Access-List for Multiple VLAN on 3560 Switch

Posted on 2016-10-29
Last Modified: 2016-10-29
Hi Guys,

I'm trying to work out the rules/logic for creating an access-list that blocks each VLAN from each other, apart from the default, which is the gateway.

So I have the following:

Default Vlan - 192.168.1.0, with the gateway being 192.168.1.1... thereafter:

Vlan10 - 192.168.100.0
Vlan20 - 192.168.101.0
Vlan30 - 192.168.102.0

** All Class C

I would like Vlan 10, 20, 30 to be able to see the default, but I want to block them from seeing each other.  At the moment I can ping between vlans.

So as a test, I created an access-list:

access-list 10 deny host 192.168.101.0

and added this to my vlan10 interface:

ip access-group 10 in

My thinking was that this should deny traffic coming in from Vlan20 - 192.168.101.0 but would allow me access to default & Vlan30.  (At this point I have to confess that Cisco IOS is clearly not my bag)

However, it didn't work. It seemed to block everything - couldn't ping to any other VLANs. I tried different combinations with permit/deny but again I had no joy. There is obviously a little more to it. Google came up with lots of info (maybe too much); as my requirements are pretty basic, I thought I would ask.

Any help offered would be greatly appreciated.

Thanks

IM
Question by:ianmclachlan
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 41865256
access-list 10 deny host 192.168.101.0
Host is the problem: it will block only traffic from that specific IP address. And you are missing permit any.
By default, if not specifically permitted, all traffic that is not permitted in the ACL statements will be blocked at the end.
:)
To create one ACL that can be applied to all interfaces:

access-list 10 permit x.x.x.x
access-list 10 deny 192.168.0.0 0.0.255.255
access-list 10 permit any

You will not be able to ping the default gateway; however, only traffic for the local VLANs will be blocked.
The first permit line is to allow addresses that should be allowed (in case you need it; if not, it can be removed).

Or you can do it as you planned:
access-list 10 deny 192.168.101.0
access-list 10 permit any

interface Vlan 10
ip access-group 10 in

is the OK direction to apply the ACL.
 

Author Comment

by:ianmclachlan
ID: 41865284
Thanks for your reply.

It didn't seem to work. I was still able to ping from a system in VLAN10 to VLAN20 (192.168.101.0). I have attached parts of the IOS config for reference.

 Building configuration...

Current configuration : 3650 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname xxxxxxx
!
ip dhcp excluded-address 192.168.100.1 192.168.100.100
ip dhcp excluded-address 192.168.101.1 192.168.101.100
ip dhcp excluded-address 192.168.102.1 192.168.102.100
ip dhcp excluded-address 192.168.103.1 192.168.103.100
ip dhcp excluded-address 192.168.104.1 192.168.104.100
ip dhcp excluded-address 192.168.105.1 192.168.105.100
ip dhcp excluded-address 192.168.106.1 192.168.106.100
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.107.1 192.168.107.100
!
ip dhcp pool VLAN10
 network 192.168.100.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool VLAN20
 network 192.168.101.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool Vlan30
 network 192.168.102.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool vlan1
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool vlan40
 network 192.168.103.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool vlan50
 network 192.168.104.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool vlan60
 network 192.168.105.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool vlan70
 network 192.168.106.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool vlan80
 network 192.168.107.0 255.255.255.0
 default-router 192.168.1.1
!
ip routing
!
spanning-tree mode pvst
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
 switchport access vlan 80
!
interface FastEthernet0/10
 switchport access vlan 80
!
interface FastEthernet0/11
 switchport access vlan 10
!
interface FastEthernet0/12
 switchport access vlan 10
!
interface FastEthernet0/13
 switchport access vlan 20
!
interface FastEthernet0/14
 switchport access vlan 20
!
interface FastEthernet0/15
 switchport access vlan 30
!
interface FastEthernet0/16
 switchport access vlan 30
!
interface FastEthernet0/17
 switchport access vlan 40
!
interface FastEthernet0/18
 switchport access vlan 40
!
interface FastEthernet0/19
 switchport access vlan 50
!
interface FastEthernet0/20
 switchport access vlan 50
!
interface FastEthernet0/21
 switchport access vlan 60
!
interface FastEthernet0/22
 switchport access vlan 60
!
interface FastEthernet0/23
 switchport access vlan 70
!
interface FastEthernet0/24
 switchport access vlan 70
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan10
 mac-address 00d0.d328.a201
 ip address 192.168.100.2 255.255.255.0
 ip access-group 10 in
!
interface Vlan20
 mac-address 00d0.d328.a202
 ip address 192.168.101.2 255.255.255.0
!
interface Vlan30
 mac-address 00d0.d328.a203
 ip address 192.168.102.2 255.255.255.0
!
interface Vlan40
 mac-address 00d0.d328.a204
 ip address 192.168.103.254 255.255.255.0
!
interface Vlan50
 mac-address 00d0.d328.a205
 ip address 192.168.104.2 255.255.255.0
!
interface Vlan60
 mac-address 00d0.d328.a206
 ip address 192.168.105.2 255.255.255.0
!
interface Vlan70
 mac-address 00d0.d328.a207
 ip address 192.168.106.2 255.255.255.0
!
interface Vlan80
 mac-address 00d0.d328.a208
 ip address 192.168.107.2 255.255.255.0
!
router rip
!
ip classless
!
ip flow-export version 9
!
access-list 10 deny host 192.168.101.0
access-list 10 permit any
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end


Once I get the logic correct I will be able to create access-lists for the other VLANs. Based on your comments, it all looks OK.

IM


One question - if it had worked, why would I not be able to ping the default gateway? The traffic (ICMP or IP) is not blocked on 192.168.1.0.
 

Author Comment

by:ianmclachlan
ID: 41865287
Sorry ... ignore that comment ... HOST is still there.
 
LVL 26

Accepted Solution

by:Predrag Jovic (earned 500 total points)
ID: 41865289
Strange, it should work.

However, typically I would use an extended ACL.

access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255
! or    access-list 100 deny ip any 192.168.101.0 0.0.0.255   <-- so any IP address from the VLAN can't access the .101.0/24 network
access-list 100 permit ip any any

interface vlan 10
 ip access-group 100 in

This should work.
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 41865295
OK
;)

Author Comment

by:ianmclachlan
ID: 41865299
Sorry, I have changed it properly now:

access-list 10 deny 192.168.101.0 0.0.0.255
access-list 10 permit any

However, I can still ping 101??

Very odd.
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 41865300
Did you apply it under the SVI interface?
 

Author Comment

by:ianmclachlan
ID: 41865304
It worked with the extended ACL. Really strange it didn't work in standard.

Thanks so much. Really appreciated your input. Of course I will award you full marks.


Thanks again

IM
 

Author Closing Comment

by:ianmclachlan
ID: 41865306
Thanks for the info.
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 41865309
With standard, try to change the direction...

access-list 10 deny 192.168.101.0 0.0.0.255
access-list 10 permit any

interface Vlan10
 ip access-group 10 out

I guess that traffic will be blocked after 101.0/24 responds to the ping...
Typically, if the ACL is written OK and it is not working as it is supposed to, change the direction in which it is applied.
But it is a less secure approach, and it wastes some amount of traffic unnecessarily.
I rarely use standard ACLs for filtering. :)
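As an added illustration (not from the thread, and not Cisco code), the following Python models IOS wildcard-mask matching and the implicit deny at the end of every ACL, then runs the thread's ACL variants against a constructed VLAN10-to-VLAN20 ping. It shows why a standard ACL, which matches only the source address, never matched when applied 'in' on Vlan10 (the source there is 192.168.100.x), while the extended ACL 'in', or the standard ACL 'out' against the echo reply, does. The host addresses 192.168.100.10 and 192.168.101.10 are constructed.

```python
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")  # the IOS keyword "any"

def wildcard_match(addr: str, acl_addr: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(acl_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

@dataclass
class Entry:
    action: str       # "permit" or "deny"
    src: tuple        # (address, wildcard); the only field a standard ACL checks
    dst: tuple = ANY  # extended ACLs also check the destination

def evaluate(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for e in acl:
        if wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst):
            return e.action
    return "deny"

# The ACL variants from the thread. "host X" is shorthand for wildcard 0.0.0.0.
ACL10_HOST_ONLY = [Entry("deny", ("192.168.101.0", "0.0.0.0"))]   # no permit any
ACL10_STD = [Entry("deny", ("192.168.101.0", "0.0.0.255")), Entry("permit", ANY)]
ACL100_EXT = [Entry("deny", ("192.168.100.0", "0.0.0.255"),
                            ("192.168.101.0", "0.0.0.255")),
              Entry("permit", ANY, ANY)]

# Constructed hosts: a VLAN10 PC pinging a VLAN20 PC; 192.168.1.1 is the gateway.
VLAN10_PC, VLAN20_PC, GATEWAY = "192.168.100.10", "192.168.101.10", "192.168.1.1"

def thread_results():
    return {
        # deny host + no permit any: the implicit deny drops the ping (and all else)
        "host_only_in": evaluate(ACL10_HOST_ONLY, VLAN10_PC, VLAN20_PC),
        # standard ACL 'in' on Vlan10 only sees source 192.168.100.x: deny never matches
        "std_in": evaluate(ACL10_STD, VLAN10_PC, VLAN20_PC),
        # same ACL 'out' on Vlan10: the reply's source is 192.168.101.x and is dropped
        "std_out": evaluate(ACL10_STD, VLAN20_PC, VLAN10_PC),
        # extended ACL matches source AND destination, so 'in' blocks the request
        "ext_in": evaluate(ACL100_EXT, VLAN10_PC, VLAN20_PC),
        # while the default gateway stays reachable
        "ext_in_gateway": evaluate(ACL100_EXT, VLAN10_PC, GATEWAY),
    }
```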