ianmclachlan asked:
Access-List for Multiple VLAN on 3560 Switch

Hi Guys,

I'm trying to work out the rules/logic for creating an access-list that blocks each VLAN from each other apart from the default, which is the gateway.

So I have the following:

Default Vlan - 192.168.1.0 with the gateway being 192.168.1.1... thereafter

Vlan10 - 192.168.100.0
Vlan20 - 192.168.101.0
Vlan30 - 192.168.102.0

** All Class C

I would like Vlan 10, 20, 30 to be able to see the default, but I want to block them from seeing each other.  At the moment I can ping between vlans.

So as a test, I created an access-list:

access-list 10 deny host 192.168.101.0

and added this to my vlan10 interface:

ip access-group 10 in

My thinking was that this should deny traffic coming in from Vlan20 - 192.168.101.0 but would allow me access to default & Vlan30.  (At this point I have to confess that Cisco IOS is clearly not my bag)

However, it didn't work.  It seemed to block everything - I couldn't ping to any other VLANs.  I tried different combinations with permit/deny but again I had no joy.  There is obviously a little more to it.  Google came up with lots of info (maybe too much); as my requirements are pretty basic, I thought I would ask.

Any help offered would be greatly appreciated

Thanks

IM
Predrag Jovic replied:

access-list 10 deny host 192.168.101.0
"host" is the problem: it will block only traffic from that specific IP address. And you are missing "permit any".
By default, if not permitted specifically, at the end all traffic that is not permitted in ACL statements will be blocked.
:)
To create one ACL that can be applied to all interfaces:

access-list 10 permit x.x.x.x
access-list 10 deny 192.168.0.0 0.0.255.255
access-list 10 permit any

You will not be able to ping the default gateway; however, only traffic for local VLANs will be blocked.
The first line (permit) is to allow addresses that should be allowed (in case you need it - if not, it can be removed).

or you can do it as you planned:
access-list 10 deny 192.168.101.0
access-list 10 permit any

interface Vlan 10
ip access-group 10 in

is the OK direction to apply the ACL.
ianmclachlan (asker) replied:
Thanks for your reply.

It didn't seem to work.  I was still able to ping from a system in VLAN10 to VLAN20 (192.168.101.0).  I have attached parts of the IOS config for reference.

 Building configuration...

Current configuration : 3650 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname xxxxxxx
!
ip dhcp excluded-address 192.168.100.1 192.168.100.100
ip dhcp excluded-address 192.168.101.1 192.168.101.100
ip dhcp excluded-address 192.168.102.1 192.168.102.100
ip dhcp excluded-address 192.168.103.1 192.168.103.100
ip dhcp excluded-address 192.168.104.1 192.168.104.100
ip dhcp excluded-address 192.168.105.1 192.168.105.100
ip dhcp excluded-address 192.168.106.1 192.168.106.100
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.107.1 192.168.107.100
!
ip dhcp pool VLAN10
 network 192.168.100.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool VLAN20
 network 192.168.101.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool Vlan30
 network 192.168.102.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool vlan1
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool vlan40
 network 192.168.103.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool vlan50
 network 192.168.104.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool vlan60
 network 192.168.105.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool vlan70
 network 192.168.106.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool vlan80
 network 192.168.107.0 255.255.255.0
 default-router 192.168.1.1
!
ip routing
!
spanning-tree mode pvst
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
 switchport access vlan 80
!
interface FastEthernet0/10
 switchport access vlan 80
!
interface FastEthernet0/11
 switchport access vlan 10
!
interface FastEthernet0/12
 switchport access vlan 10
!
interface FastEthernet0/13
 switchport access vlan 20
!
interface FastEthernet0/14
 switchport access vlan 20
!
interface FastEthernet0/15
 switchport access vlan 30
!
interface FastEthernet0/16
 switchport access vlan 30
!
interface FastEthernet0/17
 switchport access vlan 40
!
interface FastEthernet0/18
 switchport access vlan 40
!
interface FastEthernet0/19
 switchport access vlan 50
!
interface FastEthernet0/20
 switchport access vlan 50
!
interface FastEthernet0/21
 switchport access vlan 60
!
interface FastEthernet0/22
 switchport access vlan 60
!
interface FastEthernet0/23
 switchport access vlan 70
!
interface FastEthernet0/24
 switchport access vlan 70
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan10
 mac-address 00d0.d328.a201
 ip address 192.168.100.2 255.255.255.0
 ip access-group 10 in
!
interface Vlan20
 mac-address 00d0.d328.a202
 ip address 192.168.101.2 255.255.255.0
!
interface Vlan30
 mac-address 00d0.d328.a203
 ip address 192.168.102.2 255.255.255.0
!
interface Vlan40
 mac-address 00d0.d328.a204
 ip address 192.168.103.254 255.255.255.0
!
interface Vlan50
 mac-address 00d0.d328.a205
 ip address 192.168.104.2 255.255.255.0
!
interface Vlan60
 mac-address 00d0.d328.a206
 ip address 192.168.105.2 255.255.255.0
!
interface Vlan70
 mac-address 00d0.d328.a207
 ip address 192.168.106.2 255.255.255.0
!
interface Vlan80
 mac-address 00d0.d328.a208
 ip address 192.168.107.2 255.255.255.0
!
router rip
!
ip classless
!
ip flow-export version 9
!
access-list 10 deny host 192.168.101.0
access-list 10 permit any
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end


Once I get the logic correct I will be able to create access-lists for the other vlans.  Based on your comments it all looks ok.

IM


One question - if it had worked, why would I not be able to ping the default gateway?  The traffic (ICMP or IP) is not blocked on 192.168.1.0.
Sorry... ignore that comment... HOST is still there.
ASKER CERTIFIED SOLUTION
Predrag Jovic

This solution is only available to members.

ianmclachlan:
Sorry, have changed it properly now:

access-list 10 deny 192.168.101.0 0.0.0.255
access-list 10 permit any

However I can still ping 101??  

Very odd
Predrag Jovic:
Did you apply it under the SVI interface?
ianmclachlan:
It worked with the extended ACL.  Really strange it didn't work in standard.

Thanks so much. Really appreciated your input.  Of course I will award you full marks.


Thanks again

IM
Predrag Jovic:
Thanks for the info.
With standard, try to change direction...

access-list 10 deny host 192.168.101.0
access-list 10 permit any

interface Vlan10
 ip access-group 10 out

I guess that traffic will be blocked after 101.0/24 responds to ping...
Typically, if the ACL is written OK and it is not working as it is supposed to, change the direction in which it is applied.
But it is a less secure approach, and wastes some amount of traffic unnecessarily.
I rarely use standard ACL for filtering. :)
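To make the behaviour discussed in this thread concrete, here is a small Python model of how IOS evaluates a numbered standard ACL on an SVI. It is an added example, not code from the thread or from Cisco: it uses the subnets the asker gave, constructed host addresses 192.168.100.10 and 192.168.101.10, and a simplified SVI model in which an inbound ACL inspects packets whose source sits in that VLAN and an outbound ACL inspects packets whose destination does. A standard ACL matches on source address only; a bare address or "host" is a single address (wildcard 0.0.0.0), 0.0.0.255 covers a /24, and an unmatched packet hits the implicit deny. Replaying the ACL variants from the thread shows why the first one-line ACL blocked everything, why a deny on 192.168.101.0/24 applied inbound on Vlan10 never matches (only 192.168.100.x sources enter there, and the reply enters on Vlan20), and why the same ACL applied outbound blocks the echo reply instead.

```python
"""Model of Cisco IOS numbered standard ACL evaluation on an SVI.

Added example: the subnets are the ones from the thread, the .10 host
addresses are constructed, and the in/out SVI model is a simplification
(locally generated traffic and hardware-switching corner cases are ignored).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str    # "permit" or "deny"
    base: int      # address to compare against, as an integer
    wildcard: int  # wildcard mask as an integer: 1 bits are "don't care"


def _addr(text):
    return int(ipaddress.IPv4Address(text))


def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny <src>' lines into a list of Ace.

    <src> may be 'any', 'host A.B.C.D', 'A.B.C.D WILDCARD', or a bare
    'A.B.C.D', which IOS treats as a single host (wildcard 0.0.0.0).
    """
    acl = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            raise ValueError(f"not a standard ACL entry: {line!r}")
        action, rest = tokens[2], tokens[3:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in {line!r}")
        if rest == ["any"]:
            base, wildcard = 0, 0xFFFFFFFF
        elif rest[0] == "host":
            base, wildcard = _addr(rest[1]), 0
        elif len(rest) == 1:
            base, wildcard = _addr(rest[0]), 0
        else:
            base, wildcard = _addr(rest[0]), _addr(rest[1])
        acl.append(Ace(action, base, wildcard))
    return acl


def evaluate(acl, src):
    """First matching entry wins; an unmatched source hits the implicit deny."""
    s = _addr(src)
    for ace in acl:
        # OR-ing both sides with the wildcard forces the don't-care bits to 1
        if (s | ace.wildcard) == (ace.base | ace.wildcard):
            return ace.action
    return "deny"


def ping_succeeds(acl, direction, svi_subnet, src, dst):
    """Route an echo request src->dst and its reply dst->src through the switch.

    The ACL sits on the SVI for svi_subnet. 'in' inspects packets whose source
    is in that VLAN (hosts sending into the switch); 'out' inspects packets
    whose destination is in that VLAN (switch forwarding to those hosts).
    Only the source address is checked, as with any standard ACL.
    """
    net = ipaddress.ip_network(svi_subnet)
    for pkt_src, pkt_dst in ((src, dst), (dst, src)):
        if direction == "in":
            inspected = ipaddress.IPv4Address(pkt_src) in net
        elif direction == "out":
            inspected = ipaddress.IPv4Address(pkt_dst) in net
        else:
            raise ValueError(f"direction must be 'in' or 'out', got {direction!r}")
        if inspected and evaluate(acl, pkt_src) == "deny":
            return False
    return True


VLAN10 = "192.168.100.0/24"
PC10, PC20, GW = "192.168.100.10", "192.168.101.10", "192.168.1.1"  # hosts constructed


def scenarios():
    """Replay the ACL variants from the thread on interface Vlan10."""
    first_try = parse_standard_acl(["access-list 10 deny host 192.168.101.0"])
    host_only = parse_standard_acl(["access-list 10 deny host 192.168.101.0",
                                    "access-list 10 permit any"])
    subnet = parse_standard_acl(["access-list 10 deny 192.168.101.0 0.0.0.255",
                                 "access-list 10 permit any"])
    return {
        # no 'permit any': every packet from a VLAN10 host hits the implicit deny
        "first_try_in_to_gateway": ping_succeeds(first_try, "in", VLAN10, PC10, GW),
        # inbound on Vlan10 only ever sees 192.168.100.x sources, so the deny on
        # 192.168.101.0/24 never matches; the reply enters the switch on Vlan20
        "subnet_in_to_vlan20": ping_succeeds(subnet, "in", VLAN10, PC10, PC20),
        # outbound on Vlan10 inspects the echo reply, whose source is 192.168.101.10
        "subnet_out_to_vlan20": ping_succeeds(subnet, "out", VLAN10, PC10, PC20),
        # the gateway's reply is still permitted by 'permit any'
        "subnet_out_to_gateway": ping_succeeds(subnet, "out", VLAN10, PC10, GW),
        # 'host 192.168.101.0' is one address, not the subnet, so .10 slips through
        "host_only_out_to_vlan20": ping_succeeds(host_only, "out", VLAN10, PC10, PC20),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:28s} ping {'succeeds' if ok else 'fails'}")
```

Because a standard ACL cannot see the destination, stopping VLAN10 hosts from reaching VLAN20 with an inbound ACL on Vlan10 needs an extended ACL that denies destination 192.168.101.0/24, which is consistent with the asker's report that the extended ACL worked. The outbound standard ACL only works because it catches the reply after the request has already been forwarded, which is the extra traffic Predrag refers to.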