access-list not working

Answered Question
Mar 10th, 2007

Hi,

I have two VLANs running on a Cisco 6509 switch.

vlan 1 is in net 10.1.0.0 255.255.240.0

vlan 2 is in net 172.31.2.0 255.255.255.0

I want to block VLAN 2 from accessing VLAN 1.

My access-lists are like this (three variants I have tried, each ending with its own permit):

access-list 101 deny ip 172.31.2.0 0.0.0.255 10.1.0.0 0.0.15.255
access-list 101 permit ip any any

access-list 101 deny icmp 172.31.2.0 0.0.0.255 10.1.0.0 0.0.15.255 echo
access-list 101 permit icmp any any

access-list 101 deny tcp 172.31.2.0 0.0.0.255 10.1.0.0 0.0.15.255 eq 23
access-list 101 permit tcp any any

int vlan 2
ip access-group 101 in

These ACLs are not working. I have even tried to apply them outbound on VLAN 2. I have also tried to configure the opposite of the ACLs and apply it on int vlan 1, trying both in and out, but still the access-list is not working.

Where am I going wrong? How do I stop the VLANs from communicating without disabling IP routing on my switch?

glen.grant Sat, 03/10/2007 - 05:01

It looks like your first option should work for blocking vlan2 to 1 and it should be applied inbound on vlan 2 as you have done. How have you determined it isn't working? Are you still able to ping from one vlan to the other?

sundar.palaniappan Sat, 03/10/2007 - 05:22

If you are simply trying to block all communication between the two vlans then an ACL with two statements like this should take care of it. If you have a different requirement then clarify which protocols, like ICMP/TCP, you want to filter.

access-list 101 deny ip 172.31.2.0 0.0.0.255 10.1.0.0 0.0.15.255
access-list 101 permit ip any any

int vlan 2
ip access-group 101 in

The above ACL would deny all IP traffic originating from 172.31.2.0/24 destined to the 10.1.0.0/20 network and permit all other traffic from vlan2. When you deny/permit IP, all the protocols that are part of the IP suite are included in it.

I recommend you review this document to get a good understanding of how to configure ACLs.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

HTH

Sundar

akobwaycct Mon, 03/12/2007 - 02:01

I want to filter all IP traffic including telnet and ICMP packets.

Correct Answer
franruss Sat, 03/10/2007 - 12:53

Hello,

Probably the best feature on the 6509 to accomplish this would be VACL (vlan access control lists). Documentation on this feature can be found at:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/vacl.htm#wp1055968

!Traffic you want to drop (in the input direction on vlan2); the wildcard for 10.1.0.0/20 is 0.0.15.255
Router(config)#access-list 101 permit ip 172.31.2.0 0.0.0.255 10.1.0.0 0.0.15.255

!Catchall acl to allow other traffic out
Router(config)#access-list 102 permit ip any any

!First identify and drop the traffic from vlan2 to vlan1
Router(config)# vlan access-map mymap 10
Router(config-access-map)# match ip address 101
Router(config-access-map)# action drop
Router(config-access-map)# exit

!Forward all other traffic
Router(config)# vlan access-map mymap 20
Router(config-access-map)# match ip address 102
Router(config-access-map)# action forward
Router(config-access-map)# exit

!Apply vlan map mymap to vlan 2
Router(config)# vlan filter mymap vlan-list 2

One last question, if you are already denying all ip traffic with the first line of your posted acl, then why do you need the next two lines denying icmp and tcp?

Hope this helps!

Frank

akobwaycct Mon, 03/12/2007 - 01:58

I was thinking that the first ACL will only block all IP traffic but still allow TCP and ICMP. So are you saying that the first ACL is OK to block TCP and ICMP?

cratejockey Mon, 03/12/2007 - 04:46

TCP and ICMP are sub-sets of the IP protocol stack. By blocking IP you block all protocols. Say you were wanting to just block port 80 traffic but allow all other traffic, then you would write:

access-list 100 deny tcp x.x.x.x x.x.x.x x.x.x.x x.x.x.x eq 80

Hope this helps.

www.staticnat.com
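As an added illustration (not code from this thread or from Cisco), here is a small Python model of IOS wildcard matching and first-match ACL evaluation with the implicit deny at the end. It checks Sundar's two-line ACL against constructed flows to show that "deny ip" already covers ICMP and telnet, and it shows why the wildcard 0.0.0.15 that appeared in the VACL post matches only 10.1.0.0-10.1.0.15 instead of the whole 10.1.0.0/20. The tuple layout, function names and sample flows are my own assumptions.

```python
# Added example: a minimal model of Cisco IOS numbered-ACL matching.
# Not from the thread; entry format and flows are constructed for illustration.
import ipaddress


def in_wildcard(addr, base, wildcard):
    """IOS wildcard match: a wildcard bit of 1 means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one flow using first-match semantics.

    acl entries: (action, proto, src, src_wc, dst, dst_wc, dport_or_None).
    proto 'ip' matches every IP protocol, which is why a 'deny ip' line
    also blocks ICMP and TCP. A flow matching no entry hits the implicit deny.
    """
    for action, p, s, swc, d, dwc, port in acl:
        proto_ok = p == "ip" or p == proto
        port_ok = port is None or port == dport
        if proto_ok and port_ok and in_wildcard(src, s, swc) and in_wildcard(dst, d, dwc):
            return action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")  # 'any' as base/wildcard

# Sundar's ACL 101: deny vlan2 -> vlan1, permit everything else.
ACL_OK = [
    ("deny", "ip", "172.31.2.0", "0.0.0.255", "10.1.0.0", "0.0.15.255", None),
    ("permit", "ip", *ANY, *ANY, None),
]

# Same list but with the mistaken wildcard 0.0.0.15 for the /20 destination.
ACL_BAD = [
    ("deny", "ip", "172.31.2.0", "0.0.0.255", "10.1.0.0", "0.0.0.15", None),
    ("permit", "ip", *ANY, *ANY, None),
]


def wildcard_for_prefix(prefix):
    """Derive the IOS wildcard for a prefix, e.g. 10.1.0.0/20 -> 0.0.15.255."""
    net = ipaddress.IPv4Network(prefix)
    return str(ipaddress.IPv4Address(int(net.hostmask)))
```

Run evaluate() over a host in the middle of the /20 (for example 10.1.5.1) with both lists to see the difference the wildcard makes.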

akobwaycct Mon, 03/12/2007 - 05:52

The problem is that I don't want users from the other VLAN to telnet to the default gateway of another VLAN. I did understand you when you said that access-lists cannot be tested using the default gateway; thanks for that piece of information, I had not been aware of that.

Correct Answer
cratejockey Mon, 03/12/2007 - 05:59

To prevent users from telnetting to your VTY ports you should create an ACL and apply it to your VTY ports. You need to put some thought into this ACL. If you are on a LAN it's not a big deal: you just select the management range and allow it access. However, if you are on a WAN and may have multiple admin ranges and/or you connect via VPN, you need to take all possible admin address ranges into account. A trick you'll see is that for testing purposes you usually allow all access between your actual devices' admin IPs. This can be a quick way around VTY access lists if you're at a WAN site and have forgotten to allow an address or two for admin purposes. Then you can simply telnet to your router and telnet to the device on the far site that you need access to. This might not be the most secure setup but it can be a convenient backdoor.

Good Luck.

www.staticnat.com

cratejockey Sat, 03/10/2007 - 14:13

I'm with the other guys who have posted so far, you're on the right track. There are a few points to be aware of. When writing an ACL to protect a VLAN, if you ping the gateway of the VLAN you will always get a return. The ACL is applied as packets traverse the physical or logical interface. Also, when you apply a deny any any on the inside of a VLAN, devices that are distributed across multiple switches in that VLAN will need permit ACLs written to allow communication between them. I just wrote this post as a primer for myself; I hope it helps you out.

http://www.staticnat.com/WP/2007/03/07/layer-3-access-control-lists/

Good Luck

http://www.staticnat.com
