03-10-2007 04:22 AM - edited 03-05-2019 02:49 PM
hi
I have two VLANs running on a Cisco 6509 switch.
vlan 1 is in net 10.1.0.0 255.255.240.0
vlan 2 is in net 172.31.2.0 255.255.255.0
i want to block vlan 2 from accessing vlan 1.
My access-lists are like this:
access-list 101 deny ip 172.31.2.0 0.0.0.255 10.1.0.0 0.0.15.255
access-list 101 permit ip any any
access-list 101 deny icmp 172.31.2.0 0.0.0.255 10.1.0.0 0.0.15.255 echo
access-list 101 permit icmp any any
access-list 101 deny tcp 172.31.2.0 0.0.0.255 10.1.0.0 0.0.15.255 eq 23
access-list 101 permit tcp any any
int vlan 2
ip access-group 101 in
These ACLs are not working. I have even tried to apply them outbound on vlan 2. I have also tried to configure the opposite of the ACLs and apply it on int vlan 1, trying with in and out, but still the access-list is not working.
Where am I going wrong... how do I stop the VLANs from communicating without disabling ip routing on my switch?
03-10-2007 12:53 PM
Hello,
Probably the best feature on the 6509 to accomplish this would be VACL (vlan access control lists). Documentation on this feature can be found at:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/vacl.htm#wp1055968
!Traffic you want to drop (in the input direction on vlan2); 0.0.15.255 is the wildcard for the 10.1.0.0/20 network
Router(config)#access-list 101 permit ip 172.31.2.0 0.0.0.255 10.1.0.0 0.0.15.255
!Catchall acl to allow other traffic out
Router(config)#access-list 102 permit ip any any
!First identify and drop the traffic from vlan2 to vlan1
Router(config)# vlan access-map mymap 10
Router(config-access-map)# match ip address 101
Router(config-access-map)# action drop
Router(config-access-map)# exit
!Forward all other traffic
Router(config)# vlan access-map mymap 20
Router(config-access-map)# match ip address 102
Router(config-access-map)# action forward
Router(config-access-map)# exit
!Apply vlan map mymap to vlan 2
Router(config)# vlan filter mymap vlan-list 2
One last question, if you are already denying all ip traffic with the first line of your posted acl, then why do you need the next two lines denying icmp and tcp?
Hope this helps!
Frank
03-12-2007 05:59 AM
To prevent users from telnetting to your VTY ports you should create an ACL and apply it to your VTY ports. You need to put some thought into this ACL. If you are on a LAN it's not a big deal; you just select the management range and allow it access. However, if you are on a WAN and may have multiple admin ranges and/or you connect via VPN, you need to take all possible admin address ranges into account. A trick you'll see is that for testing purposes you usually allow all access between your actual devices' admin IPs. This can be a quick way around VTY access lists if you're at a WAN site and have forgotten to allow an address or two for admin purposes. Then you can simply telnet to your router and telnet to the device on the far site that you need access to. This might not be the most secure setup but it can be a convenient backdoor.
Good Luck.
03-10-2007 05:01 AM
It looks like your first option should work for blocking vlan 2 to vlan 1, and it should be applied inbound on vlan 2 as you have done. How have you determined it isn't working? Are you still able to ping from one vlan to the other?
03-10-2007 05:22 AM
If you are simply trying to block all communication between the two vlans, then an ACL with two statements like this should take care of it. If you have a different requirement, then clarify which protocols, like ICMP/TCP, you want to filter.
access-list 101 deny ip 172.31.2.0 0.0.0.255 10.1.0.0 0.0.15.255
access-list 101 permit ip any any
int vlan 2
ip access-group 101 in
The above ACL would deny all IP traffic originating from 172.31.2.0/24 destined to the 10.1.0.0/20 network and permit all other traffic from vlan 2. When you deny/permit IP, all the protocols that are part of the IP suite are included in it.
I recommend you review this document to get a good understanding of how to configure ACLs.
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
HTH
Sundar
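To make the point in Sundar's and Frank's replies concrete (that a "deny ip" entry covers TCP and ICMP too, and that 0.0.15.255 is the wildcard for 10.1.0.0/20), here is a small evaluator for IOS-style extended ACL entries. It is an added example, not code from the thread or from Cisco; the ACL lines it parses are the two-line ACL 101 from the reply above, and the evaluate() function models first-match-wins with the implicit deny at the end.

```python
import ipaddress

# Constructed example (not from the thread): a tiny evaluator for IOS-style
# extended ACL entries that shows how the thread's ACL 101 decides a packet.

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_ip(wild) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(net) & care)

def parse_ace(line: str) -> dict:
    """Parse 'access-list N {permit|deny} PROTO SRC [WILD] DST [WILD] [eq PORT]'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(line)
    entry = {"acl": tok[1], "action": tok[2], "proto": tok[3], "port": None}
    i = 4
    for side in ("src", "dst"):
        if tok[i] == "any":
            entry[side], entry[side + "_wild"] = "0.0.0.0", "255.255.255.255"
            i += 1
        elif tok[i] == "host":
            entry[side], entry[side + "_wild"] = tok[i + 1], "0.0.0.0"
            i += 2
        else:
            entry[side], entry[side + "_wild"] = tok[i], tok[i + 1]
            i += 2
    if i + 1 < len(tok) and tok[i] == "eq":      # destination port qualifier
        entry["port"] = int(tok[i + 1])
    return entry

def evaluate(acl: list, proto: str, src: str, dst: str, dport=None) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit 'deny'."""
    for e in acl:
        if e["proto"] != "ip" and e["proto"] != proto:
            continue                      # 'ip' covers tcp, udp, icmp, ...
        if e["port"] is not None and e["port"] != dport:
            continue
        if wildcard_match(src, e["src"], e["src_wild"]) and \
           wildcard_match(dst, e["dst"], e["dst_wild"]):
            return e["action"]
    return "deny"

# The two-line ACL from the thread, applied inbound on interface vlan 2.
ACL_101 = [parse_ace(l) for l in (
    "access-list 101 deny ip 172.31.2.0 0.0.0.255 10.1.0.0 0.0.15.255",
    "access-list 101 permit ip any any",
)]
```

Evaluating a telnet or a ping from 172.31.2.0/24 to any host in 10.1.0.0/20 returns "deny" from the first entry alone, while traffic to 10.1.16.1 (outside the /20) falls through to the permit; wildcard_match() also shows that a mask of 0.0.0.15 would only cover 10.1.0.0 to 10.1.0.15.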
03-12-2007 02:01 AM
I want to filter all IP traffic including telnet and ICMP packets.
03-12-2007 12:50 AM
Yes, I am still able to ping both ways with the ACL applied.
03-12-2007 01:58 AM
I was thinking that the first ACL will only block all IP traffic but still allow TCP and ICMP... so are you saying that the first ACL is OK to block TCP and ICMP?
03-12-2007 04:46 AM
TCP and ICMP are sub-sets of the IP protocol stack. By blocking IP you block all protocols. Say you were wanting to just block port 80 traffic but allow all other traffic; then you would write:
access-list 100 deny tcp x.x.x.x x.x.x.x x.x.x.x x.x.x.x eq 80
Hope this helps.
03-12-2007 05:52 AM
The problem is that I don't want users from the other VLAN to telnet to the default gateway of another VLAN... I did understand you when you said that access-lists cannot be tested using the default gateway. Thanks for that piece of information; I had not been aware of that.
03-10-2007 02:13 PM
I'm with the other guys who have posted so far; you're on the right track. There are a few points to be aware of. When writing an ACL to protect a VLAN, if you ping the gateway of the VLAN you will always get a return. The ACL is applied as packets traverse the physical or logical interface. Also, when you apply a deny any any on the inside of a VLAN, devices that are distributed across multiple switches in that VLAN will need permit ACLs written to allow communication between them. I just wrote this post as a primer for myself; I hope it helps you out.
http://www.staticnat.com/WP/2007/03/07/layer-3-access-control-lists/
Good Luck