ACL between 2 vlans

Unanswered Question
Feb 27th, 2009

I am looking to create a secure vlan where only specific vlans (or hosts) can access it on a given port. For example


int vlan10
 ip address 192.168.1.1 255.255.255.0


And only the following can access it:


192.168.20.0/24 port 3389
192.168.30.0/24 port 22, 25, 80


vlan10 should be able to access the above segments as well.


Is this correct:


access-list 100 permit tcp 192.168.20.0 255.255.255.0 any eq 3389
access-list 100 permit tcp 192.168.30.0 255.255.255.0 any eq 22
access-list 100 permit tcp 192.168.30.0 255.255.255.0 any eq 25
access-list 100 permit tcp 192.168.30.0 255.255.255.0 any eq 80


int vlan10
 ip address 192.168.1.1 255.255.255.0
 access-group in 100
 access-group out 100


Question:

access-group in 100 means that all traffic that meets the ACL 100 condition is permitted inbound to the VLAN, is that correct? And access-group out 100 means that ACL 100 is permitted on the outbound, is that correct?


Any examples online?



adamclarkuk_2 Fri, 02/27/2009 - 09:48

Inbound is traffic coming from a host within the VLAN to the SVI, and outbound means traffic from other networks entering your VLAN.


Take your SVI 10 as an example:


interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 ip access-group vlantest in


ip access-list extended vlantest
 permit icmp 192.168.1.0 0.0.0.255 any


You can see that this ACL has been applied inbound, and when I ping from host 192.168.1.2 to any other IP address (172.16.0.1 in this case) you will see the hit count going up as below:


R0#sh ip access-lists
Extended IP access list vlantest
    10 permit icmp 192.168.1.0 0.0.0.255 any (15 matches)



Hope that helps

Giuseppe Larosa Fri, 02/27/2009 - 09:54

Hello Roni,

You cannot apply the same extended ACL in both directions; one of the two will be blocking all traffic.

Usually, the ACL can be thought of as inbound on the secure VLAN.


The following is an example; notice that the TCP ports in a socket are different.

So first of all we need to understand where the well-known port is. The servers are in the secure VLAN, so the TCP well-known port is in the source position, just after the source address portion of the ACL line:


access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 3389 192.168.20.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 22 192.168.20.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 25 192.168.20.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 80 192.168.20.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 3389 192.168.30.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 22 192.168.30.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 25 192.168.30.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 80 192.168.30.0 0.0.0.255


You may want to permit other traffic like ICMP.


At the end you apply the ACL inbound on VLAN 10, and only inbound:


int vlan 10
 ip access-group 131 in


If you examine a TCP socket, it is something like:

192.168.1.100:80 --- 192.168.20.33:3023
   well-known            dynamic


In one direction the traffic has source 192.168.20.33 and destination 192.168.1.100.

The TCP header has the ports, which follow the position of the addresses.

For this reason the same extended ACL cannot match in both directions unless it contains twice the lines, with the socket inverted.


Hope to help

Giuseppe


ronshuster Fri, 02/27/2009 - 11:34

Giuseppe, thanks for the feedback, this helps a lot!


So based on the access-group you defined, i.e.:

int vlan 10
 ip access-group 131 in


this means that 192.168.1.0 0.0.0.255 can only access the destination IPs based on the ACL (one way), so outgoing traffic is permitted on vlan10 based on the ACL condition. Is that correct?


But what would be the behavior of traffic from the VLANs (192.168.20.0 & 192.168.30.0) to vlan10? As far as I see, based on the access-group, it is all permitted. Is that right?


If traffic from 192.168.20.0 & 192.168.30.0 should be restricted to vlan10, is there a need for another set of ACLs to apply to vlan10 with access-group out?

Giuseppe Larosa Fri, 02/27/2009 - 12:14

Hello Ron,

There is no strict need for a second ACL, because successful communication requires bidirectional connectivity.

To make an example: an ICMP packet can reach server 192.168.10.100 even with an arbitrary source, but the answer is filtered by inbound ACL 131.


I understand that for better security it can help to also have an outbound ACL.

But if an outbound ACL is felt to be needed, it has to be different from the ACL applied inbound, as I explained in my first post.


Hope to help

Giuseppe


ronshuster Fri, 02/27/2009 - 12:37

What I'm saying is that none of the internal VLANs (192.168.20, 30) should be able to access the secure VLAN (192.168.1.1), given it's a secure VLAN. That secure VLAN should only be able to access specific VLANs, but no internal VLANs should be able to initiate traffic to it. How does that change your answer?
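Added example, not part of the thread and not Cisco code: a small Python model of how IOS evaluates a numbered extended ACL applied to an SVI, written to check the points made above (the wildcard-mask form of the addresses in the question's ACL 100, the position of the well-known port in Giuseppe's ACL 131, the in/out direction adamclarkuk_2 describes) and to show one way to meet Ron's last requirement with the `established` keyword. ACL 131 is copied from Giuseppe's post; ACLs 132 and 133, the host addresses, ports and packets are constructed for the example. The model covers only permit/deny, tcp/icmp/ip, `any`, `eq` and `established`.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False    # TCP ACK or RST bit set, i.e. anything but the opening SYN

@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str
    src_wc: str          # wildcard mask, not a subnet mask
    sport: Optional[int]
    dst: str
    dst_wc: str
    dport: Optional[int]
    established: bool = False

def wc_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must equal the base address, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return a & ~w & 0xFFFFFFFF == b & ~w & 0xFFFFFFFF

def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]',
    where SRC and DST are 'any' or 'ADDRESS WILDCARD' ('host' is not modelled)."""
    t = line.split()
    action, proto, i = t[2], t[3], 4
    def addr(i):  # -> base, wildcard, next index
        return ("0.0.0.0", "255.255.255.255", i + 1) if t[i] == "any" else (t[i], t[i + 1], i + 2)
    def port(i):  # -> port or None, next index
        return (int(t[i + 1]), i + 2) if i < len(t) and t[i] == "eq" else (None, i)
    src, src_wc, i = addr(i)
    sport, i = port(i)
    dst, dst_wc, i = addr(i)
    dport, i = port(i)
    return Ace(action, proto, src, src_wc, sport, dst, dst_wc, dport,
               established=(i < len(t) and t[i] == "established"))

def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for a in acl:
        if (a.proto in ("ip", p.proto)
                and wc_match(p.src, a.src, a.src_wc) and wc_match(p.dst, a.dst, a.dst_wc)
                and (a.sport is None or p.sport == a.sport)
                and (a.dport is None or p.dport == a.dport)
                and (not a.established or p.ack)):
            return a.action
    return "deny"

def svi_filter(vlan: str, acl_in: Optional[List[Ace]], acl_out: Optional[List[Ace]], p: Packet) -> str:
    """'in' on an SVI sees packets sourced by hosts in the VLAN (host -> SVI), 'out' sees
    packets routed toward hosts in the VLAN, as adamclarkuk_2 describes. No ACL: permit."""
    acl = acl_in if ipaddress.IPv4Address(p.src) in ipaddress.IPv4Network(vlan) else acl_out
    return "permit" if acl is None else evaluate(acl, p)

# Two lines of Giuseppe's ACL 131 (servers in VLAN 10, well-known port in the source position).
ACL_131 = [parse_ace(l) for l in (
    "access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 3389 192.168.20.0 0.0.0.255",
    "access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 22 192.168.30.0 0.0.0.255",
)]
# Constructed for Ron's last requirement (not from the thread; 25 and 80 follow the same pattern):
# 132 'in' lets VLAN 10 open 3389 to VLAN 20 and 22 to VLAN 30; 133 'out' passes only segments
# carrying ACK or RST ('established'), so no host outside can open a connection into VLAN 10.
ACL_132_IN = [parse_ace(l) for l in (
    "access-list 132 permit tcp 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 3389",
    "access-list 132 permit tcp 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 22",
)]
ACL_133_OUT = [parse_ace(l) for l in (
    "access-list 133 permit tcp 192.168.20.0 0.0.0.255 eq 3389 192.168.1.0 0.0.0.255 established",
    "access-list 133 permit tcp 192.168.30.0 0.0.0.255 eq 22 192.168.1.0 0.0.0.255 established",
)]

def demo() -> dict:
    """Verdicts for the cases discussed in the thread (hosts and ports are made up)."""
    g = lambda p: svi_filter("192.168.1.0/24", ACL_131, None, p)            # Giuseppe's setup
    s = lambda p: svi_filter("192.168.1.0/24", ACL_132_IN, ACL_133_OUT, p)  # secure-VLAN setup
    return {
        # ACL 100 in the question used subnet masks; as a wildcard, 255.255.255.0 ignores the
        # first three octets and demands .0 in the last, so 192.168.20.5 does not match.
        "subnet_mask_as_wildcard": wc_match("192.168.20.5", "192.168.20.0", "255.255.255.0"),
        # ACL 131 inbound: the server's reply (well-known port in the source position) passes.
        "131_server_reply": g(Packet("192.168.1.100", "192.168.20.33", "tcp", 3389, 3023, ack=True)),
        # The same lines applied outbound match no request, because the request carries
        # the well-known port in the destination position: the socket is inverted.
        "131_as_outbound": evaluate(ACL_131, Packet("192.168.20.33", "192.168.1.100", "tcp", 3023, 3389)),
        # ACL 132 in / 133 out: VLAN 10 initiates, the reply returns, VLAN 20 cannot initiate.
        "secure_syn_out": s(Packet("192.168.1.5", "192.168.20.33", "tcp", 40000, 3389)),
        "secure_synack_back": s(Packet("192.168.20.33", "192.168.1.5", "tcp", 3389, 40000, ack=True)),
        "vlan20_initiates": s(Packet("192.168.20.33", "192.168.1.5", "tcp", 40000, 3389)),
        # Caveat: 'established' checks flag bits only and keeps no state, so a crafted ACK
        # from source port 3389 to any port in VLAN 10 is let through (ACK-scan style).
        "ack_probe_from_vlan20": s(Packet("192.168.20.33", "192.168.1.5", "tcp", 3389, 445, ack=True)),
    }
```

demo() returns the verdict for each case as a dict. The last entry is the caveat a practitioner should weigh before calling the VLAN "secure": `established` is a flag check, not a connection table, so any ACK- or RST-flagged packet from a permitted source port reaches VLAN 10 whether or not a host there ever sent a SYN; where that matters, a reflexive ACL or a stateful firewall between the VLANs is the stateful alternative.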
