Simple VLAN ACL Question

Mar 4th, 2009

Here's my setup:


Cisco 6506 IOS 12.1

VLAN1 - 172.17.0.0/16

VLAN2 - 10.1.2.0/23

HOST1 - 10.1.2.10


I'd like to allow only HOST1 to VLAN1. VLAN2 should NOT be allowed to get to VLAN1. Also, I'd like VLAN1 to be able to access VLAN2 as well as get out to the internet, etc. I have routing set up and everything is working fine with that. I just want to place an ACL to restrict traffic. How can I do this? This has got to be simple, but I can't quite figure it out.


Thanks!

Rob

Jon Marshall Wed, 03/04/2009 - 06:45

Rob


It's not quite as straightforward as it sounds because you want to allow traffic initiated from vlan 1 through to vlan 2 and presumably the return traffic as well. But you don't want vlan 2 to be able to initiate connections to vlan 1 except for 10.1.2.10.


If your traffic is a mixture of TCP/UDP then you will have to use reflexive access-lists to achieve what you want. Please see the attached link for configuration details -


http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfreflx.html


Jon

Giuseppe Larosa Wed, 03/04/2009 - 06:48

Hello Rob,

Extended ACLs for TCP allow you to use the established keyword, which permits TCP sessions that are already established.


In this way you can have TCP connections started from vlan 1 permitted and TCP sessions started from vlan2 denied (because they have the TCP flags set to initiate the session).


So:


access-list 101 permit tcp host 10.1.2.10 172.17.0.0 0.0.255.255

access-list 101 permit tcp 10.1.2.0 0.0.1.255 172.17.0.0 0.0.255.255 established


You can then apply the ACL inbound on vlan2:


int vlan2

ip access-group 101 in


In this way only host 10.1.2.10 can start TCP sessions to net 172.17.0.0.


Sessions started from 172.17.0.0 to other hosts in 10.1.2.0/23 are permitted.




Hope to help,

Giuseppe



robbyyamry Wed, 03/04/2009 - 07:48

Thanks for the info. Do extended ACLs for UDP allow the ESTABLISHED keyword as well? Would it be possible to apply the ACL to VLAN1? I only ask because we have about 20 VLANs on the LAN (all of which should not be able to access VLAN1) and I'd rather not apply the access-group to all, if possible.


-Rob

Giuseppe Larosa Wed, 03/04/2009 - 08:17

Hello Rob,

Unfortunately UDP has no session/socket concept, so the established keyword doesn't apply.


In your case you can consider applying a single outbound ACL under SVI vlan1 instead.


Hope to help,

Giuseppe


Jon Marshall Wed, 03/04/2009 - 09:59

Rob


Reflexive ACLs do allow for TCP/UDP/ICMP traffic.


Jon
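As an added example that is not part of the original thread, the following Python model shows how IOS evaluates the two-line ACL 101 from Giuseppe's first answer (first match wins, implicit deny at the end, and a stateless established keyword) and contrasts it with the reflect/evaluate pair Jon recommends, applied in and out on SVI vlan1 as Rob asked. The hosts 172.17.5.5, 10.1.2.20 and 203.0.113.10, the ports and the flag sets are constructed sample packets, not from the thread; reflexive timeouts and ICMP type/code matching are left out of the model.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags, e.g. frozenset({"SYN"})


def _addr(tokens):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' into ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.ip_address(tokens[1])), 0), tokens[2:]
    base, wild = (int(ipaddress.ip_address(t)) for t in tokens[:2])
    return (base, wild), tokens[2:]


def _ip_matches(spec, ip):
    base, wild = spec  # wildcard bit 1 = "don't care": only the 0 bits must agree
    return ((int(ipaddress.ip_address(ip)) ^ base) & ~wild & 0xFFFFFFFF) == 0


def parse_ace(line):
    """One ACE, numbered form as on the page ('access-list 101 permit tcp ...') or
    named form ('permit tcp ...').  Returns (action, proto, src, dst, established).
    Port operators such as 'eq' are not modelled."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]
    src, rest = _addr(t[2:])
    dst, rest = _addr(rest)
    return t[0], t[1], src, dst, "established" in rest


def ace_matches(ace, p):
    action, proto, src, dst, established = ace
    if proto not in ("ip", p.proto):
        return False
    if not (_ip_matches(src, p.src) and _ip_matches(dst, p.dst)):
        return False
    # 'established' is stateless: it only requires the ACK or RST bit to be set.
    return not established or (p.proto == "tcp" and bool(p.flags & {"ACK", "RST"}))


def evaluate(acl, p):
    """First matching ACE decides; no match hits the implicit deny that ends every IOS ACL."""
    for ace in acl:
        if ace_matches(ace, p):
            return ace[0]
    return "deny (implicit)"


# The two ACEs from Giuseppe's answer, applied 'in' on interface vlan2.
ACL_101 = [
    "access-list 101 permit tcp host 10.1.2.10 172.17.0.0 0.0.255.255",
    "access-list 101 permit tcp 10.1.2.0 0.0.1.255 172.17.0.0 0.0.255.255 established",
]
SYN, ACK = frozenset({"SYN"}), frozenset({"ACK"})


def established_demo():
    """Verdicts for constructed packets entering the switch from VLAN2."""
    acl = [parse_ace(line) for line in ACL_101]
    cases = {
        "host1_syn_to_vlan1": Pkt("tcp", "10.1.2.10", "172.17.5.5", 40000, 445, SYN),
        "vlan2_syn_to_vlan1": Pkt("tcp", "10.1.2.20", "172.17.5.5", 40000, 445, SYN),
        "vlan2_tcp_reply":    Pkt("tcp", "10.1.2.20", "172.17.5.5", 445, 40000, ACK),
        "vlan2_udp_reply":    Pkt("udp", "10.1.2.20", "172.17.5.5", 53, 40000),
        "vlan2_to_internet":  Pkt("tcp", "10.1.2.20", "203.0.113.10", 40000, 80, SYN),
        "vlan2_forged_ack":   Pkt("tcp", "10.1.2.20", "172.17.5.5", 40000, 22, ACK),
    }
    return {name: evaluate(acl, p) for name, p in cases.items()}


def reflect(state, p):
    """'reflect': record the mirror (addresses and ports swapped) of a packet seen in
    the session-opening direction.  Timeouts and ICMP type/code are not modelled."""
    state.add((p.proto, p.dst, p.src, p.dport, p.sport))


def reflexive_demo():
    """ACL 'out' on vlan1 (toward VLAN1 hosts): permit HOST1, 'evaluate' the reflexive
    list, then implicit deny.  The 'in' ACL on vlan1 reflects whatever VLAN1 initiates."""
    state = set()
    to_vlan1 = [parse_ace("permit ip host 10.1.2.10 172.17.0.0 0.0.255.255")]
    reflect(state, Pkt("udp", "172.17.5.5", "10.1.2.20", 40000, 53))  # DNS query from VLAN1
    reflect(state, Pkt("icmp", "172.17.5.5", "10.1.2.20"))            # ping from VLAN1

    def verdict(p):
        if evaluate(to_vlan1, p) == "permit":
            return "permit"
        if (p.proto, p.src, p.dst, p.sport, p.dport) in state:  # the 'evaluate' line
            return "permit"
        return "deny (implicit)"

    cases = {
        "host1_syn_to_vlan1": Pkt("tcp", "10.1.2.10", "172.17.5.5", 40000, 445, SYN),
        "dns_reply":          Pkt("udp", "10.1.2.20", "172.17.5.5", 53, 40000),
        "icmp_reply":         Pkt("icmp", "10.1.2.20", "172.17.5.5"),
        "unsolicited_udp":    Pkt("udp", "10.1.2.20", "172.17.5.5", 53, 40001),
        "vlan2_forged_ack":   Pkt("tcp", "10.1.2.20", "172.17.5.5", 40000, 22, ACK),
    }
    return {name: verdict(p) for name, p in cases.items()}
```

Two results are worth noticing. With ACL 101 as posted, a UDP reply from VLAN2 and any VLAN2 traffic bound for the internet both fall through to the implicit deny (the list has no trailing permit), while a packet from VLAN2 with only the ACK bit set is permitted even though no session exists, because established checks flags, not state. The reflexive version permits the DNS and ICMP replies only because VLAN1 sent the matching request first, and drops the forged ACK.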
