Simple VLAN ACL Question

robbyyamry
Level 1

Here's my setup:

Cisco 6506 IOS 12.1

VLAN1 - 172.17.0.0/16

VLAN2 - 10.1.2.0/23

HOST1 - 10.1.2.10

I'd like to allow only HOST1 to VLAN1. VLAN2 should NOT be allowed to get to VLAN1. Also, I'd like VLAN1 to be able to access VLAN2 as well as get out to the internet, etc. I have routing set up and everything is working fine with that. I just want to place an ACL to restrict traffic. How can I do this? This has got to be simple, but I can't quite figure it out.

Thanks!

Rob

5 Replies

Jon Marshall
Hall of Fame

Rob

It's not quite as straightforward as it sounds, because you want to allow traffic initiated from vlan 1 through to vlan 2 and presumably the return traffic as well. But you don't want vlan 2 to be able to initiate connections to vlan 1, except for 10.1.2.10.

If your traffic is a mixture of TCP/UDP then you will have to use reflexive access-lists to achieve what you want. Please see the attached link for configuration details:

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfreflx.html

Jon

Giuseppe Larosa
Hall of Fame

Hello Rob,

Extended ACLs for TCP let you use the established keyword, which permits TCP segments belonging to sessions that are already established.

In this way you can have TCP connections started from vlan 1 permitted and TCP sessions started from vlan 2 denied (because they have the TCP flags set to initiate the session).

So:

access-list 101 remark HOST1 may open TCP sessions to VLAN1
access-list 101 permit tcp host 10.1.2.10 172.17.0.0 0.0.255.255
access-list 101 remark replies from VLAN2 to TCP sessions that VLAN1 started
access-list 101 permit tcp 10.1.2.0 0.0.1.255 172.17.0.0 0.0.255.255 established

You can then apply the ACL inbound on vlan 2:

int vlan2
 ip access-group 101 in

In this way only host 10.1.2.10 can start TCP sessions to net 172.17.0.0;

sessions started from 172.17.0.0 to other hosts in 10.1.2.0/23 are permitted.

hope to help

Giuseppe

Thanks for the info. Do extended ACLs for UDP allow the ESTABLISHED keyword as well? Would it be possible to apply the ACL to VLAN1? I only ask because we have about 20 VLANs on the LAN (all of which should not be able to access VLAN1) and I'd rather not apply the access-group to all, if possible.

-Rob

Hello Rob,

Unfortunately UDP has no session/socket concept, so the established keyword doesn't apply.

In your case you could instead apply a single outbound ACL under the SVI vlan1.

Hope to help

Giuseppe
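Giuseppe's suggestion worked through as an added example (not his configuration, and not from the thread): the established-based filter moved to a single outbound ACL on the vlan1 SVI, so that none of the other 20 VLANs needs its own access-group. The ACL number 102, the log keyword, the ICMP echo-reply entry and the resolver address 10.1.1.53 are assumptions; the networks and HOST1 are the ones in Rob's post.

```cisco
! Added example, not from the thread: one outbound ACL on the VLAN1 SVI.
! "out" on an SVI filters what the 6506 routes toward VLAN1 hosts, i.e.
! everything the other VLANs and the internet send to 172.17.0.0/16.
! It does not touch traffic switched inside VLAN1 itself.
access-list 102 remark HOST1 may open anything to VLAN1
access-list 102 permit ip host 10.1.2.10 172.17.0.0 0.0.255.255
access-list 102 remark TCP replies to sessions VLAN1 hosts started (ACK or RST bit set)
access-list 102 permit tcp any 172.17.0.0 0.0.255.255 established
access-list 102 remark UDP/ICMP have no established concept: name the replies you need
access-list 102 remark e.g. DNS answers from a resolver at 10.1.1.53 (hypothetical address)
access-list 102 permit udp host 10.1.1.53 eq domain 172.17.0.0 0.0.255.255
access-list 102 permit icmp any 172.17.0.0 0.0.255.255 echo-reply
access-list 102 remark everything else headed for VLAN1 is dropped and logged
access-list 102 deny ip any 172.17.0.0 0.0.255.255 log
!
interface Vlan1
 ip access-group 102 out
```

Two caveats a practitioner should weigh before using this. First, established only checks that the ACK or RST bit is set; it keeps no state, so a host in any other VLAN can still send unsolicited ACK-flagged segments into VLAN1 (they will be discarded by the receiving stack, but the ACL does not stop them). Second, the explicit UDP and ICMP permits are the whole of what comes back: traceroute replies, ICMP unreachables and path-MTU messages need their own lines (the ICMP keywords unreachable, ttl-exceeded and packet-too-big exist for that), and every UDP service VLAN1 uses must be listed by source. That is the gap reflexive ACLs close.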

Rob

Reflexive ACLs do allow for TCP/UDP/ICMP traffic.

Jon
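Jon's two replies point at reflexive ACLs without showing the configuration. The following is an added example (not from the thread and not from the linked Cisco guide) of putting the reflexive approach on the vlan1 SVI alone, which also answers Rob's wish to configure a single interface rather than all 20 VLANs. The ACL names VLAN1-IN, VLAN1-OUT and VLAN1-SESSIONS, the timeouts and the log keyword are assumptions; the addresses are the ones from Rob's post.

```cisco
! Added example, not from the thread: reflexive ACLs on the VLAN1 SVI only.
!
! Inbound on Vlan1 = packets VLAN1 hosts send to the router for routing.
! Each permitted TCP/UDP/ICMP flow creates a temporary mirror entry in
! VLAN1-SESSIONS (reflexive list); the entry ages out after the timeout.
ip access-list extended VLAN1-IN
 permit tcp 172.17.0.0 0.0.255.255 any reflect VLAN1-SESSIONS timeout 300
 permit udp 172.17.0.0 0.0.255.255 any reflect VLAN1-SESSIONS timeout 60
 permit icmp 172.17.0.0 0.0.255.255 any reflect VLAN1-SESSIONS timeout 30
 deny ip any any log
!
! Outbound on Vlan1 = packets the 6506 routes toward VLAN1 hosts, whether
! they came from VLAN2, any of the other VLANs, or the internet uplink.
ip access-list extended VLAN1-OUT
 permit ip host 10.1.2.10 172.17.0.0 0.0.255.255
 evaluate VLAN1-SESSIONS
 deny ip any any log
!
interface Vlan1
 ip access-group VLAN1-IN in
 ip access-group VLAN1-OUT out
!
! Check: "show ip access-lists VLAN1-SESSIONS" lists the dynamic entries
! while a session started from VLAN1 is open.
```

Points to check before committing this on a production 6506: the final deny in VLAN1-IN drops anything VLAN1 sends that is not TCP, UDP or ICMP (OSPF, for example), so add explicit permits for whatever else runs in that VLAN; HOST1 is permitted in both directions only because its replies from 172.17.0.0/16 match the inbound reflect lines, which is the intended path; and the reflexive timeouts should be longer than the idle time of your longest-lived sessions (SSH, database connections), or those sessions will be cut after the timeout. Confirm from the release notes for your supervisor whether reflexive evaluation is handled in hardware on this platform; if it is not, the affected traffic is punted to the CPU and load will show it.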
