03-04-2009 06:26 AM - edited 03-06-2019 04:22 AM
Here's my setup:
Cisco 6506, IOS 12.1
VLAN1 - 172.17.0.0/16
VLAN2 - 10.1.2.0/23
HOST1 - 10.1.2.10
I'd like to allow only HOST1 to reach VLAN1. VLAN2 should NOT be allowed to get to VLAN1. Also, I'd like VLAN1 to be able to access VLAN2 as well as get out to the internet, etc. I have routing set up and everything is working fine with that. I just want to place an ACL to restrict traffic. How can I do this? This has got to be simple, but I can't quite figure it out.
Thanks!
Rob
03-04-2009 06:45 AM
Rob
It's not quite as straightforward as it sounds, because you want to allow traffic initiated from vlan 1 through to vlan 2 and presumably the return traffic as well. But you don't want vlan 2 to be able to initiate connections to vlan 1, except for 10.1.2.10.
If your traffic is a mixture of TCP/UDP then you will have to use reflexive access-lists to achieve what you want. Please see the attached link for configuration details:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfreflx.html
Jon
03-04-2009 06:48 AM
Hello Rob,
Extended ACLs for TCP allow you to use the established keyword, which permits TCP sessions that are already established.
In this way you can have TCP connections started from vlan 1 permitted and TCP sessions started from vlan 2 denied (because they have the TCP flags set to initiate the session).
So:
access-list 101 permit tcp host 10.1.2.10 172.17.0.0 0.0.255.255
access-list 101 permit tcp 10.1.2.0 0.0.1.255 172.17.0.0 0.0.255.255 established
You can then apply the ACL inbound on vlan 2:
int vlan2
ip access-group 101 in
In this way only host 10.1.2.10 can start TCP sessions to net 172.17.0.0.
Sessions started from 172.17.0.0 to other hosts in 10.1.2.0/23 are permitted.
Hope to help
Giuseppe
03-04-2009 07:48 AM
Thanks for the info. Do extended ACLs for UDP allow the ESTABLISHED keyword as well? Would it be possible to apply the ACL to VLAN1? I only ask because we have about 20 VLANs on the LAN (all of which should not be able to access VLAN1) and I'd rather not apply the access-group to all of them, if possible.
-Rob
03-04-2009 08:17 AM
Hello Rob,
Unfortunately UDP has no session/socket concept, so the established keyword doesn't apply.
In your case you can think about applying a single outbound ACL under SVI vlan 1 instead.
Hope to help
Giuseppe
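To make the difference between the two mechanisms in this thread concrete, here is an added example (not Cisco code and not posted by anyone in the thread): a small Python model of how an IOS-style ACL evaluates the established keyword, and of how a reflexive ACL tracks return flows instead. The model is a simplification: established is stateless and only looks at the ACK/RST flag bits of the packet in hand, which is exactly why it has nothing to match on for UDP, whereas the reflexive filter remembers each outbound flow and permits only its mirror image back in. The ACL entries, host addresses and sample packets are constructed for the example from the addressing in the thread.

```python
"""Toy model of two IOS ACL mechanisms: the stateless 'established'
keyword and a reflexive (stateful) access list. Added illustration,
not Cisco's implementation; semantics are simplified."""
from dataclasses import dataclass
import ipaddress

# TCP flag bits (RFC 793 positions, low byte of the flags field)
SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: int = 0  # TCP flag bits; always 0 for UDP (it has none)


@dataclass
class Ace:
    """One access-control entry. 'established' mirrors IOS: match only
    when the packet's ACK or RST bit is set."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    established: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        if self.established:
            # Stateless check of flag bits only. A UDP datagram carries
            # no flags, so the keyword can never match it.
            return pkt.proto == "tcp" and bool(pkt.flags & (ACK | RST))
        return True


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# ACL 101 from the thread, wildcard masks rewritten as CIDR prefixes.
ACL_101 = [
    Ace("permit", "tcp", net("10.1.2.10/32"), net("172.17.0.0/16")),
    Ace("permit", "tcp", net("10.1.2.0/23"), net("172.17.0.0/16"),
        established=True),
]


def evaluate_acl(acl, pkt: Packet) -> str:
    """First matching ACE wins; implicit deny at the end, as on IOS."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


class ReflexiveFilter:
    """Simplified 'reflect'/'evaluate' pair: every outbound flow creates
    a temporary entry that permits only the exact reverse 5-tuple."""

    def __init__(self, static_inbound_acl):
        self.static_acl = static_inbound_acl
        self.reverse_flows = set()

    def outbound(self, pkt: Packet) -> str:
        # vlan1 -> vlan2 direction: permitted, and the mirror flow is recorded
        self.reverse_flows.add(
            (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return "permit"

    def inbound(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.reverse_flows:
            return "permit"
        return evaluate_acl(self.static_acl, pkt)


if __name__ == "__main__":
    host1_syn = Packet("tcp", "10.1.2.10", "172.17.1.5", 40000, 22, SYN)
    other_syn = Packet("tcp", "10.1.3.7", "172.17.1.5", 40001, 22, SYN)
    other_ack = Packet("tcp", "10.1.3.7", "172.17.1.5", 40001, 22, ACK)
    other_udp = Packet("udp", "10.1.3.7", "172.17.1.5", 53, 40002)
    for p in (host1_syn, other_syn, other_ack, other_udp):
        print(p.proto, p.src, "->", p.dst, evaluate_acl(ACL_101, p))
```

Because the established check is purely a flag test, any packet with ACK set passes it, so it stops new connections being opened but is not a session table; the reflexive model, which only admits a datagram whose 5-tuple mirrors one it saw leave, is what closes that gap for UDP and ICMP, as Jon notes.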
03-04-2009 09:59 AM
Rob
Reflexive ACLs do allow for TCP/UDP/ICMP traffic.
Jon