Assigning Ingress/Egress ACL to Vlan

Answered Question
Jun 14th, 2010

I am trying to assign an ACL to a management VLAN so that no traffic can traverse between the managed and management networks.  This is the configuration that I used.

access-list 100 deny   ip any 10.255.255.0 0.0.0.255 log
access-list 101 deny   ip 10.255.255.0 0.0.0.255 any log

interface Vlan30
description Management VLAN
ip address 10.255.255.1 255.255.255.0
ip access-group 100 in
ip access-group 101 out
no ip redirects
no ip unreachables
no ip proxy-arp

coto.fusionet Mon, 06/14/2010 - 12:13

Hi,

If you apply those ACLs, no IP traffic at all will traverse the interface because there's an implicit deny everything else at the end of the ACL.

If you implement an ACL, there must be a permit statement, otherwise ALL traffic is denied.

Federico.

charles.e.davis... Mon, 06/14/2010 - 12:19

Ok, that makes sense.  So how do you create an Ingress/Egress filter for a management VLAN?  Mainly I am strictly concerned with not allowing any traffic whatsoever to be routed by the 3750 to or from the management network.  I want it completely isolated.  Thanks for the help in this.

coto.fusionet Mon, 06/14/2010 - 12:23

You need to define in the ACLs what the management VLAN should have access to.

After permitting that traffic, apply the deny statements that you posted before.

i.e.

If the management VLAN needs access to host x.x.x.x

then, the ACL should have a "permit" statement as the first entry, and everything not specified in the ACL will be denied (by the implicit rule).

Federico.

charles.e.davis... Mon, 06/14/2010 - 12:29

I don't think I explained this correctly.  I'm using the 3750 as a default gateway for several networks before bringing them into a firewall to get connectivity to the WAN.  I have enabled ip routing on the switch.  What I am trying to do is allow all of the equipment on the management VLAN to talk and not allow them to get routed nor allow anything from the other VLANs to get inside of it.  So do I have to permit 10.255.255.0 traffic to talk to 10.255.255.0 traffic and then deny everything else?  Thanks for your patience.

coto.fusionet Mon, 06/14/2010 - 12:36

Ok,
The 3750 is the default gateway for some networks (doing IP routing).
The management VLAN is 10.255.255.0/24

If you do the following:

access-list 100 deny   ip any 10.255.255.0 0.0.0.255 log
access-list 101 deny   ip 10.255.255.0 0.0.0.255 any log

interface Vlan30
description Management VLAN
ip address 10.255.255.1 255.255.255.0
ip access-group 100 in
ip access-group 101 out

What is going to happen is that no traffic can get in/get out the management VLAN.
In other words, the 10.255.255.x will not be able to send traffic out the management VLAN
and will not be able to receive traffic from outside the management VLAN.
Communication inside the management VLAN will not be affected by the ACL.


Is this the behavior that you want?

Federico.

charles.e.davis... Mon, 06/14/2010 - 12:39

Yes, absolutely.  Unfortunately it is not working.  I have a test workstation on the management network and it is having no problem with getting out to the internet.

coto.fusionet Mon, 06/14/2010 - 12:48

Charles,

Remove your ACLs and just leave this configuration:

access-list 100 deny ip 10.255.255.0 0.0.0.255 any log

int vlan 30
ip access-group 100 in

Then, check if you can get to the Internet from the management workstation.

(if you still can, let me know the IP of the PC).

Federico.

coto.fusionet Mon, 06/14/2010 - 13:19

So, you have an ACL denying the traffic under VLAN 30 and traffic is still flowing...
This is the only path the traffic has to get out correct?
Can you make sure the packets are indeed going through Interface VLAN 30?

access-list 105 permit ip host 10.255.255.2 any
inter vlan 30
ip access-group 105 in

Then, when you send traffic again, you should see the hit counts in this ACE incrementing every time.
Just to make sure traffic is going through.

Federico.
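The behaviour Federico walks through above (first matching entry wins, an implicit deny at the end that shows no hit count, intra-VLAN traffic never touching the SVI ACL, and a probe ACE whose counter should climb with every packet) can be exercised offline with the following Python simulation. This is an added example, not code from the thread or from Cisco IOS. The 10.255.255.0/24 management VLAN, the SVI address 10.255.255.1, the ACL lines and 4.2.2.2 are taken from the thread; the permitted host 192.0.2.10, the outside host 198.51.100.7 and the firewall address 10.255.255.254 are constructed placeholders.

```python
"""Simulate how a Cisco IOS extended ACL applied to an SVI is evaluated.

Added example, not code from the thread. The ACL lines and the
10.255.255.0/24 management VLAN come from the thread; 192.0.2.10,
198.51.100.7 and the firewall address 10.255.255.254 are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MGMT = ipaddress.IPv4Network("10.255.255.0/24")
SVI_IP = "10.255.255.1"
FIREWALL = "10.255.255.254"  # constructed: the firewall's leg in the management VLAN


def ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume one IOS address spec (any | host A | A WILDCARD) at tokens[i].

    Returns ((value, mask), next_index). An IOS wildcard is an inverted
    netmask: 0 bits must match, 1 bits are don't-care, so mask = ~wildcard.
    """
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (ip_int(tokens[i + 1]), 0xFFFFFFFF), i + 2
    value, wildcard = ip_int(tokens[i]), ip_int(tokens[i + 1])
    mask = ~wildcard & 0xFFFFFFFF
    return (value & mask, mask), i + 2


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    src: Tuple[int, int]   # (value, mask)
    dst: Tuple[int, int]
    hits: int = 0          # the "(N matches)" that "show access-lists" reports

    def matches(self, s: int, d: int) -> bool:
        return (s & self.src[1]) == self.src[0] and (d & self.dst[1]) == self.dst[0]


@dataclass
class Acl:
    number: int
    aces: List[Ace] = field(default_factory=list)

    def add(self, line: str) -> None:
        # e.g. "access-list 100 deny ip any 10.255.255.0 0.0.0.255 log" ("log" is ignored here)
        t = line.split()
        assert t[0] == "access-list" and int(t[1]) == self.number and t[3] == "ip"
        src, i = parse_addr(t, 4)
        dst, _ = parse_addr(t, i)
        self.aces.append(Ace(t[2], src, dst))

    def check(self, src: str, dst: str) -> str:
        """First matching ACE wins. The trailing implicit deny is not an ACE:
        it is not listed in the output and never increments a counter."""
        s, d = ip_int(src), ip_int(dst)
        for ace in self.aces:
            if ace.matches(s, d):
                ace.hits += 1
                return ace.action
        return "deny"

    def hit_counts(self) -> List[int]:
        return [ace.hits for ace in self.aces]


@dataclass
class Svi:
    """interface VlanN: its subnet, its own IP, and the in/out ACLs."""
    subnet: ipaddress.IPv4Network
    address: str
    acl_in: Optional[Acl] = None
    acl_out: Optional[Acl] = None

    def forward(self, src: str, dst: str, gateway: str = SVI_IP) -> str:
        """Fate of one packet: "permit", "deny", or "bypassed" when the SVI
        (and therefore its ACL) is never in the path."""
        src_in = ipaddress.IPv4Address(src) in self.subnet
        dst_in = ipaddress.IPv4Address(dst) in self.subnet
        if src_in and dst_in:
            return "bypassed"      # switched at layer 2 inside the VLAN
        if src_in:
            if gateway != self.address:
                return "bypassed"  # host hands the packet to another gateway (the firewall) at L2
            return self.acl_in.check(src, dst) if self.acl_in else "permit"
        if dst_in:                 # routed into the VLAN: the "out" ACL applies
            return self.acl_out.check(src, dst) if self.acl_out else "permit"
        raise ValueError("packet does not touch this SVI")


def acl(number: int, *lines: str) -> Acl:
    a = Acl(number)
    for line in lines:
        a.add(line)
    return a


def original_config() -> Svi:
    """The poster's ACLs: deny-only entries, so the implicit deny blocks everything."""
    return Svi(MGMT, SVI_IP,
               acl(100, "access-list 100 deny ip any 10.255.255.0 0.0.0.255 log"),
               acl(101, "access-list 101 deny ip 10.255.255.0 0.0.0.255 any log"))


def permit_then_deny_config() -> Svi:
    """Permit the one host the VLAN must reach, then deny the rest explicitly."""
    return Svi(MGMT, SVI_IP, acl(
        100,
        "access-list 100 permit ip 10.255.255.0 0.0.0.255 host 192.0.2.10",
        "access-list 100 deny ip 10.255.255.0 0.0.0.255 any log"))


if __name__ == "__main__":
    svi = original_config()
    print(svi.forward("10.255.255.2", "4.2.2.2"), svi.acl_in.hit_counts())   # deny [0]
    print(svi.forward("10.255.255.2", "4.2.2.2", gateway=FIREWALL))          # bypassed
```

Two results are worth noting. With the poster's original ACLs every routed packet is dropped, yet both counters stay at 0, because the drop comes from the implicit deny rather than from the logged entries; an explicit `deny ip any any log` as the last entry is what makes such drops visible. And when the workstation's default gateway is the firewall rather than the SVI, the packet never reaches interface Vlan30 at all, so no ACL on that interface can affect it, which is exactly the situation the thread ends on.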

charles.e.davis... Mon, 06/14/2010 - 13:31

I got only one hit from hitting multiple different websites.  That doesn't make much sense.  The workstation is directly connected to the 3750 and the port is configured for vlan 30.  It just doesn't make sense that the traffic is still flowing.

Correct Answer
coto.fusionet Mon, 06/14/2010 - 13:34

If it's a Windows machine, do a traceroute to verify the path that it is taking.

i.e.

tracert 4.2.2.2

Federico.

charles.e.davis... Mon, 06/14/2010 - 13:48

Thanks a lot for your help.  I had the default gateway on the computer set to the firewall, which is also connected to the management network.  I hadn't turned off the routing for that port yet due to testing, so I ran into a couple of problems at the same time.  Thanks again.

This Discussion

Posted June 14, 2010 at 12:11 PM