06-14-2010 12:11 PM - edited 03-06-2019 11:34 AM
I am trying to assign an ACL to a management VLAN so that no traffic can traverse between the managed and management networks. This is the configuration that I used.
access-list 100 deny ip any 10.255.255.0 0.0.0.255 log
access-list 101 deny ip 10.255.255.0 0.0.0.255 any log
interface Vlan30
description Management VLAN
ip address 10.255.255.1 255.255.255.0
ip access-group 100 in
ip access-group 101 out
no ip redirects
no ip unreachables
no ip proxy-arp
06-14-2010 12:13 PM
Hi,
If you apply those ACLs, no IP traffic at all will traverse the interface because there's an implicit deny everything else at the end of the ACL.
If you implement an ACL, there must be a permit statement, otherwise ALL traffic is denied.
Federico.
06-14-2010 12:19 PM
Ok, that makes sense. So how do you create an Ingress/Egress filter for a management VLAN? Mainly I am strictly concerned with not allowing any traffic whatsoever to be routed by the 3750 to or from the management network. I want it completely isolated. Thanks for the help in this.
06-14-2010 12:23 PM
You need to define in the ACLs what the management VLAN should have access to.
After permitting that traffic, apply the deny statements that you posted before.
i.e
If the management VLAN needs access to host x.x.x.x
then the ACL should have a 'permit' statement as the first entry, and everything not specified in the ACL will be denied (by the implicit rule).
Federico.
06-14-2010 12:29 PM
I don't think I explained this correctly. I'm using the 3750 as a default gateway for several networks before bringing them into a firewall to get connectivity to the WAN. I have enabled ip routing on the switch. What I am trying to do is allow all of the equipment on the management vlan to talk and not allow them to get routed nor allow anything from the other vlans to get inside of it. So do I have to permit 10.255.255.0 traffic to talk to 10.255.255.0 traffic and then deny everything else? Thanks for your patience.
06-14-2010 12:36 PM
Ok,
The 3750 is the default gateway for some networks (doing IP routing).
The management VLAN is 10.255.255.0/24
If you do the following:
access-list 100 deny ip any 10.255.255.0 0.0.0.255 log
access-list 101 deny ip 10.255.255.0 0.0.0.255 any log
interface Vlan30
description Management VLAN
ip address 10.255.255.1 255.255.255.0
ip access-group 100 in
ip access-group 101 out
What is going to happen is that no traffic can get in/get out the management VLAN.
In other words, the 10.255.255.x will not be able to send traffic out the management VLAN
and will not be able to receive traffic from outside the management VLAN.
Communication inside the management VLAN will not be affected by the ACL.
Is this the behavior that you want?
Federico.
06-14-2010 12:39 PM
Yes, absolutely. Unfortunately it is not working. I have a test workstation on the management network and it is having no problem with getting out to the internet.
06-14-2010 12:48 PM
Charles,
Remove your ACLs and just leave this configuration:
access-list 100 deny ip 10.255.255.0 0.0.0.255 any log
int vlan 30
ip access-group 100 in
Then, check if you can get to the Internet from the management workstation.
(if you still can, let me know the IP of the PC).
Federico.
06-14-2010 01:03 PM
Yeah, it's still working unfortunately. The ip address of the computer is 10.255.255.2/24.
06-14-2010 01:19 PM
So, you have an ACL denying the traffic under VLAN 30 and traffic is still flowing...
This is the only path the traffic has to get out correct?
Can you make sure the packets are indeed going through Interface VLAN 30?
access-list 105 permit ip host 10.255.255.2 any
inter vlan 30
ip access-group 105 in
Then, when you send traffic again, you should see the hit counts on this ACE incrementing every time.
Just to make sure traffic is going through.
Federico.
06-14-2010 01:31 PM
I got only one hit from hitting multiple different websites. That doesn't make much sense. The workstation is directly connected to the 3750 and the port is configured for vlan 30. It just doesn't make sense that the traffic is still flowing.
06-14-2010 01:34 PM
If it's a Windows machine, do a traceroute to verify the path that it is taking.
i.e
tracert 4.2.2.2
Federico.
06-14-2010 01:48 PM
Thanks a lot for your help. I had the default gateway on the computer set to the firewall, which is also connected to the management network. I hadn't turned off the routing for that port yet due to testing, so I ran into a couple of problems at the same time. Thanks again.
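As an added illustration (my own Python model, not anything posted in the thread or shipped by Cisco), the script below ties together the three points made above: the implicit deny at the end of every IOS ACL that Federico describes, first-match evaluation with per-entry hit counts as in his ACL 105 check, and the reason the workstation still reached the Internet, namely that an SVI ACL only sees traffic the switch itself routes, so a host whose default gateway is the firewall on the same VLAN never touches it. The firewall address 10.255.255.254 and the management host 10.1.1.5 are constructed values; the ACLs are the ones quoted in the thread.

```python
"""Constructed model of a 3750 SVI (Vlan30) with an inbound IOS-style ACL
and a workstation whose default gateway may or may not be that SVI.
Hypothetical helper names; this is not Cisco code."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    """One access-control entry: 'permit'/'deny', source spec, destination spec."""
    action: str   # "permit" or "deny"
    src: str      # "any", "host A.B.C.D", or "A.B.C.D W.W.W.W" (wildcard mask)
    dst: str
    hits: int = 0  # incremented on match, like the counters in 'show access-lists'


def _match(spec: str, addr: str) -> bool:
    """IOS address matching: 'any', 'host X', or 'network wildcard'."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    net, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    care = ~wild & 0xFFFFFFFF        # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


class Acl:
    """Ordered ACL with first-match semantics and the implicit deny at the end."""

    def __init__(self, entries):
        self.entries = [Ace(*e) for e in entries]
        self.implicit_denies = 0

    def evaluate(self, src: str, dst: str) -> str:
        for ace in self.entries:          # first matching entry wins
            if _match(ace.src, src) and _match(ace.dst, dst):
                ace.hits += 1
                return ace.action
        self.implicit_denies += 1         # nothing matched: implicit 'deny ip any any'
        return "deny"


MGMT_SVI = "10.255.255.1"                         # ip address on interface Vlan30
MGMT_NET = ipaddress.ip_network("10.255.255.0/24")


def forward(host_ip: str, host_gateway: str, dst: str, svi_acl_in: Acl) -> str:
    """Where a packet from the management host ends up.
    Same-subnet traffic is switched at layer 2 and never reaches the SVI ACL.
    Off-subnet traffic goes to the host's gateway; only when that gateway is
    the SVI does the 3750 route it and consult the inbound ACL."""
    if ipaddress.ip_address(dst) in MGMT_NET:
        return "switched-l2"
    if host_gateway != MGMT_SVI:
        return f"forwarded-by-{host_gateway}"    # e.g. the firewall on the same VLAN
    verdict = svi_acl_in.evaluate(host_ip, dst)
    return "routed" if verdict == "permit" else "dropped-by-acl"


if __name__ == "__main__":
    # The original inbound ACL 100: only a deny, so everything is denied.
    original = Acl([("deny", "any", "10.255.255.0 0.0.0.255")])
    print(original.evaluate("10.255.255.2", "4.2.2.2"), original.implicit_denies)

    # The simplified test ACL from later in the thread, on the SVI.
    acl100 = Acl([("deny", "10.255.255.0 0.0.0.255", "any")])
    print(forward("10.255.255.2", "10.255.255.1", "4.2.2.2", acl100))   # dropped-by-acl
    # Same host, but its default gateway is the firewall (constructed address).
    print(forward("10.255.255.2", "10.255.255.254", "4.2.2.2", acl100))  # bypasses SVI
    print(acl100.entries[0].hits)                                        # still 1

    # A usable isolation ACL: permit the one needed management host first,
    # then the explicit deny; the implicit deny catches the rest anyway.
    fixed = Acl([("permit", "10.255.255.0 0.0.0.255", "host 10.1.1.5"),
                 ("deny", "10.255.255.0 0.0.0.255", "any")])
    print(forward("10.255.255.2", "10.255.255.1", "10.1.1.5", fixed))   # routed
    print(forward("10.255.255.2", "10.255.255.1", "4.2.2.2", fixed))    # dropped-by-acl
```

The `hits` counters only move when `forward` actually runs `evaluate`, which is the check Federico was making with ACL 105: a single hit from many web requests means most of the traffic is taking another path out of the VLAN.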