Assigning Ingress/Egress ACL to Vlan

charles.e.davis
Level 1

I am trying to assign an ACL to a management VLAN so that no traffic can traverse between the managed and management networks.  This is the configuration that I used.

access-list 100 deny   ip any 10.255.255.0 0.0.0.255 log
access-list 101 deny   ip 10.255.255.0 0.0.0.255 any log

interface Vlan30
description Management VLAN
ip address 10.255.255.1 255.255.255.0
ip access-group 100 in
ip access-group 101 out
no ip redirects
no ip unreachables
no ip proxy-arp


Hi,

If you apply those ACLs, no IP traffic at all will traverse the interface because there's an implicit deny everything else at the end of the ACL.

If you implement an ACL, there must be a permit statement, otherwise ALL traffic is denied.

Federico.

OK, that makes sense.  So how do you create an ingress/egress filter for a management VLAN?  Mainly I am strictly concerned with not allowing any traffic whatsoever to be routed by the 3750 to or from the management network.  I want it completely isolated.  Thanks for the help in this.

You need to define in the ACLs what the management VLAN should have access to.

After permitting that traffic, apply the deny statements that you posted before.

i.e

If the management VLAN needs access to host x.x.x.x

then the ACL should have a 'permit' statement as the first entry, and everything not specified in the ACL will be denied (by the implicit rule).

Federico.

I don't think I explained this correctly.  I'm using the 3750 as a default gateway for several networks before bringing them into a firewall to get connectivity to the WAN.  I have enabled ip routing on the switch.  What I am trying to do is allow all of the equipment on the management vlan to talk and not allow them to get routed nor allow anything from the other vlans to get inside of it.  So do I have to permit 10.255.255.0 traffic to talk to 10.255.255.0 traffic and then deny everything else?  Thanks for your patience.

Ok,
The 3750 is the default gateway for some networks (doing IP routing).
The management VLAN is 10.255.255.0/24

If you do the following:

access-list 100 deny   ip any 10.255.255.0 0.0.0.255 log
access-list 101 deny   ip 10.255.255.0 0.0.0.255 any log

interface Vlan30
description Management VLAN
ip address 10.255.255.1 255.255.255.0
ip access-group 100 in
ip access-group 101 out

What is going to happen is that no traffic can get into or out of the management VLAN.
In other words, the 10.255.255.x hosts will not be able to send traffic out of the management VLAN
and will not be able to receive traffic from outside the management VLAN.
Communication inside the management VLAN will not be affected by the ACL.


Is this the behavior that you want?

Federico.

Yes, absolutely.  Unfortunately it is not working.  I have a test workstation on the management network and it is having no problem with getting out to the internet.

Charles,

Remove your ACLs and just leave this configuration:

access-list 100 deny ip 10.255.255.0 0.0.0.255 any log

int vlan 30
ip access-group 100 in

Then, check if you can get to the Internet from the management workstation.

(if you still can, let me know the IP of the PC).

Federico.

Yeah, it's still working unfortunately.  The ip address of the computer is 10.255.255.2/24.

So, you have an ACL denying the traffic under VLAN 30 and traffic is still flowing...
This is the only path the traffic has to get out correct?
Can you make sure the packets are indeed going through Interface VLAN 30?

access-list 105 permit ip host 10.255.255.2 any
inter vlan 30
ip access-group 105 in

Then, when you send traffic again, you should see the hit count on this ACE incrementing every time.
Just to make sure, traffic is going through.

Federico.

I got only one hit from hitting multiple different websites.  That doesn't make much sense.  The workstation is directly connected to the 3750 and the port is configured for vlan 30.  It just doesn't make sense that the traffic is still flowing.

If it's a Windows machine, do a traceroute to verify the path that it is taking.

i.e

tracert 4.2.2.2

Federico.

Thanks a lot for your help.  I had the default gateway on the computer set to the firewall, which is also connected to the management network.  I hadn't turned off the routing for that port yet due to testing, so I ran into a couple of problems at the same time.  Thanks again.
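The two points Federico makes above (an ACL with no permit entry drops everything through the implicit deny, and an SVI ACL only sees packets that are actually handed to the SVI) and the resolution Charles reached (the workstation's default gateway was the firewall on VLAN 30, so its Internet traffic was switched at layer 2 and never crossed the ACL) can be modelled in a few lines. The following is an added example written for this page, not configuration or code from the thread or from Cisco: it evaluates IOS-style numbered ACLs with wildcard masks, first-match semantics, per-ACE hit counters and the implicit deny, then decides for each packet whether it reaches the SVI at all. The firewall address 10.255.255.254 and the permitted host 10.10.10.5 are assumptions; the thread gives neither.

```python
"""Model of how an IOS numbered ACL on an SVI sees (or does not see) traffic
from a host on that VLAN.  Added example; not from the thread or from Cisco.
FIREWALL_IP and the 10.10.10.5 target are ASSUMED values."""
import ipaddress
from dataclasses import dataclass

MGMT_NET = ipaddress.ip_network("10.255.255.0/24")   # from the thread
SVI_IP = "10.255.255.1"                                # interface Vlan30
FIREWALL_IP = "10.255.255.254"                         # ASSUMED: thread gives no address
HOST_IP = "10.255.255.2"                               # the test workstation


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: str      # "any", "host A.B.C.D", or "A.B.C.D WILDCARD"
    dst: str


def addr_matches(spec: str, ip: str) -> bool:
    """IOS address/wildcard matching: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    kind, value = spec.split()
    addr = int(ipaddress.IPv4Address(ip))
    if kind == "host":
        return addr == int(ipaddress.IPv4Address(value))
    base = int(ipaddress.IPv4Address(kind))
    wild = int(ipaddress.IPv4Address(value))
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


class Acl:
    """First-match list with per-ACE hit counters and the implicit deny."""

    def __init__(self, aces):
        self.aces = list(aces)
        self.hits = [0] * len(self.aces)

    def evaluate(self, src_ip: str, dst_ip: str) -> str:
        for i, ace in enumerate(self.aces):
            if addr_matches(ace.src, src_ip) and addr_matches(ace.dst, dst_ip):
                self.hits[i] += 1          # what 'show access-lists' counts
                return ace.action
        return "deny"                       # implicit 'deny ip any any'


def path_from_vlan30(acl_in: Acl, src_ip: str, dst_ip: str, host_gateway: str):
    """Return (path, verdict) for a packet sent by a VLAN 30 host.

    Only packets handed to the SVI are checked against its inbound ACL.
    Frames switched at layer 2 to another VLAN 30 device, including a
    firewall the host uses as its default gateway, never reach it."""
    dst = ipaddress.ip_address(dst_ip)
    if dst_ip == SVI_IP:
        return "svi", acl_in.evaluate(src_ip, dst_ip)
    if dst in MGMT_NET:
        return "intra-vlan", "forwarded"          # host ARPs for dst directly
    if host_gateway == SVI_IP:
        return "svi", acl_in.evaluate(src_ip, dst_ip)
    return "bypass-via-" + host_gateway, "forwarded"   # L2 to the other gateway


def demo():
    # Original deny-only list: the ACE never matches, so the implicit deny
    # drops the packet anyway; the explicit 'deny' only adds a log entry.
    acl100_orig = Acl([Ace("deny", "any", "10.255.255.0 0.0.0.255")])
    # Federico's simplified test list: deny anything sourced from the management net.
    acl100 = Acl([Ace("deny", "10.255.255.0 0.0.0.255", "any")])
    # The shape he recommends: permit what is needed first, deny the rest.
    acl_permit_first = Acl([Ace("permit", "10.255.255.0 0.0.0.255", "host 10.10.10.5"),
                            Ace("deny", "10.255.255.0 0.0.0.255", "any")])
    # His hit-count probe: one permit for the workstation, applied inbound.
    acl105 = Acl([Ace("permit", "host " + HOST_IP, "any")])

    out = {
        "orig_to_internet": path_from_vlan30(acl100_orig, HOST_IP, "4.2.2.2", SVI_IP),
        "mgmt_to_internet": path_from_vlan30(acl100, HOST_IP, "4.2.2.2", SVI_IP),
        "mgmt_to_mgmt": path_from_vlan30(acl100, HOST_IP, "10.255.255.50", SVI_IP),
        "mgmt_to_allowed_host": path_from_vlan30(acl_permit_first, HOST_IP, "10.10.10.5", SVI_IP),
        "mgmt_to_internet_permit_first": path_from_vlan30(acl_permit_first, HOST_IP, "4.2.2.2", SVI_IP),
        # The situation at the end of the thread: the PC's gateway is the firewall.
        "gateway_is_firewall": path_from_vlan30(acl100, HOST_IP, "4.2.2.2", FIREWALL_IP),
    }
    # Send three probes with each gateway setting; only the SVI path counts hits.
    for _ in range(3):
        path_from_vlan30(acl105, HOST_IP, "4.2.2.2", FIREWALL_IP)
    hits_with_firewall_gw = acl105.hits[0]
    for _ in range(3):
        path_from_vlan30(acl105, HOST_IP, "4.2.2.2", SVI_IP)
    hits_with_svi_gw = acl105.hits[0]
    return out, acl100_orig.hits, hits_with_firewall_gw, hits_with_svi_gw


if __name__ == "__main__":
    results, orig_hits, fw_hits, svi_hits = demo()
    for name, (path, verdict) in results.items():
        print(f"{name:32s} path={path:28s} verdict={verdict}")
    print("ACE hits on original acl 100:", orig_hits, "(dropped by the implicit deny)")
    print("acl 105 hits, gateway=firewall:", fw_hits, " gateway=SVI:", svi_hits)
```

The model deliberately ignores the outbound list on the SVI and return traffic; the point it makes is the one the thread turns on: an access-group on interface Vlan30 is a control on routed traffic, so a host whose next hop is another device on the same VLAN (here the firewall) is never subject to it, and the near-zero hit count on the diagnostic ACE is exactly the symptom of that.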
