Separate L3 VLANs with VLAN access-maps

Unanswered Question
Jul 4th, 2012

Hi guys,


the situation:


I've 6 VLANs:

11,21,41 production vlans

10,20,40 lab vlans


They are all connected (routed) on a 3750 stack


I would like to separate those two groups from each other using VLAN access-maps (or ACLs if they work better) and block all traffic except http/s and RDP.


I've managed to block all traffic with this config:


vlan access-map VACL_L3SEP 10
 action drop
 match ip address ACL_SEP
vlan access-map VACL_L3SEP 20
 action forward
 match ip address ACL_PERMIT_ALL

ip access-list extended ACL_PERMIT_ALL
 permit ip any any
ip access-list extended ACL_SEP
 permit ip 192.168.11.0 0.0.0.255 any
 permit ip 192.168.21.0 0.0.0.255 any
 permit ip 192.168.41.0 0.0.0.255 any
 permit ip any 192.168.11.0 0.0.0.255
 permit ip any 192.168.21.0 0.0.0.255
 permit ip any 192.168.41.0 0.0.0.255


At the moment I'm a blockhead, so I tried various configs to except http/s and RDP, but I can't achieve the desired results.

Anyone got an idea?


Maybe ACLs are better suited for this?


Thanks for any help on this


Regards

Soeren

Hari Haran S M Thu, 07/05/2012 - 01:17
User Badges:
  • Cisco Employee,

Hi Soeren,


If you would like to block traffic between separate VLANs, it's better to do it through extended ACLs [where you can specify the port number to block a particular port as well] applied on the SVI interface. A VLAN access map will be helpful when you want to block traffic within the same VLAN.


Regards,

Hari

Ganesh Hariharan Thu, 07/05/2012 - 01:42
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Member's Choice, February 2016


Soeren,


Agreed with Hari's post. VLAN access maps are for playing with traffic within the VLAN, but extended ACLs can be used for blocking inter-VLAN traffic by port and protocol.


Check out the link below for applying extended ACLs.


http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v4013/command/reference/ext_acl.pdf



Hope to Help !!


Regards

Ganeshh Iyer


Rate if it Helps ....

soeren.kromrey Thu, 07/05/2012 - 04:20

Hi Hari, Hi Ganeshh,


thanks for your comments. If I use extended ACLs to filter the traffic, would this config achieve my goal?


interface vlan 10
     ip address 192.168.10.1 255.255.255.0
     ip access-group v10 in

interface vlan 20
     ip address 192.168.20.1 255.255.255.0
     ip access-group v20 in

interface vlan 40
     ip address 192.168.40.1 255.255.255.0
     ip access-group v40 in

ip access-list extended v10
    permit tcp any 192.168.10.0 0.0.0.255 eq 3389
    permit tcp any 192.168.10.0 0.0.0.255 eq 443
    permit tcp any 192.168.10.0 0.0.0.255 eq 80
    permit tcp 192.168.10.0 0.0.0.255 eq 3389 any
    permit tcp 192.168.10.0 0.0.0.255 eq 443 any
    permit tcp 192.168.10.0 0.0.0.255 eq 80 any
    deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
    deny ip 192.168.10.0 0.0.0.255 192.168.21.0 0.0.0.255
    deny ip 192.168.10.0 0.0.0.255 192.168.41.0 0.0.0.255
    deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
    deny ip 192.168.21.0 0.0.0.255 192.168.10.0 0.0.0.255
    deny ip 192.168.41.0 0.0.0.255 192.168.10.0 0.0.0.255
    permit ip any any
    deny ip any any

ip access-list extended v20
    permit tcp any 192.168.20.0 0.0.0.255 eq 3389
    permit tcp any 192.168.20.0 0.0.0.255 eq 443
    permit tcp any 192.168.20.0 0.0.0.255 eq 80
    permit tcp 192.168.20.0 0.0.0.255 eq 3389 any
    permit tcp 192.168.20.0 0.0.0.255 eq 443 any
    permit tcp 192.168.20.0 0.0.0.255 eq 80 any
    deny ip 192.168.20.0 0.0.0.255 192.168.11.0 0.0.0.255
    deny ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
    deny ip 192.168.20.0 0.0.0.255 192.168.41.0 0.0.0.255
    deny ip 192.168.11.0 0.0.0.255 192.168.20.0 0.0.0.255
    deny ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
    deny ip 192.168.41.0 0.0.0.255 192.168.20.0 0.0.0.255
    permit ip any any
    deny ip any any

ip access-list extended v40
    permit tcp any 192.168.40.0 0.0.0.255 eq 3389
    permit tcp any 192.168.40.0 0.0.0.255 eq 443
    permit tcp any 192.168.40.0 0.0.0.255 eq 80
    permit tcp 192.168.40.0 0.0.0.255 eq 3389 any
    permit tcp 192.168.40.0 0.0.0.255 eq 443 any
    permit tcp 192.168.40.0 0.0.0.255 eq 80 any
    deny ip 192.168.40.0 0.0.0.255 192.168.11.0 0.0.0.255
    deny ip 192.168.40.0 0.0.0.255 192.168.21.0 0.0.0.255
    deny ip 192.168.40.0 0.0.0.255 192.168.41.0 0.0.0.255
    deny ip 192.168.11.0 0.0.0.255 192.168.40.0 0.0.0.255
    deny ip 192.168.21.0 0.0.0.255 192.168.40.0 0.0.0.255
    deny ip 192.168.41.0 0.0.0.255 192.168.40.0 0.0.0.255
    permit ip any any
    deny ip any any


  • only http, https and RDP are allowed between VLANs 10,20,30 and VLANs 11,21,41; all other traffic between them is blocked
  • all traffic to and from other VLANs (e.g. vlan 10 <--> 20, 11 <--> 12, or a new vlan 2 <--> 10) is permitted


Correct?


Thx for your help in advance
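As an added example (not part of the thread), a small first-match evaluator in Python for the extended-ACL subset used above, run against the proposed v20 list as it sees packets entering SVI vlan 20 from vlan 20 hosts. It shows that the reply half of an RDP session opened from vlan 21 is permitted, while an HTTP request from a vlan 20 client to vlan 41 falls through to the deny entry, because every permit entry names the vlan 20 subnet only as destination or only with the well-known port on the vlan 20 side; the sample addresses and ports are constructed.

```python
import ipaddress

def matches(ip, addr):
    """Cisco wildcard match: mask bits set to 1 are 'do not care'; 'any' matches everything."""
    if addr[0] == "any":
        return True
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(addr[1]))
    return int(ipaddress.IPv4Address(ip)) & care == int(ipaddress.IPv4Address(addr[0])) & care

def parse_ace(line):
    """Parse 'action proto src [eq port] dst [eq port]' (the IOS extended-ACL subset used here)."""
    t, i, fields = line.split(), 2, []
    for _ in range(2):  # source address/port, then destination address/port
        addr, i = (("any", None), i + 1) if t[i] == "any" else ((t[i], t[i + 1]), i + 2)
        port, i = (int(t[i + 1]), i + 2) if i < len(t) and t[i] == "eq" else (None, i)
        fields += [addr, port]
    return (t[0], t[1], *fields)

def evaluate(acl_text, proto, sip, sport, dip, dport):
    """First matching entry wins; IOS appends an implicit 'deny ip any any'. Returns (action, entry)."""
    for line in acl_text.strip().splitlines():
        action, p, src, sp, dst, dp = parse_ace(line.strip())
        if (p == "ip" or p == proto) and matches(sip, src) and matches(dip, dst) \
                and sp in (None, sport) and dp in (None, dport):
            return action, line.strip()
    return "deny", "implicit deny ip any any"

# ACL v20 as proposed in the thread (syntax normalised), applied 'in' on SVI vlan 20, i.e. to packets sent by vlan 20 hosts.
V20_IN = """\
permit tcp any 192.168.20.0 0.0.0.255 eq 3389
permit tcp any 192.168.20.0 0.0.0.255 eq 443
permit tcp any 192.168.20.0 0.0.0.255 eq 80
permit tcp 192.168.20.0 0.0.0.255 eq 3389 any
permit tcp 192.168.20.0 0.0.0.255 eq 443 any
permit tcp 192.168.20.0 0.0.0.255 eq 80 any
deny ip 192.168.20.0 0.0.0.255 192.168.11.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 192.168.41.0 0.0.0.255
permit ip any any
"""

def check_flows():
    """Constructed sample flows from the poster's own requirement, as they enter SVI vlan 20."""
    http_20_to_41 = evaluate(V20_IN, "tcp", "192.168.20.15", 51000, "192.168.41.10", 80)
    rdp_reply_20_to_21 = evaluate(V20_IN, "tcp", "192.168.20.15", 3389, "192.168.21.7", 52000)
    # The entry v20 lacks: vlan 20 hosts initiating HTTP towards the production printer VLAN.
    fixed = evaluate("permit tcp 192.168.20.0 0.0.0.255 192.168.41.0 0.0.0.255 eq 80\n" + V20_IN,
                     "tcp", "192.168.20.15", 51000, "192.168.41.10", 80)
    return http_20_to_41[0], rdp_reply_20_to_21[0], fixed[0]
```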

Ganesh Hariharan Thu, 07/05/2012 - 06:25
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Member's Choice, February 2016


Hello,


I am a bit confused by your requirement. Do you want only http, https and 3389 allowed between 10, 20 and 30, and the rest blocked? Then try the ACL below and apply it on interface vlan 10, 20 and 30 in the in direction.


For example:-


ip access-list extended v10
    permit tcp any 192.168.20.0 0.0.0.255 eq 3389
    permit tcp any 192.168.20.0 0.0.0.255 eq 443
    permit tcp any 192.168.20.0 0.0.0.255 eq 80
    permit tcp <vlan 30 subnet> <wildcard> eq 3389 any
    permit tcp <vlan 30 subnet> <wildcard> eq 443 any
    permit tcp <vlan 30 subnet> <wildcard> eq 80 any
    deny ip any any


Correct me if I am wrong about your requirement, and make sure you apply this in a controlled change window.


Regards

Ganeshh Iyer

Rate if it Helps ...

soeren.kromrey Thu, 07/05/2012 - 07:34

Yep, this is one of my hidden talents, to confuse everyone around me


More detail:

We have in sum 8 vlans

Vlan 11 Server Production

Vlan 21 Clients Production

Vlan 41 Printer Production


Vlan 2 Management

Vlan 27 Internet Edge ( Default Route)


Vlan 10 Server Migration

Vlan 20 Clients Migration

Vlan 40 Printer Migration



What I want to achieve is:


- permit all Traffic between vlan 11,21,41,2,27

- permit all Traffic between vlan 10,20,40,2,27

- permit RDP, http, https between vlan (10,20,40) <--> (11,21,41), so that I can use RDP, http and https between the two ranges (e.g. RDP from 21 to 10 or http from 20 to 41)

- block all other traffic between (11,21,41) <--> (10,20,40), e.g. DNS, AD, Kerberos etc.


Hope that brings a little light into the darkness.


P.S. Apologies for the letter case going up and down; my iPhone is set to German locale and grammar correction.


Regards

Soeren





Sent from Cisco Technical Support iPhone App

Ganesh Hariharan Fri, 07/06/2012 - 00:46
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Member's Choice, February 2016


Hello Soeren,


Thanks for putting a clear picture ...Here you go ...


- permit all Traffic between vlan 11,21,41,2,27

- permit all Traffic between vlan 10,20,40,2,27

- permit rdp, http, https between vlan (10,20,40) <--> (11,21,41) so that I can rdp http https between the two Ranges (e.g rdp from 21 to 10 or http from 20 to 41)

-Block all other Traffic between (11,21,41) <--> (10,20,40) e.g. Dns, ad, Kerberos etc....



Let's concentrate on an example for one of the SVIs, say VLAN 11:


ip access-list extended v10
    remark applied inbound on the SVI for vlan 11
    permit tcp any 192.168.10.0 0.0.0.255 eq 3389
    permit tcp any 192.168.10.0 0.0.0.255 eq 443
    permit tcp any 192.168.10.0 0.0.0.255 eq 80
    permit tcp any 192.168.20.0 0.0.0.255 eq 3389
    permit tcp any 192.168.20.0 0.0.0.255 eq 443
    permit tcp any 192.168.20.0 0.0.0.255 eq 80
    permit tcp any <vlan 30 subnet> <wildcard> eq 3389
    permit tcp any <vlan 30 subnet> <wildcard> eq 443
    permit tcp any <vlan 30 subnet> <wildcard> eq 80
    permit ip any 192.168.21.0 0.0.0.255
    permit ip any 192.168.41.0 0.0.0.255
    deny ip any any


Apply the above sample in the in direction on the SVI for vlan 11, then create the same type of ACL for the other VLANs and apply them in the in direction as well.


I hope the above answers your requirement.


Ganeshh Iyer


Rate if it Helps ....

soeren.kromrey Mon, 07/09/2012 - 21:39

Hi Ganeshh,


thx for your suggestion.



The problem I encountered with your ACL was that I would have had to permit traffic to my vlan 27 (which routes to the Internet Edge) for every protocol I would like to use (e.g. http, ftp, https, smtp...). This would have led to a very blown-up ACL, so I accomplished my needs with the following config:


Examples for vlan 10 and vlan 11, applied in the inbound direction:


ip access-list extended VLAN10_IN
    permit tcp any eq 3389
    permit tcp any eq 80
    permit tcp any eq 443
    permit tcp any eq ftp
    permit tcp any eq 20
    permit tcp eq 3389 any
    permit tcp eq 80 any
    permit tcp eq 443 any
    permit tcp eq ftp any
    permit tcp eq 20 any
    deny ip
    deny ip
    deny ip
    permit ip any any

ip access-list extended VLAN11_IN
    permit tcp any eq 3389
    permit tcp any eq 80
    permit tcp any eq 443
    permit tcp any eq ftp
    permit tcp any eq 20
    permit tcp eq 3389 any
    permit tcp eq 80 any
    permit tcp eq 443 any
    permit tcp eq ftp any
    permit tcp eq 20 any
    deny ip
    deny ip
    deny ip
    permit ip any any


With this there is no need to specify single ports for IE access.


Nevertheless, thanks for your thoughts, which led me to the right solution.



Cheers

Soeren
