Cisco Support Community
Access List Query

Hi, I have 2 Layer 3 VLANs created on my core switch. These VLANs are advertised in the EIGRP process running on the core switch and subsequently advertised into BGP on the routers connected to the core switch.

The 2 VLANs are Vlan 12 and Vlan 13. Vlan 12 is a static VLAN which provides IP addresses to all the servers, and Vlan 13 is a static VLAN which provides IP addresses to the devices that communicate with the server VLAN.

My requirement is that Vlan 13 should be totally isolated from all other VLANs and traffic except Vlan 13.

i.e. Vlan 13 should be reachable via Vlan 12, and Vlan 13 should not be reachable by any other traffic or any other VLAN. Vlan 13 should be totally isolated, both in and out traffic.

I have an access list on Vlan 13, which is a standard access list permitting only Vlan 12 traffic in the outbound direction.

 

E.g.

int Vlan 13
 ip address 10.10.10.1 255.255.255.224
 ip access-group 13 out
!
int Vlan 12
 ip address 20.20.20.1 255.255.255.224
!
access-list 13 permit 20.20.20.0 0.0.0.31
!

 

But the problem is that I can ping Vlan 13 from other VLANs as source from the core switch, i.e.

ping ip 10.10.10.3 source Vlan 4 gives me 100% success, and I can ping Vlan 4 using Vlan 13 as source.

If I try to ping it from outside the network, I can ping the Vlan 13 interface but not the IP addresses in that range.

Is the goal achieved in this case? Since the access list is applied in the outbound direction, I was wondering about inbound traffic, which in a way will be achieved since outbound traffic won't be allowed to other VLANs for any inbound request, i.e. echo will be allowed but not echo-reply to the other VLAN. Just wondering if I am making sense or talking rubbish here. Do I need to make any changes to accomplish the goal of totally isolating Vlan 13?

10 REPLIES

Hello
Not sure I understand this:

"My requirement is Vlan 13 should be totally isolated from all other Vlans and traffic except Vlan 13.

i.e. Vlan 13 should be reachable via Vlan 12 and Vlan 13 should be not be reachable to any other traffic or any other Vlan. Vlan 13 should be totally isolated in and out traffic both"

Can you be a bit clearer?

res

Paul

Please don't forget to rate any posts that have been helpful. Thanks.
Sorry, that was a typo.

 

Vlan 13 should be totally isolated from all other VLANs except Vlan 12.


Hello

try this

ip access-list extended VLAN13in-out
 permit ip any 20.20.20.0 0.0.0.31
 deny ip any any log
!
ip access-list extended VLAN13out-in
 permit ip 20.20.20.0 0.0.0.31 any
 deny ip any any log
!
int Vlan 13
 ip access-group VLAN13in-out in
 ip access-group VLAN13out-in out

res

Paul

 

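The original question (why pings sourced from the core switch, and pings from outside to the Vlan 13 SVI address, succeeded despite the outbound standard ACL, and whether an outbound-only ACL isolates the VLAN) and the two-direction extended ACL pair suggested in the reply above can be replayed against a small model of how IOS applies an SVI access-group. This is an added example, not code from the thread or from Cisco. It encodes two IOS rules the thread does not spell out: an outbound ACL is not applied to packets the switch itself originates (so a ping sourced from Vlan 4 on the switch bypasses "ip access-group 13 out"), and a packet addressed to the SVI's own address is consumed by the switch rather than forwarded out of the VLAN, so the outbound ACL never sees it either. The Vlan 12 and Vlan 13 addressing follows the configs posted above; the Vlan 4 subnet 30.30.30.0/24, the outside host and all host addresses are assumptions.

```python
"""Model of an IOS SVI 'ip access-group' in both directions, used to
replay the Vlan 13 question from the thread. Constructed example: the
addressing for Vlan 12 (20.20.20.0/27) and Vlan 13 (10.10.10.0/27, SVI
10.10.10.1) is taken from the thread; Vlan 4 = 30.30.30.0/24 and every
host address below are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

NET = ipaddress.ip_network
ANY = NET("0.0.0.0/0")
VLAN12 = NET("20.20.20.0/27")
VLAN13 = NET("10.10.10.0/27")
VLAN4 = NET("30.30.30.0/24")                      # assumed subnet of Vlan 4
SVI13 = ipaddress.ip_address("10.10.10.1")


@dataclass(frozen=True)
class Ace:
    """One access-list entry. dst=None models a standard ACL, which
    matches on the source address only; an extended entry matches both."""
    action: str                                   # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network] = None


def acl_permits(acl: List[Ace], src, dst) -> bool:
    """First matching entry wins; no match falls into IOS's implicit deny."""
    for ace in acl:
        if src in ace.src and (ace.dst is None or dst in ace.dst):
            return ace.action == "permit"
    return False


def forwarded(src, dst, in_acl=None, out_acl=None, from_switch=False) -> bool:
    """Does a packet src->dst get past the ACLs bound to the Vlan 13 SVI?
    * 'in'  is checked on packets arriving from hosts in Vlan 13,
    * 'out' is checked on packets the switch forwards toward Vlan 13 hosts,
    * packets the switch itself originates (from_switch=True) are never
      checked by an outbound ACL,
    * packets addressed to the SVI itself are not forwarded out of the
      VLAN, so the outbound ACL does not see them either."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in VLAN13 and not from_switch and in_acl is not None:
        if not acl_permits(in_acl, src, dst):
            return False
    if dst in VLAN13 and dst != SVI13 and not from_switch and out_acl is not None:
        if not acl_permits(out_acl, src, dst):
            return False
    return True


# Original post: 'access-list 13 permit 20.20.20.0 0.0.0.31', bound with
# 'ip access-group 13 out' and nothing inbound.
OP_OUT = [Ace("permit", VLAN12)]

# The reply's extended ACL pair: inbound permits only traffic for Vlan 12,
# outbound permits only traffic from Vlan 12, then 'deny ip any any'.
PAUL_IN = [Ace("permit", ANY, VLAN12), Ace("deny", ANY, ANY)]
PAUL_OUT = [Ace("permit", VLAN12, ANY), Ace("deny", ANY, ANY)]


def op_config(src, dst, from_switch=False) -> bool:
    return forwarded(src, dst, out_acl=OP_OUT, from_switch=from_switch)


def paul_config(src, dst, from_switch=False) -> bool:
    return forwarded(src, dst, in_acl=PAUL_IN, out_acl=PAUL_OUT,
                     from_switch=from_switch)


FLOWS = [  # (description, src, dst, originated by the switch?)
    ("switch: ping 10.10.10.3 source Vlan 4", "30.30.30.1", "10.10.10.3", True),
    ("outside host -> Vlan 13 SVI address", "172.16.0.9", "10.10.10.1", False),
    ("outside host -> Vlan 13 host", "172.16.0.9", "10.10.10.3", False),
    ("Vlan 4 host -> Vlan 13 host", "30.30.30.5", "10.10.10.3", False),
    ("Vlan 13 host -> Vlan 4 host (echo)", "10.10.10.3", "30.30.30.5", False),
    ("Vlan 13 host -> Vlan 4 SVI (echo-reply)", "10.10.10.3", "30.30.30.1", False),
    ("Vlan 12 host -> Vlan 13 host", "20.20.20.7", "10.10.10.3", False),
    ("Vlan 13 host -> Vlan 12 host", "10.10.10.3", "20.20.20.7", False),
]


def compare():
    """Return {description: (outbound-only result, in+out result)} per flow."""
    return {d: (op_config(s, t, f), paul_config(s, t, f)) for d, s, t, f in FLOWS}


if __name__ == "__main__":
    print(f"{'flow':42} {'out-only std ACL':>17} {'in+out ext ACLs':>16}")
    for desc, (op, paul) in compare().items():
        print(f"{desc:42} {str(op):>17} {str(paul):>16}")
```

Running it reproduces the observations in the question: the switch-sourced ping and the ping to 10.10.10.1 succeed under both configurations, a host in Vlan 4 or outside cannot reach 10.10.10.3, but with nothing bound inbound a host in Vlan 13 can still send to Vlan 4 (only the reply is dropped), which is the one-way leak the inbound ACL closes. Switch-originated traffic still bypasses the outbound ACL under both configurations, so a locally sourced ping is not a test of the filter.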
I have suggested a VLAN access map. Please review it.

Regards.

What is the operational advantage of doing this?

Well, it is handled by the L2 engine, which definitely makes the process faster compared to the L3 engine.

Regards.

Hello

VACLs are ONLY applicable within their own VLAN, not between VLANs.

Hence why I suggested an SVI ACL.

res

Paul
 

Hi,

I would like to differ with you on this. VACLs are used to filter the traffic between different VLANs.

We are using VACLs in our network to a large extent and facing no issues at all.

You can use traditional ACLs and apply them under the SVI on an L3 switch as well.

So basically it's a matter of choice according to your company network policy.

Regards.

 

Hello

I didn't mean to suggest that VACLs are not applicable in this case, as traffic needs to be prohibited in/out of one VLAN.

Maybe I should have explained myself a little better. What I meant was, when filtering between different subnets, RACLs are primarily used on routers or L3 switches.

However if I wanted to deny a certain host to host communication in the same vlan, then I could use a VACL to accomplish this.



RACL (L3) - can be applied on any routed interface (in this case the SVI of vlan 30, defining in/out traffic):

ip access-list extended VLAN13in-out
 permit ip any 20.20.20.0 0.0.0.31
 deny ip any any log
!
ip access-list extended VLAN13out-in
 permit ip 20.20.20.0 0.0.0.31 any
 deny ip any any log
!
int Vlan 13
 ip access-group VLAN13in-out in
 ip access-group VLAN13out-in out




VACL - isn't applied to any interface:

ip access-list extended AllowV20
 remark allows communication within vlan 30
 permit ip 30.30.30.0 0.0.0.255 30.30.30.0 0.0.0.255
 permit ip 30.30.30.0 0.0.0.255 20.20.20.0 0.0.0.255
 permit ip 20.20.20.0 0.0.0.255 30.30.30.0 0.0.0.255
!
vlan access-map vlan30-20 10
 action forward
 match ip address AllowV20
!
vlan access-map vlan30-20 99
 action drop
!
vlan filter vlan30-20 vlan-list 30

 

If I wanted to deny telnet on all VLANs, then again a VACL would be applicable, as a RACL would need to be applied on each SVI or routed interface.

ip access-list extended notelnet_acl
 permit tcp any any eq telnet
!
vlan access-map notelnet 10
 action drop
 match ip address notelnet_acl
!
vlan access-map notelnet 99
 action forward
!
vlan filter notelnet vlan-list 20 30

 

I hope I have made my explanation a bit clearer!

 

res

Paul

 

 

 

Hi,

Paul has suggested one way of doing this. I will use a VACL on the L3 switch.

It goes like this:

Say the VLAN 12 subnet is x.x.x.x/24 and the VLAN 13 subnet is y.y.y.y/24.

 

ip access-list standard Allow12To13
 remark standard ACL: matches on the source address only
 permit x.x.x.x 0.0.0.255
 permit y.y.y.y 0.0.0.255
!
ip access-list standard DenyAllTo13
 permit any
!
vlan access-map Allow12To13Only 10
 match ip address Allow12To13
 action forward
!
vlan access-map Allow12To13Only 20
 match ip address DenyAllTo13
 action drop
!
vlan filter Allow12To13Only vlan-list 13

 

Now traffic coming in on VLAN 13 will be filtered and matched against the access map, and only the subnet belonging to VLAN 12 will be allowed.

Please feel free to post any queries about this.

Regards.
