ACL between 2 vlans

ronshuster
Level 1

I am looking to create a secure VLAN where only specific VLANs (or hosts) can access it on a given port. For example:

int vlan10
ip address 192.168.1.1 255.255.255.0

And only the following can access it:

192.168.20.0/24 port 3389

192.168.30.0/24 port 22, 25, 80

vlan10 should be able to access the above segments as well.

Is this correct:

access-list 100 permit tcp 192.168.20.0 255.255.255.0 any eq 3389
access-list 100 permit tcp 192.168.30.0 255.255.255.0 any eq 22
access-list 100 permit tcp 192.168.30.0 255.255.255.0 any eq 25
access-list 100 permit tcp 192.168.30.0 255.255.255.0 any eq 80

int vlan10
ip address 192.168.1.1 255.255.255.0
access-group in 100
access-group out 100

Question:

access-group in 100 means that all traffic that meets the ACL 100 condition is permitted inbound to the VLAN, is that correct? And access-group out 100 means that ACL 100 is permitted outbound, is that correct?

Any examples online?

adamclarkuk_2
Level 4

Inbound is traffic coming from a host within the VLAN to the SVI, and outbound means traffic from other networks entering your VLAN.

Take your SVI 10 as an example:

interface Vlan10
ip address 192.168.1.1 255.255.255.0
ip access-group vlantest in

ip access-list extended vlantest
permit icmp 192.168.1.0 0.0.0.255 any

You can see that this ACL has been applied inbound, and when I ping from host 192.168.1.2 to any other IP address (172.16.0.1 in this case) you will see the hit count going up as below:

R0#sh ip access-lists
Extended IP access list vlantest
10 permit icmp 192.168.1.0 0.0.0.255 any (15 matches)

Hope that helps

Giuseppe Larosa
Hall of Fame

Hello Roni,

You cannot apply the same extended ACL in both directions; one of the two will block all traffic.

Usually, the ACL can be thought of as inbound on the secure VLAN.

The following is an example.

Notice that the TCP ports in a socket are different.

So first of all we need to understand where the well-known port is.

The servers are in the secure VLAN, so the TCP well-known port is in the source position, just after the source portion of the ACL line:

access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 3389 192.168.20.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 22 192.168.20.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 25 192.168.20.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 80 192.168.20.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 3389 192.168.30.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 22 192.168.30.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 25 192.168.30.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 80 192.168.30.0 0.0.0.255

You may want to permit other traffic like ICMP.

At the end you apply the ACL inbound on VLAN 10, and only inbound:

int vlan 10
access-group 131 in

If you examine a TCP socket it is something like:

192.168.1.100:80 --- 192.168.20.33:3023
(well known)         (dynamic)

In one direction the traffic has:

source 192.168.20.33, dest 192.168.1.100

The TCP header has the ports, which follow the position of the addresses.

For this reason the same extended ACL cannot match in both directions unless it contains double the lines, with the socket inverted.

Hope to help

Giuseppe
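To make the port-position point concrete, here is an added Python evaluator (not from this thread or from any Cisco tool) that parses two of the ACL 131 lines above and tests the socket from the post in both directions. It models only the numbered extended ACL syntax used here: `any` or `address wildcard` for each side, an optional `eq` port after each, first match wins, implicit deny at the end.

```python
import ipaddress

def wildcard_to_network(addr, wildcard):
    # Cisco wildcard: 0 bits must match, 1 bits are "don't care" (the inverse of a netmask)
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def _addr(t, i):
    # address spec is either "any" or "A.B.C.D wildcard" (the forms used in this thread)
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    return wildcard_to_network(t[i], t[i + 1]), i + 2

def _port(t, i):
    # optional "eq N" directly after an address spec; only "eq" is modelled
    return (int(t[i + 1]), i + 2) if i < len(t) and t[i] == "eq" else (None, i)

def parse_acl(text):
    """Parse 'access-list N permit|deny proto SRC [eq p] DST [eq p]' lines into tuples."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        entries.append((t[2], t[3], src, sport, dst, dport))
    return entries

def evaluate(entries, proto, src_ip, sport, dst_ip, dport):
    """First matching line wins; no match falls through to the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, p, src, sp, dst, dp in entries:
        if p in (proto, "ip") and s in src and d in dst and sp in (None, sport) and dp in (None, dport):
            return action == "permit"
    return False

# Constructed sample: two of the ACL 131 lines from the thread (vlan 10 servers are the source)
ACL_131 = parse_acl("""
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 80 192.168.20.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 3389 192.168.20.0 0.0.0.255
""")

def server_reply_permitted():  # 192.168.1.100:80 -> 192.168.20.33:3023, inbound on the vlan 10 SVI
    return evaluate(ACL_131, "tcp", "192.168.1.100", 80, "192.168.20.33", 3023)

def client_syn_permitted():  # the same socket reversed: what this ACL sees if applied outbound too
    return evaluate(ACL_131, "tcp", "192.168.20.33", 3023, "192.168.1.100", 80)
```

The server's reply is permitted inbound on the SVI, while the reversed packet matches nothing, which is why the same list applied outbound would drop every client connection.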

Giuseppe, thanks for the feedback, this helps a lot!

So based on the access-group you defined, i.e.:

int vlan 10
access-group 131 in

this means that 192.168.1.0 0.0.0.255 can only access the destination IPs based on the ACL (one way), so outgoing traffic is permitted on vlan10 based on the ACL condition. Is that correct?

But what would be the behavior of traffic from the VLANs (192.168.20.0 & 192.168.30.0) to vlan10? As far as I see based on the access-group, it is all permitted, is that right?

If traffic from 192.168.20.0 & 192.168.30.0 should be restricted to vlan10, is there a need for another set of ACL and apply it to vlan10 access-group out?

Hello Ron,

No strict need of a second ACL, because successful communication requires bidirectional connectivity.

To make an example, an ICMP packet can reach server 192.168.10.100 even with an arbitrary source, but the answer is filtered by inbound ACL 131.

I understand that for better security it can help to have also an outbound ACL.

But if an outbound ACL is felt to be needed, it has to be different from the ACL applied inbound, as I explained in my first post.

Hope to help

Giuseppe

What I'm saying is that none of the internal VLANs (192.168.20, 30) should be able to access the secure VLAN (192.168.1.1), given it's a secure VLAN. That secure VLAN should only be able to access specific VLANs, but no internal VLANs should be able to initiate traffic to it. How does that change your answer?
