5372 Views, 5 Helpful, 4 Replies

Allow only one-way communication between two VLANs

srikanth ath
Level 4

Hi all experts

I have two VLANs where I should allow one-way communication, not two-way. How do I accomplish this?

vlan 99------------------->vlan 50 (10.10.18.0/24)   allow

vlan 99 < ---xxxxxxxx---vlan 50    shouldn't allow.

1. vlan 99 ----10.10.10.180 -----should communicate with ------------vlan 50 all subnet (10.10.18.0/24)

2. vlan 50 -----10.10.18.0/24 ----shouldn't communicate with ------vlan 99's IP 10.10.10.180

Here is a sample I have done but couldn't succeed with. This isn't the correct config, I believe, as I could ping from any source in one VLAN (10.10.18.0/24) to the other VLAN 99 (10.10.10.180):

interface Vlan50
 description vlan for isolatedServers
 ip address 10.10.18.1 255.255.255.0
 ip access-group vlan-50 in
 ip access-group ONEserver-ACL out

ip access-list extended ONEserver-ACL
 permit ip host 10.10.10.180 10.10.18.0 0.0.0.255

ip access-list extended vlan-50
 permit ip 10.10.18.0 0.0.0.255 host 10.10.11.14
 deny ip 10.10.18.0 0.0.0.255 host 10.10.10.180
 deny ip any any

thanks & regards

srikanth

1 Accepted Solution: the first reply from cadet alain, below.

4 Replies

cadet alain
VIP Alumni

Hi,

Except for TCP, where you could do an ACL looking for the SYN flag, there is no way to accomplish this with a simple ACL.

You'll have to use a stateful firewall (either a router with CBAC or ZBF, or an ASA).

Regards.

Alain

Don't forget to rate helpful posts.

Thanks Alain,

but can you explain to me how this is not possible?

For my understanding:

if we ping from 10.10.10.180 to 10.10.18.19,

first, source: 10.10.10.180

dest: 10.10.18.19

and after hitting the destination, to reach the source address it will alter to

source: 10.10.18.19

destination: 10.10.10.180 (where the ACL here at the SVI says: if source is 10.10.18.0/24 and destination is 10.10.10.180, drop)

so the packet is dropped.

This is what is happening, right?

And how is this achieved in a firewall? We have a firewall (ASA 5510); how can this be accomplished?

regards

srikanth

Hi,

but can you explain to me how this is not possible?

for my understanding

IP communication is bidirectional.

we have a firewall (ASA 5510); how can this be accomplished?

An ASA will make this possible by permitting only traffic from a high security level interface to a low security level interface, but it will block traffic from a low security level going to a high security level unless you apply an ACL to permit such traffic.

As it is stateful, it will let replies to traffic coming from high to low pass through the low security level interface.

You will have to inspect ICMP in the global policy to achieve this, or configure an ACL letting ICMP replies go from low to high.

So in your case you could put VLAN 99 on a high security level interface and VLAN 50 on a lower security level interface.

Regards.

Alain

Don't forget to rate helpful posts.
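Added example, not a configuration from either poster: an ASA 5510 layout along the lines Alain describes, with VLAN 99 on a security-level-100 interface and VLAN 50 on a security-level-50 interface, keeping the 10.10.11.14 exception from the original vlan-50 ACL. The sub-interface names and the ASA's own addresses (10.10.10.1 and 10.10.18.1) are assumptions.

```cisco
! Assumed layout (not from the thread): both VLANs arrive on a trunk at
! Ethernet0/1 and the ASA is the default gateway of both subnets.
interface Ethernet0/1
 no nameif
 no shutdown

interface Ethernet0/1.99
 vlan 99
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0

interface Ethernet0/1.50
 vlan 50
 nameif servers
 security-level 50
 ip address 10.10.18.1 255.255.255.0

! inside (100) -> servers (50): only 10.10.10.180 may open sessions to
! VLAN 50. The rest of VLAN 99 is kept off that subnet but otherwise
! left as it was (the trailing permit keeps the interface's default).
access-list INSIDE_IN extended permit ip host 10.10.10.180 10.10.18.0 255.255.255.0
access-list INSIDE_IN extended deny ip 10.10.10.0 255.255.255.0 10.10.18.0 255.255.255.0
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside

! servers (50) -> inside (100): low-to-high is denied by default, and an
! inbound ACL on this interface carries its own implicit deny. The only
! session VLAN 50 may initiate is to 10.10.11.14, as in the original ACL.
! 10.10.18.0/24 can never initiate to 10.10.10.180; replies to sessions
! that 10.10.10.180 opened are matched in the state table and pass anyway.
access-list SERVERS_IN extended permit ip 10.10.18.0 255.255.255.0 host 10.10.11.14
access-group SERVERS_IN in interface servers

! ICMP has no state on the ASA unless it is inspected: without this line an
! echo-reply from VLAN 50 would hit SERVERS_IN and be dropped even when
! 10.10.10.180 sent the echo. global_policy is already applied globally by
! default, so only the inspect line is added.
policy-map global_policy
 class inspection_default
  inspect icmp
```

With this in place, a ping or TCP connection from 10.10.10.180 into 10.10.18.0/24 completes, while a ping or connection started from 10.10.18.0/24 towards 10.10.10.180 is dropped on the servers interface.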

Edwin Summers
Level 3

Srikanth,

Just so I understand correctly, can you clarify your intent regarding "one way communication"?

1) Are you trying to achieve a truly one-way path so that traffic can enter vlan 50, but NOT exit (maybe you have a network sniffer on vlan 50 that does not need to communicate back)?

or

2) Do you have servers on vlan 50 that should only ACCEPT incoming connections, but NOT be allowed to initiate connections back to vlan 99? (Not really one-way, as there is still return traffic.)

Based on your ping example it seems that you might be trying to achieve truly one-way (by your example of dropping the ping return traffic), but I want to be sure I understand you correctly.

Thanks!

Ed
