
New Member

Assigning Ingress/Egress ACL to Vlan

I am trying to assign an ACL to a management VLAN so that no traffic can traverse between the managed and management networks.  This is the configuration that I used.

access-list 100 deny   ip any 10.255.255.0 0.0.0.255 log
access-list 101 deny   ip 10.255.255.0 0.0.0.255 any log

interface Vlan30
description Management VLAN
ip address 10.255.255.1 255.255.255.0
ip access-group 100 in
ip access-group 101 out
no ip redirects
no ip unreachables
no ip proxy-arp

12 REPLIES

Re: Assigning Ingress/Egress ACL to Vlan

Hi,

If you apply those ACLs, no IP traffic at all will traverse the interface because there's an implicit deny everything else at the end of the ACL.

If you implement an ACL, there must be a permit statement, otherwise ALL traffic is denied.

Federico.

New Member

Re: Assigning Ingress/Egress ACL to Vlan

Ok, that makes sense.  So how do you create an Ingress/Egress filter for a management VLAN?  Mainly I am strictly concerned with not allowing any traffic whatsoever to be routed by the 3750 to or from the management network.  I want it completely isolated.  Thanks for the help in this.

Re: Assigning Ingress/Egress ACL to Vlan

You need to define in the ACLs what the management VLAN should have access to.

After permitting that traffic, apply the deny statements that you posted before.

i.e.

If the management VLAN needs access to host x.x.x.x

then, the ACL should have a ''permit'' statement as the first entry, and everything not specified in the ACL will be denied (by the implicit rule).

Federico.

New Member

Re: Assigning Ingress/Egress ACL to Vlan

I don't think I explained this correctly.  I'm using the 3750 as a default gateway for several networks before bringing them into a firewall to get connectivity to the WAN.  I have enabled ip routing on the switch.  What I am trying to do is allow all of the equipment on the management vlan to talk and not allow them to get routed nor allow anything from the other vlans to get inside of it.  So do I have to permit 10.255.255.0 traffic to talk to 10.255.255.0 traffic and then deny everything else?  Thanks for your patience.

Re: Assigning Ingress/Egress ACL to Vlan

Ok,
The 3750 is the default gateway for some networks (doing IP routing).
The management VLAN is 10.255.255.0/24

If you do the following:

access-list 100 deny   ip any 10.255.255.0 0.0.0.255 log
access-list 101 deny   ip 10.255.255.0 0.0.0.255 any log

interface Vlan30
description Management VLAN
ip address 10.255.255.1 255.255.255.0
ip access-group 100 in
ip access-group 101 out

What is going to happen is that no traffic can get into or out of the management VLAN.
In other words, the 10.255.255.x hosts will not be able to send traffic out of the management VLAN
and will not be able to receive traffic from outside the management VLAN.
Communication inside the management VLAN will not be affected by the ACL.


Is this the behavior that you want?

Federico.
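To make the two points above concrete (an ACL with only deny entries denies everything because of the implicit deny, and the fix is to permit the needed traffic first), here is a small first-match evaluator for the extended "ip" ACEs used in this thread. It is an added example, not code from the thread or from Cisco; 10.1.1.10 is a constructed stand-in for the "x.x.x.x" host mentioned earlier, and the evaluator handles only the ACE shapes seen on this page.

```python
import ipaddress

def _matches(addr: str, spec: str) -> bool:
    """spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD' (IOS wildcard mask)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    net, wild = spec.split()
    # In a wildcard mask a 0 bit must match, a 1 bit is "don't care".
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)

def _take_spec(toks: list[str], i: int) -> tuple[str, int]:
    """Consume one address spec starting at toks[i]; return (spec, next index)."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return f"host {toks[i + 1]}", i + 2
    return f"{toks[i]} {toks[i + 1]}", i + 2

def parse_ace(line: str) -> tuple[str, str, str]:
    """'access-list N permit|deny ip SRC DST [log]' -> (action, src, dst)."""
    toks = line.split()
    action = toks[2]
    src, i = _take_spec(toks, 4)          # toks[3] is the protocol ('ip')
    dst, _ = _take_spec(toks, i)
    return action, src, dst

def evaluate(acl: list[str], src: str, dst: str) -> tuple[str, str]:
    """First matching ACE wins; no match falls through to the implicit 'deny any any'."""
    for line in acl:
        action, s, d = parse_ace(line)
        if _matches(src, s) and _matches(dst, d):
            return action, line
    return "deny", "implicit deny (end of ACL)"

# The ACL from the thread, applied 'in' on Vlan30: deny-only, so every packet is denied.
ACL_AS_POSTED = ["access-list 100 deny   ip any 10.255.255.0 0.0.0.255 log"]
# Permit what management needs first, then deny the rest (10.1.1.10 is a constructed sample host).
ACL_FIXED = [
    "access-list 100 permit ip 10.255.255.0 0.0.0.255 host 10.1.1.10",
    "access-list 100 deny   ip 10.255.255.0 0.0.0.255 any log",
]

if __name__ == "__main__":
    for acl in (ACL_AS_POSTED, ACL_FIXED):
        for dst in ("10.1.1.10", "4.2.2.2"):
            print(dst, evaluate(acl, "10.255.255.2", dst))
```

The evaluator only models the ACL lookup itself; as the rest of the thread shows, the ACL is never consulted if the host's default gateway is not the SVI the ACL is applied to.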

New Member

Re: Assigning Ingress/Egress ACL to Vlan

Yes, absolutely.  Unfortunately it is not working.  I have a test workstation on the management network and it is having no problem with getting out to the internet.

Re: Assigning Ingress/Egress ACL to Vlan

Charles,

Remove your ACLs and just leave this configuration:

access-list 100 deny ip 10.255.255.0 0.0.0.255 any log

int vlan 30
ip access-group 100 in

Then, check if you can get to the Internet from the management workstation.

(if you still can, let me know the IP of the PC).

Federico.

New Member

Re: Assigning Ingress/Egress ACL to Vlan

Yeah, it's still working unfortunately.  The ip address of the computer is 10.255.255.2/24.

Re: Assigning Ingress/Egress ACL to Vlan

So, you have an ACL denying the traffic under VLAN 30 and traffic is still flowing...
This is the only path the traffic has to get out correct?
Can you make sure the packets are indeed going through Interface VLAN 30?

access-list 105 permit ip host 10.255.255.2 any
inter vlan 30
ip access-group 105 in

Then, when you send traffic again, you should see the hit count on this ACE incrementing every time,
just to make sure traffic is going through.

Federico.

New Member

Re: Assigning Ingress/Egress ACL to Vlan

I got only one hit from hitting multiple different websites.  That doesn't make much sense.  The workstation is directly connected to the 3750 and the port is configured for vlan 30.  It just doesn't make sense that the traffic is still flowing.

Re: Assigning Ingress/Egress ACL to Vlan

If it's a Windows machine, do a traceroute to verify the path that it is taking.

i.e.

tracert 4.2.2.2

Federico.

New Member

Re: Assigning Ingress/Egress ACL to Vlan

Thanks a lot for your help.  I had the default gateway on the computer set to the firewall, which is also connected to the management network.  I hadn't turned off the routing for that port yet due to testing, so I ran into a couple of problems at the same time.  Thanks again.
