New Member

Block traffic between two vlans on a Cat3560C + Internet Access

Hi,

I have a Cisco C3560CG which is running C3560c405ex-UNIVERSALK9-M, Version 12.2(55)EX2.

The switch has vlan 1 and vlan 50 configured; vlan 50 should have access to a limited number of hosts in vlan 1.

The following ACL has been applied inbound to vlan 50:

10 permit tcp 10.16.30.0 0.0.0.255 host 192.168.15.243 eq 137 138 139 445
20 permit udp 10.16.30.0 0.0.0.255 host 192.168.15.243 eq netbios-ns netbios-dgm netbios-ss 445
25 permit icmp 10.16.30.0 0.0.0.255 host 192.168.1.243
26 permit ip 10.16.30.0 0.0.0.255 host 10.16.30.254
30 permit ip 10.16.30.0 0.0.0.255 host 192.168.15.254
40 deny ip 10.16.30.0 0.0.0.255 192.168.15.0 0.0.0.255
50 permit udp any any eq bootps
60 permit udp any any eq bootpc
70 permit udp 10.16.30.0 0.0.0.255 any eq domain
80 permit tcp 10.16.30.0 0.0.0.255 any eq domain
90 permit tcp 10.16.30.0 0.0.0.255 any eq www
95 permit tcp 10.16.30.0 0.0.0.255 any eq 443
100 permit icmp 10.16.30.0 0.0.0.255 any

I'm sure the above would work, but for some reason some of the packet counters are not incrementing, even though the traffic is being blocked. I would like to see the counters increment.

Also I have heard that I may need to use a VACL; would this be the case?

Thanks


26 REPLIES
Hall of Fame Super Bronze

Block traffic between two vlans on a Cat3560C

ACL counters are software based and the switch processes these entries in hardware.

You mentioned traffic is being blocked; that indicates the ACL is doing its job.

New Member

Block traffic between two vlans on a Cat3560C

Thanks Edison,

Therefore, if I append the log cmd at the end of each access-list entry, would this force processing to the hardware and therefore increment the counters?

Are L3 ACLs best used here, or would I use a VACL? Is there any reason for this?

Thanks

New Member

Re: Block traffic between two vlans on a Cat3560C

I also noticed this morning that, even though the access-list is applied, traffic from the Internet is still able to come into the vlan.

My understanding was that at the end of an ACL there is an explicit deny?


VIP Purple

Re: Block traffic between two vlans on a Cat3560C

Hi John,

Yes, we can do this with the help of an ACL.

Just as an example: block traffic between vlan 5 and vlan 8

ip access-list extended testacl
 deny ip 10.58.5.0 0.0.0.255 10.58.8.0 0.0.0.255
 permit ip any any

and to apply the ACL, I used the following:

interface vlan 5
 ip access-group testacl in

Regards

Please rate if it helps.

New Member

Re: Block traffic between two vlans on a Cat3560C

Thanks, I guess you would apply this acl inbound.

But with the acl above which I have used there is a firewall which is vlan 1 and has a static route pointing toward the switch which has vlan 15 connected. The access list should block all internet traffic as there is no acl to permit this. But I can still access the internet?

Re: Block traffic between two vlans on a Cat3560C

Hi John,

ACLs in switches/routers will not have an explicit deny at the end like the firewall. You have to specify it, else it will go through, as far as I know.

You can put a VACL to achieve what you are looking for. You can permit the specific IPs that need to access the other VLANs and deny the rest of the traffic that goes through to the other VLAN. Let's say:

10.16.30.0 - VLAN 50
192.168.15.0 - VLAN 1

So if you want only the host 10.16.30.100 to communicate with vlan 1, then you can put it like this:

10 permit ip host 10.16.30.100 192.168.15.0 0.0.0.255
20 deny ip 10.16.30.0 0.0.0.255 192.168.15.0 0.0.0.255
30 permit ip any any
!

So it will allow only access to 192.168.15.0 (vlan 1) from the host 10.16.30.100 in vlan 50; all other traffic from vlan 50 to vlan 1 will be denied and all other traffic will be permitted.

Please do rate if the given information helps.

By

Karthik

New Member

Re: Block traffic between two vlans on a Cat3560C

Hi Karthikeyan,

I'm sure the basics of Cisco ACLs from my CCNA days were that every ACL has an explicit deny at the end; do you have any papers where it says otherwise, as this is a big problem?

I understand I could use a VACL, but I don't really want to change the entire network to VACLs if I can use ACLs.

My initial concern was that the ACL had no hit counters; I therefore applied the log cmd at the end so it would need to be processed by the software.

But with the above ACL I have used, I still seem to have traffic from the internet, which is passed down by the firewall, entering the vlan? I mean the firewall is on a native vlan which just has static routes to the L3 switch which holds both vlans.

Cisco Employee

Re: Block traffic between two vlans on a Cat3560C

Hello John,

Every ACL has an implicit (i.e. invisible but still present) deny any at its end, regardless of whether it is an ACL defined on switches or on routers. In other words, what is not allowed explicitly (i.e. by a manually entered ACL entry). Karthik was somewhat unclear in what he wrote: he indicated that no ACLs have explicit (i.e. visible) deny statements automatically added in their end, which is correct. However, he also suggested that it is the reason why the traffic will go through, and this is incorrect.

However, your ACL should indeed not allow traffic other than what is explicitly permitted. How do you know that internet traffic is passing into your VLAN? Is it possible that the internet traffic is already being permitted by some ACL entries? Remember that it may be translated into private IP address space, and you have several entries in your ACL permitting selected privately addressed IP traffic.

Best regards,

Peter

New Member

Re: Block traffic between two vlans on a Cat3560C

Hi Peter,

Thank you for the above.

The setup I have is one asa5505 which has the following ip:

Inside:192.168.15.253

WAN: XXX.XXX.XXX.XXX

Both subnets are allowed to be NATted towards the internet.

There is a static route saying that if the 10 subnet needs to be reached, packets are pushed toward the L3 switch:

route inside 10.16.30.0/24 pointing towards 192.168.15.254

The L3 Switch then has the following IP address:

Vlan 1 IP: 192.168.15.254

Vlan 50 IP: 10.16.30.254

Default route pointing toward the firewall IP 192.168.15.253.

The access-list is applied inbound to vlan 50.

As I don't have permit ip any any at the end of the ACL, my understanding is that when a workstation on vlan 50 wants to access the internet, its src will be a 10 range IP and the dest will be www.cisco.com. Therefore the 1st packet will get out to the internet but, when the firewall sends the packet back, the packet should reach the L3 switch and, before any packets enter (inbound acl) into vlan 50, it should go through the ACL and be blocked. At this moment the src would be www.cisco.com and the dest would be the workstation on vlan 50.

On my ACL I don't have an entry which permits src any dest vlan 50. Unless, as the ACL 1st allowed the packet, it will therefore also allow the return packet through. But I'm sure this is highly unlikely.

This is really strange unless I'm missing something; it's almost like the ACLs aren't really coming into action.

Cisco Employee

Re: Block traffic between two vlans on a Cat3560C

Hi John,

before any packets entering (inbound acl) into vlan 50 it should go though the acl and be blocked.

You are probably confusing the ACL directions.

Remember that the interface VLAN is a virtual interface of the "router" inside your multilayer switch. Traffic inbound to interface VLAN 50 is the traffic that originated or traverses VLAN 50 and is going to be routed elsewhere. Traffic outbound to interface VLAN 50 is the traffic that came from other VLANs and is sent into VLAN 50. Does this make sense?

Following this logic, your ACL placed on interface VLAN 50 in the inbound direction controls the traffic that actually exits the VLAN 50 and goes out to the internet. The return traffic from internet towards VLAN 50 is outbound from interface VLAN 50, and you have no ACL in the outbound direction to filter the communication with internet.

Best regards,

Peter

New Member

Re: Block traffic between two vlans on a Cat3560C

Hi Peter,

Remember that the interface VLAN is a virtual interface of the "router" inside your multilayer switch. Traffic inbound to interface VLAN 50 is the traffic that originated or traverses VLAN 50 and is going to be routed elsewhere.

Understood, traffic being routed to another vlan i.e. vlan 1 or being pushed towards the default gateway.

Traffic outbound to interface VLAN 50 is the traffic that came from other VLANs and is sent into VLAN 50. Does this make sense?

See, I see this as traffic inbound because traffic is sent into vlan 50, but this time the traffic did not originate on vlan 50; is this what you're trying to say?

My understanding of inbound is when traffic enters an interface from the outside and outbound is when traffic leaves an interface. With this in mind, the ACL should be checked as the traffic from the internet enters into vlan 50 from vlan 1.

Please correct me if I'm wrong, I really appreciate your help.

Cisco Employee

Re: Block traffic between two vlans on a Cat3560C

Hi John,

See, I see this as traffic inbound because traffic is sent into vlan 50, but this time the traffic did not originate on vlan 50, is this what you're trying to mean?

I am sorry - I do not understand this question. Perhaps you could rephrase it differently.

My understanding of inbound is when traffic enters an interface which is from the outside and outbound is when traffic leaves an interface.

This seems to be correct. For VLAN 50, traffic that was sent by stations in VLAN 50 and addressed to destinations in a different network is inbound to interface VLAN 50. The traffic flowing in the opposite direction (e.g. the responses to requests sent from within VLAN 50) is outbound from interface VLAN 50.

With this in mind, the acl should be checked and the traffic from the internet enters into vlan 50 from from vlan 1.

Well, if internet traffic comes into interface VLAN 1 and is routed out interface VLAN 50, it is inbound to interface VLAN 1 and outbound from interface VLAN 50, right? You have yourself indicated that your ACL is placed in the inbound direction on the interface VLAN 50. That means that it filters requests going to internet but it does not apply to flows from the internet back to VLAN 50. And because your ACL contains lines as

70 permit udp 10.16.30.0 0.0.0.255 any eq domain
80 permit tcp 10.16.30.0 0.0.0.255 any eq domain
90 permit tcp 10.16.30.0 0.0.0.255 any eq www
95 permit tcp 10.16.30.0 0.0.0.255 any eq 443
100 permit icmp 10.16.30.0 0.0.0.255 any

the VLAN 50 can access the DNS, HTTP and HTTPS services anywhere on the internet. Responses from these services are not filtered because there is no outbound ACL on interface VLAN 50.

Best regards,

Peter

New Member

Re: Block traffic between two vlans on a Cat3560C

My understanding of inbound is when traffic enters an interface which is from the outside and outbound is when traffic leaves an interface.

This seems to be correct. For VLAN 50, traffic that was sent by stations in VLAN 50 and addressed to destinations in a different network is inbound to interface VLAN 50. The traffic flowing in the opposite direction (e.g. the responses to requests sent from within VLAN 50) is outbound from interface VLAN 50.

With this in mind, the ACL should be checked as the traffic from the internet enters into vlan 50 from vlan 1.

Well, if internet traffic comes into interface VLAN 1 and is AA* routed out interface VLAN 50, it is inbound to interface VLAN 1 and AB* outbound from interface VLAN 50, right? You have yourself indicated that your ACL is placed in the inbound direction on the interface VLAN 50. That means that it filters requests going to internet but it does not apply to flows from the internet back to VLAN 50. And because your ACL contains lines as

70 permit udp 10.16.30.0 0.0.0.255 any eq domain
80 permit tcp 10.16.30.0 0.0.0.255 any eq domain
90 permit tcp 10.16.30.0 0.0.0.255 any eq www
95 permit tcp 10.16.30.0 0.0.0.255 any eq 443
100 permit icmp 10.16.30.0 0.0.0.255 any

the VLAN 50 can access the DNS, HTTP and HTTPS services anywhere on the internet. Responses from these services are not filtered because there is no outbound ACL on interface VLAN 50.

Best regards,

Peter

Hi Peter,

I have made marks on your text and replied:

AA* When I read your reply at the point of AA* traffic enters VLAN 50 from VLAN 1 therefore as the acl in inbound it should apply.

AB* I would see this as inbound to vlan 1 and then when routed also inbound to vlan 50 and then outbound to vlan 50.

My concern is that at the point when the packets are being routed the ACL should apply. I think that when the routing takes place, as the packet is already within the router/switch, the ACL does not apply, whereas I think it should do when the switch looks at the routing table and pushes each packet to vlan 50. I guess I need to think of the ACL as being applied to a physical/sub interface, not an SVI, which is maybe where I'm going wrong. If I place myself right in the middle of the switch then your reply becomes true.

Would you agree with the above?

Cisco Employee (accepted solution)

Re: Block traffic between two vlans on a Cat3560C

Hi John,

AA* When I read your reply at the point of AA* traffic enters VLAN 50 from VLAN 1 therefore as the acl in inbound it should apply.

No, this is incorrect. Do not think in terms of "traffic being sent into VLAN 50". This is one of the most common mistakes people make when trying to understand multilayer switching, SVIs and ACL directions. Think in terms of interfaces. Traffic is inbound to an interface if it is being received by that interface. Traffic is outbound from an interface if it is being sent out that interface.

As to your network: You have interface VLAN 1 that is the first one that receives traffic from the internet destined to some other VLAN, so the traffic is inbound on this interface. Afterwards, the switch determines that the destination is reachable in VLAN 50 and sends the traffic out the interface VLAN 50, consulting the outbound ACL if there is any. Even though this traffic, from the viewpoint of the entire VLAN 50, enters this VLAN, it is nonetheless sent out the interface VLAN 50. Do not let yourself be confused here - traffic entering VLAN 50 is outbound from interface VLAN 50!

AB* I would see this as inbound to vlan 1 and then when routed also inbound to vlan 50 and then outbound to vlan 50.

Again, this is incorrect. Such traffic is only inbound to interface VLAN 1 and outbound from interface VLAN 50. No other combinations are valid.

I guess I need to think of the acl as being applied to a physical/sub interface, not an SVI,

You should definitely think of these ACLs as being applied to physical/sub interfaces - but SVIs work in the same way and treat the traffic and its directions identically to physical interfaces!

Please consider the following picture:

Here, you have two VLANs and their corresponding SVIs. If traffic flows from VLAN1 into VLAN50, it will be inspected by inbound ACL on interface VLAN1 and by outbound ACL on interface VLAN50. It's as simple as that. Nothing more will take place here.

Best regards,

Peter
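The direction rule Peter describes here (a routed packet is inbound only on the SVI of the VLAN it arrives from and outbound only on the SVI of the VLAN it is sent into) and the implicit deny at the end of every ACL discussed earlier in the thread, worked through in a small Python model. This is an added example, not part of the thread and not Cisco code. It assumes the thread's topology (interface Vlan1 on 192.168.15.0/24 toward the firewall and the default route, interface Vlan50 on 10.16.30.0/24), reproduces John's inbound ACL as data with the named ports resolved to numbers (netbios-ns/dgm/ss = 137/138/139, bootps/bootpc = 67/68, domain = 53, www = 80), and adds a hypothetical outbound ACL for Vlan50 built on the IOS 'established' keyword, which matches TCP segments with ACK or RST set. The internet address 203.0.113.5 and the hosts 10.16.30.10 and 192.168.15.20 are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp" or "ip"
    dport: int = 0      # destination port for tcp/udp
    ack: bool = False   # TCP ACK/RST set, which the IOS 'established' keyword matches

@dataclass
class Ace:
    action: str         # "permit" or "deny"
    proto: str
    src: str            # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard mask)
    dst: str
    dports: tuple = ()  # 'eq' port list for tcp/udp; empty means any port
    established: bool = False

def _match_addr(spec: str, addr: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard mask means 'don't care'."""
    if spec == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    if spec.startswith("host "):
        return a == int(ipaddress.IPv4Address(spec[5:]))
    net, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(net)) & care) == (a & care)

def _matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and _match_addr(ace.src, pkt.src) and _match_addr(ace.dst, pkt.dst)
            and (not ace.dports or pkt.dport in ace.dports)
            and (not ace.established or pkt.ack))

def evaluate(acl, pkt: Packet):
    """First match wins; no match means the implicit 'deny ip any any' (sequence None)."""
    for seq, ace in acl:
        if _matches(ace, pkt):
            return ace.action, seq
    return "deny", None

def route(pkt: Packet, svis: dict, default_svi: str = "Vlan1"):
    """A routed packet is inbound on the SVI of the VLAN it comes from and outbound on the SVI
    of the VLAN it is sent into; each step consults only that SVI's ACL for that direction.
    Addresses outside every VLAN (the internet) are reached through the default-route SVI."""
    def svi_for(addr):
        return next((n for n, s in svis.items() if ipaddress.IPv4Address(addr) in s["net"]),
                    default_svi)
    ingress, egress = svi_for(pkt.src), svi_for(pkt.dst)
    if ingress == egress:  # same VLAN: switched at layer 2, the SVI is never involved
        return "switched", [(ingress, "intra-VLAN", "SVI ACLs not consulted")]
    trace = []
    for name, direction in ((ingress, "in"), (egress, "out")):
        acl = svis[name][direction]
        if acl is None:
            trace.append((name, direction, "no ACL"))
            continue
        action, seq = evaluate(acl, pkt)
        trace.append((name, direction, f"{action} seq {'implicit' if seq is None else seq}"))
        if action == "deny":
            return "dropped", trace
    return "forwarded", trace

W50, W1 = "10.16.30.0 0.0.0.255", "192.168.15.0 0.0.0.255"
# John's inbound ACL on interface Vlan50 as posted (named ports resolved to numbers).
VLAN50_IN = [
    (10, Ace("permit", "tcp", W50, "host 192.168.15.243", (137, 138, 139, 445))),
    (20, Ace("permit", "udp", W50, "host 192.168.15.243", (137, 138, 139, 445))),
    (25, Ace("permit", "icmp", W50, "host 192.168.1.243")),
    (26, Ace("permit", "ip", W50, "host 10.16.30.254")),
    (30, Ace("permit", "ip", W50, "host 192.168.15.254")),
    (40, Ace("deny", "ip", W50, W1)),
    (50, Ace("permit", "udp", "any", "any", (67,))),
    (60, Ace("permit", "udp", "any", "any", (68,))),
    (70, Ace("permit", "udp", W50, "any", (53,))),
    (80, Ace("permit", "tcp", W50, "any", (53,))),
    (90, Ace("permit", "tcp", W50, "any", (80,))),
    (95, Ace("permit", "tcp", W50, "any", (443,))),
    (100, Ace("permit", "icmp", W50, "any")),
]
# Hypothetical OUTBOUND ACL for interface Vlan50 (an assumption, not from the thread): only
# replies to TCP sessions opened from VLAN 50 ('established') and the gateway itself get in.
VLAN50_OUT = [
    (10, Ace("permit", "tcp", "any", W50, established=True)),
    (20, Ace("permit", "ip", "host 192.168.15.254", W50)),
]

def demo(outbound_filter: bool = False):
    # Topology from the thread: the firewall sits in VLAN 1, the workstations in VLAN 50.
    svis = {"Vlan1": {"net": ipaddress.ip_network("192.168.15.0/24"), "in": None, "out": None},
            "Vlan50": {"net": ipaddress.ip_network("10.16.30.0/24"), "in": VLAN50_IN,
                       "out": VLAN50_OUT if outbound_filter else None}}
    internet, ws, v1host = "203.0.113.5", "10.16.30.10", "192.168.15.20"  # constructed addresses
    return {
        "https_request": route(Packet(ws, internet, "tcp", 443), svis),             # seq 95 permits
        "https_reply": route(Packet(internet, ws, "tcp", 51000, ack=True), svis),   # never meets VLAN50_IN
        "unsolicited": route(Packet(internet, ws, "tcp", 3389), svis),              # same path as the reply
        "lateral": route(Packet(ws, v1host, "tcp", 445), svis),                     # seq 40 denies
        "other_port": route(Packet(ws, internet, "tcp", 3389), svis),               # implicit deny
    }
```

Calling demo() shows the inbound ACL on Vlan50 permitting the HTTPS request at sequence 95 and the VLAN 50 to VLAN 1 attempt being dropped at sequence 40, while both the reply from the internet and an unsolicited connection to the workstation pass with the trace "Vlan1 in: no ACL, Vlan50 out: no ACL", which is exactly the gap Peter points out. With demo(outbound_filter=True) the same two internet-sourced packets are evaluated on Vlan50 outbound: the reply matches the 'established' entry and the unsolicited connection hits the implicit deny. The outbound ACL is only an illustration of where the check happens; as written it would also drop UDP replies such as the DNS answers the inbound ACL lets out, so a real one needs entries for those.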

New Member

Re: Block traffic between two vlans on a Cat3560C

Hi Peter,

Thank you.

Following on this topic, Edison Ortiz mentioned that the ACL counters will not increment; therefore will the packets always be filtered by the ACL, even though the counters do not increase? Is this always/only the case with L3 switches or can it also occur on routers?

John.

Cisco Employee

Re: Block traffic between two vlans on a Cat3560C

Hi John,

Edison is spot on (he's always spot on!). If traffic filtering is performed using hardware acceleration (usually performed using a TCAM memory), as is common on Catalyst switches, the counters on ACL entries will not be increased but the filtering will still occur normally. To my best knowledge, all recent Catalyst switches, starting from 2950 and going up through 2960, 3550, 3560, 3750 up to 6500, perform traffic filtering in hardware and therefore, you should not expect the counters to increase. On these platforms, the only case when the counters really increase is the situation when the hardware acceleration was not used, and the filtering was performed by IOS software itself, consuming CPU resources.

On Cisco routers, the behavior is usually different, as routers do not use hardware acceleration for ACL functions (except for high-end routers such as 7600 and up). On routers, you can therefore expect the ACL counters to always increase.

One more comment - you have considered using the log option in your ACL entries on the switch. I strongly discourage you from doing that. The log keyword may actually have no effect, as the hardware-based filtering is performed without any involvement of the IOS and CPU (and logging packets is their job), or in worse case, it may actually force the ACL to be processed in software. Depending on the amount of traffic filtered by that ACL, it could overload your CPU, leading to all sorts of ill behavior (STP failures, inability to access the switch remotely, various other CPU-processed protocols and mechanisms failing, ...)

Best regards,

Peter

New Member

Re: Block traffic between two vlans on a Cat3560C

Hi Peter,

Thank you.

I used the log keyword more for reassurance that the ACL is filtering packets; I guess I could do tests beforehand but this proves difficult in a live environment.

From reading other posts I was informed that log would force the switch to use the software, therefore incrementing the counters. This is something which I was only looking to use in the first instance and then remove. The strange thing is that some of the ACL entries from the above have the counters incremented and others don't. Why would some ACL entries be processed by software and others by hardware?

Is this just a bug in the IOS?

Cisco Employee

Re: Block traffic between two vlans on a Cat3560C

Hi John,

According to the following document about Cat3560:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/swacl.html#wp1725217

Because routing is done in hardware and logging is done in software, if a large number of packets match a permit or deny ACE containing a log keyword, the software might not be able to match the hardware processing rate, and not all packets will be logged.

I assume the same goes for incrementing the counters.

Best regards,

Peter

New Member

Re: Block traffic between two vlans on a Cat3560C

Hi,

From one of the above posts you mentioned that an access-list always has an explicit deny at the end. Today I tested a connection from a remote laptop which is connected to the L3 switch. I have an application which uses the internet on a port which I have not mentioned in the access list. But still this application is able to access the internet; the strange thing is, when I add a deny ip any any at the end of the ACL, the application stops working?

Is there something which I'm missing?

Thank you.

New Member

Block traffic between two vlans on a Cat3560C + Internet Access

Any advise would be much appreciated.

Cisco Employee

Re: Block traffic between two vlans on a Cat3560C + Internet Acc

Hi John,

Can you please post the current complete configuration of your switch and precisely specify the following:

  1. into which port of the switch is the laptop connected?
  2. what are the exact addressing details of the traffic that was surprisingly permitted (i.e. source and destination IP address, transport protocol, source/destination port)?

I apologize for answering late - I did not notice an additional question in this thread. I am sorry.

Best regards,

Peter

New Member

Re: Block traffic between two vlans on a Cat3560C + Internet Acc

Hi Peter,

Thank you very much for the reply, I really appreciate it.

Sorry for the late reply.

The laptop is plugged into vlan 15. From the access-list I should not be able to connect to the internet when using remote desktop or a similar application like LogMeIn.

Also, when I add deny ip any any the application stops working, meaning the explicit deny is not functioning correctly.

Please find config attached.

Thank you.

New Member

Re: Block traffic between two vlans on a Cat3560C + Internet Acc

Hi Peter,

I was wondering if you have had a chance to look at the above?

Thanks

J.

Cisco Employee

Re: Block traffic between two vlans on a Cat3560C + Internet Acc

Hello John,

I apologize - I missed the fact that you have responded. My sincere apologies.

From the access-list I should not be able to connected to the internet when using remote desktop

Why not? Your ACL contains the following entries:

  permit udp 10.16.30.0 0.0.0.255 any eq domain log
  permit tcp 10.16.30.0 0.0.0.255 any eq domain log
  permit tcp 10.16.30.0 0.0.0.255 any eq www log
  permit tcp 10.16.30.0 0.0.0.255 any eq 443 log

They exactly permit access to DNS, HTTP and HTTPS service for any station in the 10.16.30.0/24 network (VLAN15).

What do you exactly mean when you say "when using remote desktop"?

Also when I add deny ip any any the application stop work, meaning the explicit deny is not functioning correctly.

Interesting. This would depend on the placement of the deny ip any any entry... Are you sure you have added this entry at the end of the ACL and not at the beginning?

Nevertheless, I see you are still having the log keyword attached to each and every ACL entry. Please remove it. There may be an ill interaction with this keyword - I would like to continue debugging this issue with a configuration that is 100% supported.

Thank you - and once more, please excuse my late answer.

Best regards,

Peter

New Member

Re: Block traffic between two vlans on a Cat3560C + Internet Acc

Hi Peter,

No need to apologize, any amount of your time is highly appreciated by me, therefore thank you.

I'm under the impression that the 3rd party remote desktop application uses a port other than what I've defined.

I'm going to run a Wireshark capture and examine the ports used.

Your comment on the log keyword: is this something which is not supported? Would this cause the packet to miss the ACL or would it just slow the process down? I've placed this keyword so I could see the packets going through the ACL. I understand the implication for the CPU of using the log keyword, but was not aware of any other.

From this thread I would like to ask a question which relates to the ACL and its placement. As I've placed the ACL in the inside direction of vlan 15, if I were to connect another switch on a trunk link, would I need to move the ACL to the other switch (as this is where the PC would connect to the switch) or can I leave it in place where it currently is? The way I understand it, it's the physical entry of the switch and it does not matter if it's a trunk or access port; would this be correct?

thanks

J

Cisco Employee

Re: Block traffic between two vlans on a Cat3560C + Internet Acc

Hello John,

I'm under the impression that the 3rd party remote desktop application uses a port other than what I've defined.

I'm going to run a Wireshark capture and examine the ports used.

I am not entirely getting you here. From where are you accessing the remote desktop, and where exactly does the remote desktop run? Does the machine accessed via remote desktop reside in VLAN 15? I have trouble understanding where the remote desktop client is located, and where the remote desktop server (i.e. the machine that you remotely access and from which you access the internet) resides.

Your comment on the log keyword, is this something which is not supported?

Let's just say that the log keyword is not supposed to be used in ACLs on multilayer switches. How exactly that turns out is always a matter of particular implementation and no one outside Cisco can tell you what will exactly happen. I want to be sure we are running a configuration that is not claimed to have any unrecommended or unsupported components.

As I've placed the ACL in the inside direction of vlan 15, if I were to connect another switch on a trunk link, would I need to move the ACL to the other switch (as this is where the PC would connect to the switch) or can I leave it in place where it currently is? The way I understand it, it's the physical entry of the switch and it does not matter if it's a trunk or access port; would this be correct?

The interface Vlan 15 onto which you have placed your ACL is the focal point of all traffic that is carried from VLAN15 into other VLANs and vice versa (if the switch performs inter-VLAN routing). Intra-VLAN communication on trunks is not controlled by the ACL placed on the interface VLAN. So your question actually asks about something different than you think it is asking.

Best regards,

Peter
