Cisco Support Community

New Member

Block Traffic under two VLANs : Unidirectional OR Bidirectional ???

I have a Cisco L3 switch with 4 VLANs, and all host computers are connected to the other 8 Cisco 2960 switches:

VLAN 1  : 192.168.1.0/24

VLAN 10: 192.168.10.0/24

VLAN 20: 192.168.20.0/24

VLAN 50: 192.168.30.0/24

Here is a list of my questions about extended ACLs, in order:

1. To restrict traffic from VLAN 10 to VLAN 20, I am using only one ACL entry: access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255.

    What will happen in this scenario to traffic from VLAN 20 to VLAN 10? Will it communicate or not?

2. How do I block the traffic from VLAN 10 to VLAN 20 but allow the traffic from VLAN 20 to VLAN 10? Please tell me the access-list command for this.

      Question #2 depends on question #1.

Please find my Cisco 3560 switch configuration in the post below:

Regards

Kuldeep

Accepted Solution
Hall of Fame Super Silver

Re: Block Traffic between two VLAN : Confuse Technically

With your #1 there will be no communication between 20 and 10. Packets from 20 would be able to get to 10 but no response will get back. And with no response there is no communication.

HTH

Rick

Sent from Cisco Technical Support iPad App

17 REPLIES

Re: Block Traffic between two VLAN : Confuse Technically

Hi there,

blocking both ways:

access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

Will it communicate?

access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

With only this ACL you will have no full communication between VLAN 10 and VLAN 20, but the packets/frames from VLAN 20 will be allowed. If you do not want this, it is better to block both ways...

3. Block traffic from both sides, meaning no communication between VLAN 10 and VLAN 20 or VLAN 20 and VLAN 10. What do we need to do?

In all this I did not get whether you implemented inter-VLAN routing or not, but I guess that the first set of access lists I wrote down will do the job.

Take Care

Alessio

PS: you can use other filters too; it all depends on your purposes.

New Member

Re: Block Traffic between two VLAN : Confuse Technically

Hi Alessio.

I have configured inter-VLAN routing on the Cisco 3560 L3 switch by using the "ip routing" command.

You mean to say that if we block only traffic from VLAN 10 to VLAN 20, then it will block only VLAN 10 to VLAN 20 but not VLAN 20 to VLAN 10, and I can access all hosts of VLAN 10 from VLAN 20 hosts?

Am I right?

Please answer question no. 1 with yes or no.

VIP Purple

Block Traffic between two VLAN : Confuse Technically

Hi Kuldeep,

1. To restrict traffic from VLAN 10 to VLAN 20, I am using this: access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255.

Then under the Layer 3 VLAN interface apply the ACL:

ip access-group 100 in

Solution: It will block packet transfer on both sides, 10 <---------> 20

2. Block the traffic from VLAN 10 to VLAN 20 but allow the traffic from VLAN 20 to VLAN 10? How many access-list commands are required, one or two?

Solution: I have to find it.

3. Same as the first solution.

Regards

please rate if it helps.

Hall of Fame Super Silver

Re: Block Traffic between two VLAN : Confuse Technically

Blocking all communication between the VLANs is easy. Permitting 20 to talk to 10 but not permitting 10 to talk to 20 is tricky. The problem is how to know if a packet from 10 to 20 is a response that should be permitted or is originating from 10, which should be denied. With TCP traffic you use the established parameter to achieve this. With ICMP you can do things like permit echo-reply but deny echo-request. With UDP there is not an easy solution. Perhaps you can identify some source port/destination port combinations to permit.

HTH

Rick

Sent from Cisco Technical Support iPad App

New Member

Hello All, i have a question.

Hello All,

I have a question. How can I block printing on a subnet or VLAN on a Cisco switch?

I would like to block the 172.16.20.1 0.0.3.255 subnet from printing.

The printers' IPs are 172.16.12.20

172.16.12.21

172.16.12.22

Thanks

New Member

Re: Block Traffic between two VLAN : Confuse Technically

Hi Sandeep,

                   Please find my Cisco 3560 switch configuration for correct understanding.

VIP Purple

Re: Block Traffic between two VLAN : Confuse Technically

Hi Kuldeep.

IP communication is bidirectional.

Except for TCP, where you could do an ACL looking for the SYN flag, there is no way to accomplish this with a simple ACL.

You'll have to use a stateful firewall (either a router with CBAC or ZBF, or an ASA).

Regards.

please rate if it helps.

New Member

Re: Block Traffic between two VLAN : Confuse Technically

Hi Sandeep,

                   You mean to say that if we apply an ACL to one side then it will affect both sides,

                   whether it is deny or permit?

                   Am I right?

VIP Purple

Re: Block Traffic between two VLAN : Confuse Technically

As per my knowledge, yes, it will affect both sides.

Regards

Please rate if it helps.


New Member

Re: Block Traffic between two VLAN : Confuse Technically

Hi Richard,

                  See this Cisco 3560 switch configuration, and tell me the answers accordingly:

CORE_3560#sh run
Building configuration...

Current configuration : 5299 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CORE_3560
!
enable secret 5 $1$d6GO$No/vGsChZP5O.5ANOYI2m/
!
no aaa new-model
ip subnet-zero
ip routing
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface Port-channel1
 description *** CONNECTING TO CISCO-2960 SWITCH-1 ***
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel2
 description *** CONNECTING TO CISCO-2960 SWITCH-2 ***
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/1
 description *** CONNECTING TO CISCO-2960 SWITCH-1 ***
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet0/2
 description *** CONNECTING TO CISCO-2960 SWITCH-1 ***
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet0/3
 description *** CONNECTING TO CISCO-2960 SWITCH-2 ***
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 2 mode on
!
interface GigabitEthernet0/4
 description *** CONNECTING TO CISCO-2960 SWITCH-2 ***
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 2 mode on
!
interface GigabitEthernet0/5
 description *** CONNECTING TO CISCO-2960 SWITCH-3 ***
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
 description *** CONNECTING TO CISCO-2960 SWITCH-4 ***
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
 description *** CONNECTING TO CISCO-2960 SWITCH-5 ***
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
 description *** CONNECTING TO CISCO-2960 SWITCH-6 ***
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
 description *** CONNECTING TO CISCO-2960 SWITCH-7 ***
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/14
 description *** CONNECTING TO CISCO-2960 SWITCH-8 ***
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/15
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
 description Connecting to Cisco-1800 Router
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1                                     ***** L2 switch's Vlans
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip access-group 101 in
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip access-group 101 in
!
interface Vlan50
 ip address 192.168.30.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.30.10
ip http server
!
!
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip any any
access-list 101 permit icmp any any
!
control-plane
!
!
line con 0
line vty 0 4
 password cisco
 no login
line vty 5 15
 no login
!
end

New Member

Re: Block Traffic between two VLAN : Confuse Technically

Hi Richard,

                 According to you, there will be no communication between VLAN 10 and VLAN 20 or VLAN 20 and VLAN 10.

                 So please tell me how to block the traffic from VLAN 10 to VLAN 20 but allow the traffic from VLAN 20 to VLAN 10?

                 Please send me the access-list command for that.

                 I am waiting for your reply.

Re: Block Traffic between two VLAN : Confuse Technically

Hi Kuldeep,

As Richard just stated above, no bidirectional communication would happen and therefore no connectivity between the hosts in VLANs 10 and 20. I still recommend following best practices... that means that should you desire NO communication between these VLANs, just type filters in both directions.

Take Care

Alessio

New Member

Re: Block Traffic between two VLAN : Confuse Technically

Hi Alessio,

That was a typing mistake; it was 101.

You mean to say that I should put 2 access-list entries as you told me earlier:

access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

Am I right?

Re: Block Traffic between two VLAN : Confuse Technically

yes, indeed

Alessio

New Member

Block Traffic under two VLANs : Unidirectional OR Bidirectional

Actually there is a simple solution. I needed a lot of time to get to this, so it's worth sharing.

There is a special type of access list called reflexive.

This kind of access list will allow traffic from one VLAN to another only if the communication was established in the other direction before that.

It can't be used for IP traffic as a whole, only for each protocol separately, so you will need to use more rows in the ACL to allow TCP, ICMP, etc., but it will solve your problem.

Here is how it is done:

Let's say that you have two VLANs: VLAN 10 and VLAN 20.

VLAN 10 INTERFACE = 10.10.10.1 /24

VLAN 20 INTERFACE = 10.10.20.1 /24


VLAN 10 can access VLAN 20 but,

VLAN 20 can't access VLAN 10. (That was the whole problem, to allow access only in one direction).

To be able to do so, you need to let the traffic from VLAN 10 go to VLAN 20, but you also need to let this communication go back to VLAN 10 in order to complete the bidirectional communication.

Almost every communication needs to get back to the source in order to make the circle functional.

But if you allow this communication to go back to VLAN 10, you will allow all the communication in both ways, and this is the problem that we can solve using reflexive ACLs.

We will make an extended named ACL with the name EASYONE:

ip access-list extended EASYONE

permit tcp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 established

(The word established at the end of this ACL row means that this TCP traffic from VLAN 20 to VLAN 10 will only be allowed when it belongs to some communication that was started from VLAN 10, i.e. returning traffic.)

permit icmp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 echo-reply

(This echo-reply row will allow VLAN 20 to reply to ping and other ICMP requests.)

deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255

permit ip any any

(This row will deny all other traffic from VLAN 20 directed to VLAN 10, but with permit ip any any it will allow VLAN 20 to go, let's say, to the gateway and further to the internet and other VLANs.)

Finally, we will put the ACL EASYONE on the VLAN 20 L3 interface:

interface vlan 20

ip access-group EASYONE in

To conclude, the config without comments, indeed easy now that it is done:

ip access-list extended EASYONE
 permit tcp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 established
 permit icmp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 echo-reply
 deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip any any
 exit
interface vlan 20
 ip access-group EASYONE in

The credit for the solution goes to my mentor and friend Sandra, who did the configuration and lab for it, but more than that she came up with the established keyword at the end of the ACL and the whole reflexive ACL solution.

For this detailed article and more about Cisco, Juniper, etc configurations from real life please visit blog howdoesinternetwork.com and enjoy networking as we do.

Valter Popeskic
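To make the two behaviours argued about in this thread concrete (Rick's point that with a single-direction deny the first packet gets through but the reply never comes back, and only TCP carries a flag that distinguishes a reply; and the EASYONE ACL posted above), here is an added Python model of Cisco-style extended ACL evaluation. It is example code written for this page, not Cisco's code and not any poster's configuration. It assumes that an ACL applied "in" on an SVI filters packets sent by hosts in that VLAN, so each packet is checked against the ACL of its source VLAN, and it models only wildcard masks, the protocol keyword, the TCP established qualifier (ACK or RST set) and ICMP echo/echo-reply; the host addresses are constructed. It also traces the UDP case Rick mentions: with EASYONE, a UDP reply from VLAN 20 back to VLAN 10 is dropped, because nothing in a UDP datagram marks it as a response.

```python
# Added example (not from the thread or Cisco): a small model of Cisco-style
# extended ACL evaluation, covering wildcard masks, protocol keywords, the TCP
# "established" qualifier (ACK or RST set) and ICMP echo/echo-reply.
# Assumption: an ACL applied "in" on an SVI filters packets sent by the hosts
# of that VLAN, so each packet is checked against the ACL of its source VLAN.
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    tcp_ack: bool = False      # True for a TCP segment with ACK or RST set
    icmp_type: str = ""        # "echo" or "echo-reply"


def _match_addr(addr, net, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are 'don't care'."""
    if net == "any":
        return True
    a, n = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def parse_ace(line):
    """'permit|deny <proto> <src> [wc] <dst> [wc] [established|echo|echo-reply]'."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2

    def addr():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ("any", "0.0.0.0")
        i += 2
        return (tok[i - 2], tok[i - 1])

    src, dst = addr(), addr()
    qualifier = tok[i] if i < len(tok) else ""
    return (action, proto, src, dst, qualifier)


def ace_matches(ace, pkt):
    action, proto, src, dst, qual = ace
    if proto != "ip" and proto != pkt.proto:
        return False
    if not (_match_addr(pkt.src, *src) and _match_addr(pkt.dst, *dst)):
        return False
    if qual == "established":
        return pkt.tcp_ack      # only return traffic of a TCP session carries ACK
    if qual in ("echo", "echo-reply"):
        return pkt.icmp_type == qual
    return True


def acl_permits(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace[0] == "permit"
    return False


@dataclass
class Design:
    vlans: dict      # vlan id -> IPv4Network of its hosts
    inbound: dict    # vlan id -> ACL lines applied with "ip access-group ... in"

    def forwards(self, pkt):
        src_vlan = next(v for v, net in self.vlans.items()
                        if ipaddress.IPv4Address(pkt.src) in net)
        acl = self.inbound.get(src_vlan)
        return True if acl is None else acl_permits(acl, pkt)


def tcp_session_works(d, client, server):
    """Three-way handshake: SYN, SYN/ACK back, ACK; all three must be forwarded."""
    legs = (Packet("tcp", client, server),
            Packet("tcp", server, client, tcp_ack=True),
            Packet("tcp", client, server, tcp_ack=True))
    return all(d.forwards(p) for p in legs)


def ping_works(d, src, dst):
    return (d.forwards(Packet("icmp", src, dst, icmp_type="echo"))
            and d.forwards(Packet("icmp", dst, src, icmp_type="echo-reply")))


def udp_exchange_works(d, client, server):
    # UDP has no flag that marks a reply, so both legs are plain datagrams.
    return d.forwards(Packet("udp", client, server)) and d.forwards(Packet("udp", server, client))


# Kuldeep's posted config: ACL 101 applied "in" on both Vlan10 and Vlan20.
ACL_101 = ["deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255", "permit ip any any"]
KULDEEP = Design({10: ipaddress.ip_network("192.168.10.0/24"),
                  20: ipaddress.ip_network("192.168.20.0/24")}, {10: ACL_101, 20: ACL_101})

# Valter's EASYONE ACL, applied "in" on interface vlan 20 only.
EASYONE = ["permit tcp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 established",
           "permit icmp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 echo-reply",
           "deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255",
           "permit ip any any"]
VALTER = Design({10: ipaddress.ip_network("10.10.10.0/24"),
                 20: ipaddress.ip_network("10.10.20.0/24")}, {20: EASYONE})

if __name__ == "__main__":
    h10, h20, v10, v20 = "192.168.10.5", "192.168.20.5", "10.10.10.5", "10.10.20.5"  # constructed hosts
    print("ACL 101: SYN 20->10 forwarded?", KULDEEP.forwards(Packet("tcp", h20, h10)))
    print("ACL 101: TCP 20->10 session works?", tcp_session_works(KULDEEP, h20, h10))
    print("EASYONE: TCP 10->20 works?", tcp_session_works(VALTER, v10, v20))
    print("EASYONE: TCP 20->10 works?", tcp_session_works(VALTER, v20, v10))
    print("EASYONE: ping 20->10 works?", ping_works(VALTER, v20, v10))
    print("EASYONE: UDP 10->20 exchange works?", udp_exchange_works(VALTER, v10, v20))
```

Running it shows the first SYN from VLAN 20 passing ACL 101 while the session still fails (the SYN/ACK from VLAN 10 is denied), EASYONE letting VLAN 10 open TCP sessions and ping VLAN 20 but not the reverse, and the UDP exchange started from VLAN 10 failing on the reply leg. That last result is the practical limit of the established approach: stateless matching on a flag cannot recognise UDP responses, which is why the thread points to a stateful firewall (CBAC, ZBF or an ASA) when UDP services must cross the boundary.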
New Member

Re: Block Traffic under two VLANs : Unidirectional OR Bidirectional

Will reflexive ACLs work on a 4500 series Layer 3 switch?

I have tried the above scenario in Packet Tracer but it doesn't work and blocks both ways.

I have heard that a reflexive access list is something related to the inbound and outbound concept, and you put an evaluate command... can you clarify this for me?

Is there any other option to allow one-way access? Please help me.
