Cisco 3750 VLAN ACL

Status
Not open for further replies.

omcakuma

IS-IT--Management
Mar 7, 2007
10
US
Hello,

I am setting up a Cisco Catalyst 3750 with 3 VLANs. Right now with ip routing on, all VLANs can talk freely with the others. I want the Officenet VLAN to be able to talk to all VLANs, however I do not want the QAnet VLAN accessing Officenet. I know I should be setting ACLs but can't figure out how they should be set up.



Any help is appreciated.



ip subnet-zero
ip routing
ip default-gateway 172.16.0.1
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.0.1

sw01#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/3, Gi1/0/4, Gi1/0/5
                                                Gi1/0/6, Gi1/0/7, Gi1/0/8
                                                Gi1/0/11, Gi1/0/13, Gi1/0/14
                                                Gi1/0/15, Gi1/0/16, Gi1/0/17
                                                Gi1/0/18, Gi2/0/3, Gi2/0/4
                                                Gi2/0/5, Gi2/0/6, Gi2/0/7
                                                Gi2/0/8, Gi2/0/13, Gi2/0/14
                                                Gi2/0/15, Gi2/0/16, Gi2/0/17
                                                Gi2/0/18
10   Pix                              active    Gi1/0/1, Gi1/0/2, Gi2/0/1
                                                Gi2/0/2
172  Officenet                        active    Gi1/0/19, Gi1/0/20, Gi1/0/21
                                                Gi1/0/22, Gi1/0/23, Gi1/0/24
                                                Gi2/0/19, Gi2/0/20, Gi2/0/21
                                                Gi2/0/22, Gi2/0/23, Gi2/0/24
192  QAnet                            active    Gi1/0/9, Gi1/0/10, Gi1/0/12
                                                Gi2/0/9, Gi2/0/10, Gi2/0/11
                                                Gi2/0/12

Basically it's UDP.

access-list 172 permit tcp any any established
access-list 172 permit udp any any
access-list 172 permit icmp any any echo-reply
access-list 172 deny ip 192.168.255.0 0.0.0.255 172.20.0.0 0.0.3.255
access-list 172 permit ip any any

With the above ACL, one would think that 'deny ip' would include TCP, UDP, etc. But it only seems to be blocking TCP.

I added 'access-list 172 permit udp any any' so 172 can establish UDP access to 192. When I take that line out, UDP access from either VLAN is blocked.

I would like 172 to have TCP, UDP, kitchen-sink access to 192, and 192 to not have any access to 172.

Any idea?
 
Well, yes, that makes quite a bit of sense. ACLs are followed in order and, when a match is made, the matched traffic is exempt from the rest of the ACL.

UDP is going to be a bit harder. The trick we pulled can be done with TCP because it is a session-oriented protocol. The trick we pulled with ping works because we allowed a certain type of ICMP, namely the echo reply. UDP has no such trick that we can exploit! So it can access DHCP; what will that hurt?

The only option I can think of if you must have it the way you ask, is to use the same thing everybody uses with the Internet, namely NAT. We all want access to the Internet, yet we don't want the Internet to have access to us. Beyond NAT is a firewall solution, but that's not my field. (yet)
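The ordering point made in the reply above, worked through as an added example that is not part of the thread: a small Python model of first-match ACL evaluation that parses the posted access-list 172 and a reordered version, then runs constructed packets through both. It assumes the subnets implied by the poster's deny line (QAnet 192.168.255.0/24, Officenet 172.20.0.0/22), a hypothetical DNS server at 192.168.255.10 to show how UDP replies get opened per service, and that the list is applied with `ip access-group 172 in` under `interface Vlan192`; none of that is stated on the page.

```python
"""Added example (not from the thread): first-match evaluation of Cisco numbered
extended ACLs, replaying the posted access-list 172 and a reordered version against
constructed packets.  Assumed from the post's deny line: QAnet 192.168.255.0/24,
Officenet 172.20.0.0/22.  The DNS server 192.168.255.10 is hypothetical."""
import ipaddress
from collections import namedtuple

# established = ACK or RST set, which is all IOS 'established' checks (no state table)
Packet = namedtuple("Packet", "proto src dst sport dport established icmp_type",
                    defaults=(0, 0, False, ""))
# one access-list entry; port 0 = any; qualifier is "", "established" or an ICMP type
Ace = namedtuple("Ace", "action proto src dst sport dport qualifier")

def matches(ace, p):
    if ace.proto not in ("ip", p.proto):
        return False
    if ipaddress.ip_address(p.src) not in ace.src or ipaddress.ip_address(p.dst) not in ace.dst:
        return False
    if (ace.sport and ace.sport != p.sport) or (ace.dport and ace.dport != p.dport):
        return False
    if ace.qualifier == "established":
        return p.proto == "tcp" and p.established
    return not ace.qualifier or (p.proto == "icmp" and p.icmp_type == ace.qualifier)

def _endpoint(tok, i):
    """Parse 'any' or 'ADDR WILDCARD', then an optional 'eq PORT'; return (net, port, next)."""
    if tok[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    else:  # ipaddress reads a mask with a leading 0 octet as a wildcard, except 0.0.0.0 (= /0)
        suffix = "/32" if tok[i + 1] == "0.0.0.0" else "/" + tok[i + 1]
        net, i = ipaddress.ip_network(tok[i] + suffix, strict=False), i + 2
    port = 0
    if i < len(tok) and tok[i] == "eq":
        port, i = int(tok[i + 1]), i + 2
    return net, port, i

def parse_acl(text):
    """'access-list N permit|deny PROTO SRC DST [QUALIFIER]' lines, in order; remarks skipped."""
    aces = []
    for tok in (line.split() for line in text.strip().splitlines()):
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        src, sport, i = _endpoint(tok, 4)
        dst, dport, i = _endpoint(tok, i)
        aces.append(Ace(tok[2], tok[3], src, dst, sport, dport, tok[i] if i < len(tok) else ""))
    return aces

def evaluate(aces, pkt):
    """First match decides and nothing below it is consulted; running off the end is
    the implicit deny.  Returns (action, 1-based matching line, or 0)."""
    for n, ace in enumerate(aces, 1):
        if matches(ace, pkt):
            return ace.action, n
    return "deny", 0

# Exactly as posted: 'permit udp any any' sits above the deny, so every UDP packet is
# decided on line 2 and the deny on line 4 only ever sees TCP SYNs and non-echo ICMP.
POSTED_ACL = """
access-list 172 permit tcp any any established
access-list 172 permit udp any any
access-list 172 permit icmp any any echo-reply
access-list 172 deny ip 192.168.255.0 0.0.0.255 172.20.0.0 0.0.3.255
access-list 172 permit ip any any
"""

# Reordered for 'ip access-group 172 in' under 'interface Vlan192' (packets entering the
# switch from QAnet hosts): no blanket UDP permit, the deny ahead of the catch-all, and
# UDP replies opened per service because IOS has no UDP equivalent of 'established'.
REORDERED_ACL = """
access-list 172 remark inbound on Vlan192 (QAnet SVI); subnets assumed from the post
access-list 172 permit tcp any any established
access-list 172 permit icmp any any echo-reply
access-list 172 permit udp 192.168.255.10 0.0.0.0 eq 53 172.20.0.0 0.0.3.255
access-list 172 deny ip 192.168.255.0 0.0.0.255 172.20.0.0 0.0.3.255
access-list 172 permit ip any any
"""

# Constructed packets, all sourced in QAnet as its SVI would see them inbound.
QA, QA_DNS, OFFICE = "192.168.255.20", "192.168.255.10", "172.20.1.15"
SAMPLES = {
    "udp QA->Office": Packet("udp", QA, OFFICE, 5353, 5353),
    "tcp SYN QA->Office": Packet("tcp", QA, OFFICE, 40000, 445),
    "tcp reply QA->Office": Packet("tcp", QA, OFFICE, 22, 40000, established=True),
    "icmp echo-reply QA->Office": Packet("icmp", QA, OFFICE, icmp_type="echo-reply"),
    "dns reply QA->Office": Packet("udp", QA_DNS, OFFICE, 53, 50000),
    "udp QA->elsewhere": Packet("udp", QA, "10.9.8.7", 5000, 5000),
}

def verdicts(acl_text):
    """Map each sample packet to (action, matching line) under the given ACL."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for label, acl in ("posted", POSTED_ACL), ("reordered", REORDERED_ACL):
        print(label, *verdicts(acl).items(), sep="\n  ")
```

Under the posted list the UDP packet from QAnet to Officenet is permitted on line 2 before the deny is ever reached, which is exactly what the poster observed; with the deny moved ahead of the catch-all it is dropped, and only the explicitly carved-out DNS reply gets through. Applying the list `in` on the QAnet SVI filters packets as they arrive from QAnet hosts, before routing; `established` only tests TCP header flags, so a QAnet host can still send ACK-flagged segments toward Officenet. That is a packet filter, not a stateful firewall, which is the limitation the reply points at when it mentions NAT.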
 