
Cisco 3750 VLAN ACL


omcakuma

IS-IT--Management
Mar 7, 2007
Hello,

I am setting up a Cisco Catalyst 3750 with 3 vlans. Right now with ip routing on, all vlans can talk freely with others. I want the Officenet vlan to be able to talk to all vlans, however I do not want the QANet vlan accessing OfficeNet. I know I should be setting ACLs but can’t figure out how they should be setup.



Any help is appreciated.



ip subnet-zero
ip routing
ip default-gateway 172.16.0.1
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.0.1

sw01#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/3, Gi1/0/4, Gi1/0/5
                                                Gi1/0/6, Gi1/0/7, Gi1/0/8
                                                Gi1/0/11, Gi1/0/13, Gi1/0/14
                                                Gi1/0/15, Gi1/0/16, Gi1/0/17
                                                Gi1/0/18, Gi2/0/3, Gi2/0/4
                                                Gi2/0/5, Gi2/0/6, Gi2/0/7
                                                Gi2/0/8, Gi2/0/13, Gi2/0/14
                                                Gi2/0/15, Gi2/0/16, Gi2/0/17
                                                Gi2/0/18
10   Pix                              active    Gi1/0/1, Gi1/0/2, Gi2/0/1
                                                Gi2/0/2
172  Officenet                        active    Gi1/0/19, Gi1/0/20, Gi1/0/21
                                                Gi1/0/22, Gi1/0/23, Gi1/0/24
                                                Gi2/0/19, Gi2/0/20, Gi2/0/21
                                                Gi2/0/22, Gi2/0/23, Gi2/0/24
192  QAnet                            active    Gi1/0/9, Gi1/0/10, Gi1/0/12
                                                Gi2/0/9, Gi2/0/10, Gi2/0/11
                                                Gi2/0/12



 
access-list 101 deny ip any (officenet ip/mask here)
access-list 101 permit ip any any

int vlan192
ip access-group out 101

Think that should do it.... and hey, looks like globalchicken beat me to it! ;-) He brings up a good point, vlan access maps can be used.
 
Hello,
I entered in:
access-list 101 deny ip any 172.20.0.0 255.255.252.0
access-list 101 permit ip any any

int vlan192
ip access-group 101 out

When I sh ru, i see:
10 deny ip any 0.0.0.0 255.255.252.0

Any reason why it's not showing the IP subnet I put in and is making it 0.0.0.0?
 
Hmm, extended ACLs were introduced in IOS 8.3. Is it a REALLY old IOS?
 
He is using a 3750, so it has to be at least 12.1 code. They support extended ACLs, so he may have mistyped it. You may have to post the whole config to see what you put in.
 
you probably don't need the entire config:
sw01#sh ru
Building configuration...

Current configuration : 5428 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname sw01
!
enable secret 5 $1$puYP$uPrdIHI4WKxn8WgqXH27T0
enable password xxxxxxxx
!
no aaa new-model
switch 1 provision ws-c3750g-24t
switch 2 provision ws-c3750g-24t
vtp domain cambridge
vtp mode transparent
ip subnet-zero
ip routing
ip domain-name sw01.xxxxxxxx
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
name Pix
!
vlan 21
name test21
!
vlan 22
name test22
!
vlan 172
name Officenet
!
vlan 192
name QAnet
!
!
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 172.16.0.2 255.255.255.0
!
interface Vlan21
ip address 192.168.21.1 255.255.255.0
!
interface Vlan22
ip address 192.168.22.1 255.255.255.0
!
interface Vlan172
ip address 172.20.0.1 255.255.252.0
!
interface Vlan192
ip address 192.168.255.1 255.255.255.0
ip access-group 172 out
!
ip default-gateway 172.16.0.1
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.0.1
ip http server
!
!
access-list 172 deny ip any 0.0.0.0 255.255.252.0
access-list 172 permit ip any any
no cdp run
!
control-plane
!
!
line con 0
exec-timeout 0 0

!
!
end
 
Forgot to mention what I entered:

access-list 172 deny ip any 172.20.0.0 255.255.252.0
access-list 172 permit ip any any

int vlan192
ip access-group 172 out
 
Access lists use a reverse mask to define the network. So, your access list commands should look like the following:

access-list 172 deny ip any 172.20.0.0 0.0.3.255
access-list 172 permit ip any any

Then apply it to the interface.

I also find it helpful to place a remark at the top as a description.

access-list 172 remark ACL to allow traffic

JPC
 
Thanks for the replies.

So I set what was suggested:
interface Vlan172
ip address 172.20.0.1 255.255.252.0

interface Vlan192
ip address 192.168.255.1 255.255.255.0
ip access-group 172 out

access-list 172 deny ip any 172.20.0.0 0.0.3.255
access-list 172 permit ip any any

This doesn't seem to do anything. VLAN 172 and 192 can still ping, RDP, etc. If I set the interface to:
ip access-group 172 in
Vlan 192 can't access 172 or the pix, and nothing can access 192.

Help??
 
OK, now that I'm not on Nyquil anymore, let me solve this question correctly before I stick my foot in my mouth again.

You do not want QANet vlan accessing OfficeNet. QANet is vlan 192.

access-list 172 deny ip 192.168.255.0 0.0.0.255 172.20.0.0 0.0.3.255
access-list 172 permit ip any any

int vlan 192
ip access-group 172 in

That should prevent anything from the QANet network destined to OfficeNet from ever entering the routing process.
 
OK, I feel we're close, helpdesk.

followed:
access-list 172 deny ip 192.168.255.0 0.0.0.255 172.20.0.0 0.0.3.255
access-list 172 permit ip any any

int vlan 192
ip access-group 172 in

Now, 192 can not access 172.
192 can access pix
172 can access pix
172 can not access 192

Do I need an access-list 172 permit somewhere?

Once again, thanks.
 
Isn't this the desired behavior?
Are you saying you do not want QANet vlan accessing OfficeNet, but you DO want OfficeNet to be able to access QANet? That would be more like the operation of a NAT firewall - I'd have to think about that.

A permit will not do it because every packet has to (surprise!) return the way it came. Your statement is not technically correct; traffic can reach 192 just fine. It just can't get back!
 
Yes, I do not want QANet vlan accessing OfficeNet, but I DO want OfficeNet to be able to access QANet.
 
Established traffic would perhaps do the trick:

access-list 172 permit tcp any any gt 1023 established
access-list 172 deny ip 192.168.255.0 0.0.0.255 172.20.0.0 0.0.3.255
access-list 172 permit ip any any

But, that would only work for tcp services. The only other solution I could think of would involve NAT.
 
access-list 172 permit icmp any any echo-reply
access-list 172 permit tcp any any gt 1023 established
access-list 172 deny ip 192.168.255.0 0.0.0.255 172.20.0.0 0.0.3.255
access-list 172 permit ip any any

Now you can ping too.
 
OK, this seemed to do the trick!

interface Vlan192
ip address 192.168.255.1 255.255.255.0
ip access-group 172 in

access-list 172 permit tcp any any established
access-list 172 permit udp any any
access-list 172 permit icmp any any echo-reply
access-list 172 deny ip 192.168.255.0 0.0.0.255 172.20.0.0 0.0.3.255
access-list 172 permit ip any any

Thanks so much for your help Dan!
 
OK, odd. Everything seems to work correctly. vlan192 doesn't seem to be able to access vlan172 (pings, HTTP, RDP, fileshares, etc.). However, 192 is still able to query 172 for DNS lookups. Any way to stop this too?
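An added example (not from the thread or any poster): a small Python model of IOS extended-ACL matching that checks two points raised above: why the subnet mask typed into the first access list (JPC's wildcard-mask reply) collapsed 172.20.0.0 to 0.0.0.0, and why the final access-list 172 on Vlan192 still lets QAnet send DNS queries to OfficeNet, since `permit udp any any` sits above the deny and `established` only inspects the ACK/RST bit of each packet. The host addresses and sample packets are constructed, and the seven-field tuple is my own shorthand for an access-list entry.

```python
import ipaddress

def ip_int(s):
    return int(ipaddress.IPv4Address(s))

def normalize(addr, wildcard):
    # IOS clears every "don't care" bit (wildcard bit = 1) before storing an entry.
    return str(ipaddress.IPv4Address(ip_int(addr) & ~ip_int(wildcard)))

def match_addr(pkt_addr, addr, wildcard):
    w = ip_int(wildcard)  # bits set in the wildcard are ignored in the compare
    return (ip_int(pkt_addr) & ~w) == (ip_int(addr) & ~w)

def ace_matches(e, pkt):
    action, proto, src, swc, dst, dwc, opt = e
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if not (match_addr(pkt["src"], src, swc) and match_addr(pkt["dst"], dst, dwc)):
        return False
    if opt == "established":  # stateless: only the ACK/RST bit of this packet is checked
        return pkt["proto"] == "tcp" and pkt.get("ack", False)
    if opt == "echo-reply":
        return pkt["proto"] == "icmp" and pkt.get("icmp_type") == 0
    return True

def evaluate(acl, pkt):
    for e in acl:  # first match wins; every access list ends with an implicit deny
        if ace_matches(e, pkt):
            return e[0]
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")
FINAL_ACL = [  # the thread's final access-list 172, applied inbound on Vlan192 (QAnet)
    ("permit", "tcp", *ANY, *ANY, "established"),
    ("permit", "udp", *ANY, *ANY, None),
    ("permit", "icmp", *ANY, *ANY, "echo-reply"),
    ("deny", "ip", "192.168.255.0", "0.0.0.255", "172.20.0.0", "0.0.3.255", None),
    ("permit", "ip", *ANY, *ANY, None),
]
QA, OFFICE, PIX = "192.168.255.10", "172.20.0.5", "172.16.0.1"  # constructed host addresses
SAMPLES = {  # constructed packets arriving on Vlan192 from a QAnet host
    "qa_opens_tcp_to_office": dict(proto="tcp", src=QA, dst=OFFICE, ack=False),
    "qa_replies_to_office_tcp": dict(proto="tcp", src=QA, dst=OFFICE, ack=True),
    "qa_dns_query_to_office": dict(proto="udp", src=QA, dst=OFFICE),
    "qa_pings_office": dict(proto="icmp", src=QA, dst=OFFICE, icmp_type=8),
    "qa_tcp_to_pix": dict(proto="tcp", src=QA, dst=PIX, ack=False),
}

def final_acl_results():
    return {name: evaluate(FINAL_ACL, pkt) for name, pkt in SAMPLES.items()}
```

In this model the DNS query is permitted purely because of entry order: the QAnet-to-OfficeNet deny has to sit above the blanket udp permit for that lookup to be blocked.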
 