
ACL+VLAN Interfaces

16 years 8 months ago #25389 by gijo002255
I have 3 VLANs: VLAN10 - 192.168.10.0/24, VLAN20 - 192.168.20.0/24, VLAN30 - 192.168.30.0/24.
I configured VLAN interface IPs for all VLANs with inter-VLAN routing:
VLAN10 - 192.168.10.1/24
VLAN20 - 192.168.20.1/24
VLAN30 - 192.168.30.1/24
Can anyone provide a configuration for the following requirements?
1. Deny traffic coming from VLAN10 to VLAN20, but allow traffic coming from VLAN20 to VLAN10.
2. Allow only HTTP traffic from VLAN10 and VLAN20 to VLAN30.
3. Allow access to the specific host 192.168.30.100 for any host in VLAN10 and VLAN20.
4. I have DHCP configured on the 6500 for the 3 VLANs; all hosts in their respective networks should get their IP address from the DHCP server (basically, DHCP server communication should not be blocked).
Thank you in advance.

16 years 8 months ago #25421 by havohej
Replied by havohej on topic Re: ACL+VLAN Interfaces
Here goes:


int VLAN10
ip add 192.168.10.1 255.255.255.0
ip access-group FROMVLAN10-TO-VLAN20&30 in

int VLAN20
ip add 192.168.20.1 255.255.255.0
ip access-group FROMVLAN20-TO-VLAN10&30 in

int VLAN30
ip add 192.168.30.1 255.255.255.0
ip access-group FROMVLAN30-TO-VLAN10&20 in

ip access-list extended FROMVLAN10-TO-VLAN20&30
remark replies to sessions that VLAN20 opened towards VLAN10 (temporary entries in REFLEX-ACL)
evaluate REFLEX-ACL
remark requirement 1: VLAN10 may not initiate traffic to VLAN20
deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
remark requirement 2: only HTTP towards VLAN30
permit tcp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 80
remark requirement 3: full access to the host 192.168.30.100
permit ip 192.168.10.0 0.0.0.255 host 192.168.30.100
remark requirement 4: DHCP client (bootpc/68) to server (bootps/67), incl. 0.0.0.0 -> 255.255.255.255 discover
permit udp any eq bootpc any eq bootps
remark let the hosts talk to their own VLAN interface on the switch
permit ip 192.168.10.0 0.0.0.255 host 192.168.10.1

ip access-list extended FROMVLAN20-TO-VLAN10&30
remark requirement 1: VLAN20 -> VLAN10 allowed; reflect records each flow so the reply passes on VLAN10
permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 reflect REFLEX-ACL
permit tcp 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 80
permit ip 192.168.20.0 0.0.0.255 host 192.168.30.100
permit udp any eq bootpc any eq bootps
permit ip 192.168.20.0 0.0.0.255 host 192.168.20.1

ip access-list extended FROMVLAN30-TO-VLAN10&20
remark only replies from the HTTP servers (established: ACK or RST set) and the host 192.168.30.100
permit tcp 192.168.30.0 0.0.0.255 eq 80 192.168.10.0 0.0.0.255 established
permit ip host 192.168.30.100 192.168.10.0 0.0.0.255
permit tcp 192.168.30.0 0.0.0.255 eq 80 192.168.20.0 0.0.0.255 established
permit ip host 192.168.30.100 192.168.20.0 0.0.0.255
permit udp any eq bootpc any eq bootps
permit ip 192.168.30.0 0.0.0.255 host 192.168.30.1



You are getting blocked while applying the ACL? Maybe you are sourcing your Telnet connection to the switch from a PC in VLAN 20. So, to not get blocked again, you must permit the Telnet traffic sourced from your PC to the switch; you must add an entry like this one:

ip access-list extended FROMVLAN20-TO-VLAN10&30
200 permit tcp host x.x.x.x host 192.168.20.1 eq telnet

where x.x.x.x is your PC's IP address (located in VLAN 20, I suppose!)


I also added an extra permit statement to each ACL so all hosts within each subnet can talk to the VLAN IP address of the switch belonging to the same subnet where the hosts are connected. I don't know if the switch is the default gateway or not.


I recommend pasting these configs in a lab and testing them against all the policies mentioned before enabling this on the production switch.
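As an added example, not part of havohej's post or of the thread, here is a small first-match model of the VLAN10 and VLAN20 ACLs above in Python, including the reflect/evaluate state, that pushes constructed packets through them to check the four requirements. It is a simplification (no port ranges, no established flag, ICMP treated as portless), and the host addresses 192.168.10.2, 192.168.20.5 and 192.168.30.7 are assumed.

```python
from ipaddress import ip_address, ip_network

def ace(action, proto, src, dst, sport=None, dport=None, reflect=False):   # one ACL entry
    return dict(action=action, proto=proto, src=src, dst=dst,          # src/dst: CIDR or "any"
                sport=sport, dport=dport, reflect=reflect)

def in_net(addr, net):
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)

def ace_matches(e, p):
    return (e["proto"] in ("ip", p["proto"]) and in_net(p["src"], e["src"]) and in_net(p["dst"], e["dst"])
            and e["sport"] in (None, p.get("sport")) and e["dport"] in (None, p.get("dport")))

def flow(p, reverse=False):
    """5-tuple of a packet; reversed, it is the key the return traffic will present."""
    t = (p["proto"], p["src"], p["dst"], p.get("sport"), p.get("dport"))
    return (t[0], t[2], t[1], t[4], t[3]) if reverse else t

def evaluate(acl, p, reflex):
    """First-match lookup; 'reflex' holds the temporary entries created by 'reflect'."""
    for e in acl:
        if e == "evaluate":                  # the 'evaluate REFLEX-ACL' line
            if flow(p) in reflex:
                return True
        elif ace_matches(e, p):
            if e["reflect"]:                 # remember the mirrored flow for the reply
                reflex.add(flow(p, reverse=True))
            return e["action"] == "permit"
    return False                             # implicit deny at the end of every IOS ACL

DHCP = ace("permit", "udp", "any", "any", sport=68, dport=67)          # bootpc -> bootps
VLAN10_IN = ["evaluate",
             ace("deny", "ip", "192.168.10.0/24", "192.168.20.0/24"),
             ace("permit", "tcp", "192.168.10.0/24", "192.168.30.0/24", dport=80),
             ace("permit", "ip", "192.168.10.0/24", "192.168.30.100/32"), DHCP]
VLAN20_IN = [ace("permit", "ip", "192.168.20.0/24", "192.168.10.0/24", reflect=True),
             ace("permit", "tcp", "192.168.20.0/24", "192.168.30.0/24", dport=80),
             ace("permit", "ip", "192.168.20.0/24", "192.168.30.100/32"), DHCP]

def check_policy():
    """Push constructed packets through the ACLs in order and return the verdicts."""
    reflex, out = set(), {}
    pkt = lambda proto, src, dst, **ports: dict(proto=proto, src=src, dst=dst, **ports)
    out["10_to_20_icmp"] = evaluate(VLAN10_IN, pkt("icmp", "192.168.10.2", "192.168.20.5"), reflex)
    out["20_to_10_icmp"] = evaluate(VLAN20_IN, pkt("icmp", "192.168.20.5", "192.168.10.2"), reflex)
    out["10_to_20_reply"] = evaluate(VLAN10_IN, pkt("icmp", "192.168.10.2", "192.168.20.5"), reflex)
    out["10_to_30_http"] = evaluate(VLAN10_IN, pkt("tcp", "192.168.10.2", "192.168.30.7", sport=51000, dport=80), reflex)
    out["20_to_30_100_ssh"] = evaluate(VLAN20_IN, pkt("tcp", "192.168.20.5", "192.168.30.100", sport=51002, dport=22), reflex)
    out["dhcp_discover"] = evaluate(VLAN10_IN, pkt("udp", "0.0.0.0", "255.255.255.255", sport=68, dport=67), reflex)
    return out
```

The same VLAN10 to VLAN20 ping is denied before VLAN20 has opened a flow and permitted afterwards, which is exactly what the evaluate line in front of the deny buys you.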
16 years 8 months ago #25442 by gijo002255
Replied by gijo002255 on topic Re: ACL+VLAN Interfaces
Thank you for replying,

I applied the ACL to the VLAN20 interface (ip access-group aclno: in). When I ping from 192.168.10.2 to 192.168.20.0, I get "request timed out". But when I ping from 192.168.20.0 to 192.168.10.0, I get "destination net unreachable" where I should be getting replies. Why am I not able to ping from 20.0 to 10.0?