Velocity Reviews > Newsgroups > Computing > Cisco > Re: Cisco 871 VLANs / ACLs
Re: Cisco 871 VLANs / ACLs

bod43
      02-18-2011
On Thursday, February 17, 2011 8:14:23 PM UTC, Doug McIntyre wrote:
> Vincent <(E-Mail Removed)> writes:
> > I want to create an ACL that permits ALL traffic
> > (including return traffic) to transit between Vlan1 and Vlan2 if that
> > traffic originates in Vlan1. I want NO traffic (except for return
> > traffic) to transit between Vlan2 and Vlan1. Is there an easy way to
> > accomplish this?
>
> ACL's don't have state. They can't track sessions to say this traffic
> originated here, and to let it back through.

hmmm - reflexive ACLs do though

vlan1 >--ALL-unrestricted--> vlan2
vlan1 <--return-only-------< vlan2

I would do this - NOT tested all from memory so beware.

Put a "deny ip any any" access list on vlan2
Put an inspect out statement on vlan2. This will
allow return traffic by punching dynamic "holes" in the ACL.


ip inspect name INS.vlan2inspect tcp
ip inspect name INS.vlan2inspect udp
ip inspect name INS.vlan2inspect icmp
! might be enough for you but won't allow IPSEC
! or active ftp for example.

ip access-list extended ACL.deny-all
 10 deny ip any any

int vlan2
 ! "in" = packets arriving from vlan2 hosts; the access-group
 ! command needs a direction or IOS rejects it
 ip access-group ACL.deny-all in
 ! inspect "out" watches sessions leaving towards vlan2 (i.e.
 ! started from vlan1) and opens temporary holes in the
 ! inbound ACL above for their return traffic
 ip inspect INS.vlan2inspect out


You can also consider reflexive access lists.
These create "reflected" or mirror image dynamic access
lists to allow return traffic.

One inspect gotcha that I recall is that
    ip inspect name XXX http
blocks java - that is what it does.

When messing with ACLs that could cut you off from the router
it's worth considering "reload in 20"/"reload cancel".
Please don't forget the cancel before the router
reloads itself - I have and it's not pretty.


 
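An added reflexive-ACL version of the same vlan1 -> vlan2 policy, written as an example for this thread (not bod43's config, and like his, not tested on an 871); the list names ACL.from-vlan1, REFL.vlan1 and ACL.from-vlan2 and the 300-second idle timeout are assumptions.

```cisco
! Packets arriving from vlan1 hosts: permit them, and record each
! session as a temporary mirror-image entry in REFL.vlan1
! (assumed names; timeout is the idle time before the entry expires)
ip access-list extended ACL.from-vlan1
 permit ip any any reflect REFL.vlan1 timeout 300
!
! Packets arriving from vlan2 hosts: allow only what matches a
! mirrored entry, i.e. a reply to a session vlan1 started
ip access-list extended ACL.from-vlan2
 evaluate REFL.vlan1
 deny ip any any log
!
interface Vlan1
 ip access-group ACL.from-vlan1 in
!
interface Vlan2
 ip access-group ACL.from-vlan2 in
!
! Check: while a vlan1 host has a session open to vlan2, the
! temporary entries are listed by
!   show access-lists REFL.vlan1
```

The inbound list on Vlan2 also filters packets addressed to the router's own Vlan2 address (DHCP, management), so put explicit permits ahead of the deny if vlan2 hosts need those. As with the tcp/udp/icmp inspect above, mirrored entries only cover the single session they saw, not secondary channels such as active FTP's data connection.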
Vincent
      02-18-2011
On Feb 18, 9:13 am, bod43 <(E-Mail Removed)> wrote:
> On Thursday, February 17, 2011 8:14:23 PM UTC, Doug McIntyre wrote:
> > Vincent <(E-Mail Removed)> writes:
> > > I want to create an ACL that permits ALL traffic
> > > (including return traffic) to transit between Vlan1 and Vlan2 if that
> > > traffic originates in Vlan1. I want NO traffic (except for return
> > > traffic) to transit between Vlan2 and Vlan1. Is there an easy way to
> > > accomplish this?
> >
> > ACL's don't have state. They can't track sessions to say this traffic
> > originated here, and to let it back through.
>
> hmmm - reflexive ACLs do though
>
> vlan1 >--ALL-unrestricted--> vlan2
> vlan1 <--return-only-------< vlan2
>
> I would do this - NOT tested all from memory so beware.
>
> Put a "deny ip any any" access list on vlan2
> Put an inspect out statement on vlan2. This will
> allow return traffic by punching dynamic "holes" in the ACL.
>
> ip inspect name INS.vlan2inspect tcp
> ip inspect name INS.vlan2inspect udp
> ip inspect name INS.vlan2inspect icmp
> ! might be enough for you but won't allow IPSEC
> ! or active ftp for example.
>
> int vlan2
> ip access-group ACL.deny-all
> ip inspect INS.vlan2inspect out
>
> ip access-list extended ACL.deny-all
>  10 deny ip any any
>
> You can also consider reflexive access lists.
> These create "reflected" or mirror image dynamic access
> lists to allow return traffic.
>
> One inspect gotcha that I recall is that
>     ip inspect name XXX http
> blocks java - that is what it does.
>
> When messing with ACLs that could cut you off from the router
> it's worth considering "reload in 20"/"reload cancel".
> Please don't forget the cancel before the router
> reloads itself - I have and it's not pretty


Yes, I was thinking that reflexive ACL's might work. I should have
some time later this evening to do some experimentation with your
suggestions. I will let you know how it works out.

Thanks!
 