acl to separate VLANs 3550

Discussion in 'Cisco' started by MasterOfComboBoxes, Oct 1, 2007.

  1. Dear all,

    I have a problem understanding the acls applied to my 3550 L3-Switch
    SMI.

    I want to separate different VLANs on the 3550 enabled for routing.
    VLAN 10 = 192.168.10.0 255.255.255.0
    VLAN 20 = 192.168.20.0 255.255.255.0

    The Default Gateways are the L3 SVI interface 192.168.10.254 and
    192.168.20.254

    If I apply below acl inbound to the SVI of VLAN20

    ip access-group 120 in

    I can still ping from 10 to 20 and vice versa.

    I have added a similar acl for subnet/VLAN 10.
    Same effect.

    If I apply it in and out, access is effectively blocked.
    ip access-group 120 in
    ip access-group 120 out

    Why does it not already work if I apply it inbound only?

    I already checked the TCAM usage, which is reported to cause problems
    on the 3550. There is still enough free and the switch is processing
    in hardware.

    Thanks for your hints,
    Alex


    int vlan 20
    ip address 192.168.20.254 255.255.255.0
    ip access-group 120 in

    ip access-list extended 120
    remark ---------------------------
    remark Access to VLAN 20
    remark allow DHCP
    permit udp any any eq bootpc
    permit udp any any eq bootps
    remark -
    remark Access from the switch's L3 SVI, the Gateway itself
    permit ip 192.168.20.0 0.0.0.255 any
    remark Access from those VLANs
    permit ip 192.168.10.0 0.0.0.255 any
    exit
    MasterOfComboBoxes, Oct 1, 2007
    #1

  2. Trendkill (Guest)

    On Oct 1, 6:02 am, MasterOfComboBoxes <> wrote:
    > Dear all,
    >
    > I have a problem understanding the acls applied to my 3550 L3-Switch
    > SMI.
    >
    > I want to separate different VLANs on the 3550 enabled for routing.
    > VLAN 10 = 192.168.10.0 255.255.255.0
    > VLAN 20 = 192.168.20.0 255.255.255.0
    >
    > The Default Gateways are the L3 SVI interface 192.168.10.254 and
    > 192.168.20.254
    >
    > If I apply below acl inbound to the SVI of VLAN20
    >
    > ip access-group 120 in
    >
    > I can still ping from 10 to 20 and vice versa.
    >
    > I have added a similar acl for subnet/VLAN 10.
    > Same effect.
    >
    > If I apply it in and out, access is effectively blocked.
    > ip access-group 120 in
    > ip access-group 120 out
    >
    > Why does it not already work if I apply it inbound only?
    >
    > I already checked the TCAM usage, which is reported to cause problems
    > on the 3550. There is still enough free and the switch is processing
    > in hardware.
    >
    > Thanks for your hints,
    > Alex
    >
    > int vlan 20
    > ip address 192.168.20.254 255.255.255.0
    > ip access-group 120 in
    >
    > ip access-list extended 120
    > remark ---------------------------
    > remark Access to VLAN 20
    > remark allow DHCP
    > permit udp any any eq bootpc
    > permit udp any any eq bootps
    > remark -
    > remark Access from the switch's L3 SVI, the Gateway itself
    > permit ip 192.168.20.0 0.0.0.255 any
    > remark Access from those VLANs
    > permit ip 192.168.10.0 0.0.0.255 any
    > exit


    Not really sure why the IN and OUT break the traffic, but just IN
    does not work because your ACL is only either VLAN 10 or 20 to any
    destination. This means that when the SVI receives the packet INBOUND
    to the VLAN, it inspects for a source of VLAN 10 or 20, and obviously
    allows. When you apply to out, this is the SVI filtering traffic
    leaving the VLAN, and in this case (providing you are using the same
    ACL) it should work as the source in your tests is ALWAYS in VLAN 10
    or 20 (from what you have said).

    Overall, if you want to limit, you need to remember that your inbound
    and outbound statements should be opposite.

    OUT (presuming you don't want a different ACL for each SVI that only
    allows that single network)
    ANY 192.168.10.0
    ANY 192.168.20.0

    This would allow any traffic from inside the VLAN to a network that is
    listed. Traffic to any other place would go in the bit bucket.

    IN
    192.168.10.0 ANY
    192.168.20.0 ANY

    This means that only traffic from one of those two networks would be
    allowed into the VLAN.

    Overall, not sure what you are trying to accomplish here, as your
    title says separating vlans, and this is really opening the two to
    each other. If you want to separate, you deny 192.168.10.0 outbound
    to a destination of 192.168.20.0 and vice versa on the other interface.
    Trendkill, Oct 1, 2007
    #2

  3. thort (joined Sep 26, 2007; 35 messages)

    permit ip 192.168.20.0 0.0.0.255 any
    permit ip 192.168.10.0 0.0.0.255 any

    "Permit IP (any IP protocol, ICMP included) <your nets> (to) ANY (anywhere)" is what you put in your ACL; you shouldn't be surprised that you can ping across your router, because these two statements explicitly permit it.

    Sticking with inbound in this example, maybe you want (for VLAN20):
    ip access-group 120 in
    permit udp any any eq bootpc
    permit udp any any eq bootps
    deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 (deny vlan 20-->10)
    permit ip 192.168.20.0 0.0.0.255 any (permit vlan 20 towards everywhere else)
    thort, Oct 2, 2007
    #3
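An added example (not from the thread) that models in Python the SVI ACL semantics the replies describe: an `in` ACL on an SVI filters packets arriving from that VLAN's hosts, an `out` ACL filters packets the router sends into that VLAN, the first matching entry wins and the list ends in an implicit deny. It runs the poster's original access-list 120 and thort's suggested inbound list through the model; the host addresses are constructed, and the DHCP lines are simplified to "permit udp any any" because layer-4 ports are not modelled.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
N10 = ipaddress.ip_network("192.168.10.0/24")
N20 = ipaddress.ip_network("192.168.20.0/24")

# ACL entries: (action, protocol, source net, destination net).
# Ports are not modelled, so the two DHCP lines collapse to "udp any any".
ACL_ORIGINAL = [  # the poster's access-list 120 applied "in" on int vlan 20
    ("permit", "udp", ANY, ANY),
    ("permit", "ip", N20, ANY),
    ("permit", "ip", N10, ANY),
]
ACL_THORT = [  # thort's suggestion for VLAN 20 inbound
    ("permit", "udp", ANY, ANY),
    ("deny", "ip", N20, N10),
    ("permit", "ip", N20, ANY),
]

def acl_permits(acl, proto, src, dst):
    """IOS semantics: first matching entry wins, implicit deny at the end."""
    for action, e_proto, e_src, e_dst in acl:
        if e_proto in ("ip", proto) and src in e_src and dst in e_dst:
            return action == "permit"
    return False

def forward(svis, proto, src, dst):
    """Route one packet: check the ingress SVI's 'in' ACL (traffic from that
    VLAN's hosts), then the egress SVI's 'out' ACL (traffic into that VLAN)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress = next(s for s in svis.values() if src in s["net"])
    egress = next(s for s in svis.values() if dst in s["net"])
    if ingress["in"] and not acl_permits(ingress["in"], proto, src, dst):
        return False
    if egress["out"] and not acl_permits(egress["out"], proto, src, dst):
        return False
    return True

def ping(svis, src, dst):
    """Stateless ACLs: a ping succeeds only if the echo request AND the
    echo reply (the reverse packet) are both forwarded."""
    return forward(svis, "icmp", src, dst) and forward(svis, "icmp", dst, src)

def build(vlan20_in):
    """Two SVIs as in the thread; only int vlan 20 carries an inbound ACL."""
    return {10: {"net": N10, "in": None, "out": None},
            20: {"net": N20, "in": vlan20_in, "out": None}}
```

With ACL_ORIGINAL both `ping(build(ACL_ORIGINAL), "192.168.10.5", "192.168.20.5")` and the reverse return True, which is the behaviour the poster saw. With ACL_THORT the 20 to 10 ping is denied, and the 10 to 20 ping also fails because the echo reply from VLAN 20 is dropped inbound, while DHCP (udp) from VLAN 20 still passes.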