S-Series: deny all incoming traffic by ACL

  • Question
  • Updated 3 years ago
  • Answered
Hello,

I have about 20 VLANs on my network. I don't want anyone to reach VLAN 10 from anywhere, but VLAN 10 can reach anywhere.

Can someone please send me an example ACL that can do this?


ip access-list extended 120
deny ip source 100.100.0.0 255.255.240.0
deny ip source 100.100.18.0 255.255.224.0
permit any any

interface vlan 10
ip-access-group 120 in

Does this work, where VLAN 10 is 100.100.16.0/23?

Thanks,
Best Regards

Erhan YILDIZ


Posted 3 years ago


Henrique, Employee

Hi Erhan,

I believe that ACL will block any reply from those subnets.

Example:

If you ping from 100.100.16.10 to 100.100.18.10, then the ICMP request will egress VLAN 10 and reach the destination. Then the ICMP reply will have the source 100.100.18.10 and would be blocked by the ACL.

You can try the following to confirm that:

ip access-list extended 120
permit icmp source 100.100.18.0 255.255.224.0
deny ip source 100.100.0.0 255.255.240.0
deny ip source 100.100.18.0 255.255.224.0
permit any any

interface vlan 10
ip-access-group 120 in

Then just ping from any 100.100.18.0/19 address to VLAN 10.

Erik Auerswald, Embassador

Hello Erhan,

Your ACL 120 would stop VLAN 10 end systems from using the IP addresses in the two ranges you specified (specific anti-spoofing). I do not think that is what you want.

To allow communication initiated from inside VLAN 10, but deny connection establishment from outside to VLAN 10, in general requires a stateful firewall.

Sometimes a stateless packet filter on a switch is sufficient. For TCP connections you can use the "established" keyword to allow replies. You might need to allow additional traffic in as well, e.g. ICMP "fragmentation needed and DF set" for path MTU discovery, ICMP echo reply to test connectivity, perhaps DHCP server messages, DNS, and whatever else you may need for the end systems to work.

The starting example would be:
ip access-list extended 120
permit tcp any any established
interface vlan 10
ip access-group 120 out
Note that this ACL is configured outbound on the VLAN 10 SVI to affect packets entering VLAN 10 from some other routed interface.

Br,
Erik
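A worked model of the stateless filtering Erik describes, and of the reply-direction problem Henrique raises, as an added example that is not code from the thread or from the switch vendor: a small first-match ACL evaluator in Python, run against the "established"-only ACL and against a version extended with the reply traffic Erik lists. It assumes the usual SVI convention that an ACL applied "out" on interface vlan 10 sees packets being routed into VLAN 10, that "established" matches TCP segments with the ACK flag set, and that VLAN 10 is 100.100.16.0/23 as in the question. The Packet and Rule classes are the example's own, not any switch syntax, and every address and port below is constructed for the example.

```python
"""Stateless first-match ACL model for the VLAN 10 question.

Added example, not code from the thread or from the switch vendor.
Assumptions: an ACL applied 'out' on the VLAN 10 SVI filters packets
routed into VLAN 10; 'established' matches TCP segments with ACK set;
VLAN 10 is 100.100.16.0/23. All addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

VLAN10 = ipaddress.ip_network("100.100.16.0/23")   # from the question
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False                 # TCP ACK flag set (reply traffic)
    icmp_type: Optional[int] = None   # 0 echo reply, 3 unreachable, 8 echo request
    icmp_code: Optional[int] = None   # with type 3: 4 = fragmentation needed, DF set


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False         # models the TCP 'established' keyword
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in self.src:
            return False
        if ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        if self.icmp_code is not None and p.icmp_code != self.icmp_code:
            return False
        return True


def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching rule wins; every ACL ends in an implicit deny."""
    for r in acl:
        if r.matches(p):
            return r.action
    return "deny"


# Erik's starting point, applied 'out' on the VLAN 10 SVI.
ACL_ESTABLISHED_ONLY = [Rule("permit", "tcp", established=True)]

# The same ACL plus the reply traffic Erik says is usually needed as well.
# Port numbers are the IANA assignments for DNS and DHCP.
ACL_WITH_REPLIES = [
    Rule("permit", "tcp", established=True),
    Rule("permit", "icmp", dst=VLAN10, icmp_type=3, icmp_code=4),  # PMTUD
    Rule("permit", "icmp", dst=VLAN10, icmp_type=0),               # echo reply
    Rule("permit", "udp", dst=VLAN10, sport=53),                    # DNS answers
    Rule("permit", "udp", sport=67, dport=68),                      # DHCP server/relay -> client
]

# Constructed packets: 100.100.16.10 is a VLAN 10 host, the others are outside it.
TRAFFIC = {
    "syn_from_outside": Packet("tcp", "100.100.18.10", "100.100.16.10", 40000, 22),
    "synack_to_inside": Packet("tcp", "100.100.18.10", "100.100.16.10", 22, 40000, ack=True),
    "echo_reply":       Packet("icmp", "100.100.18.10", "100.100.16.10", icmp_type=0),
    "frag_needed":      Packet("icmp", "100.100.1.1", "100.100.16.10", icmp_type=3, icmp_code=4),
    "dns_answer":       Packet("udp", "100.100.2.53", "100.100.16.10", 53, 51515),
    "dns_query_in":     Packet("udp", "100.100.18.10", "100.100.16.10", 51515, 53),
}


def verdicts(acl: List[Rule]) -> dict:
    """Map each constructed packet name to the ACL's permit/deny verdict."""
    return {name: evaluate(acl, p) for name, p in TRAFFIC.items()}


if __name__ == "__main__":
    for label, acl in (("established only", ACL_ESTABLISHED_ONLY),
                       ("with reply permits", ACL_WITH_REPLIES)):
        print(label, verdicts(acl))
```

With only the "established" rule, the outside SYN is dropped as intended, but so are the echo reply and the DNS answer, which is exactly why the extra permits are needed for VLAN 10 hosts to work. The remaining caveat of the stateless approach is visible in the model too: any TCP segment with ACK set is permitted whether or not a connection exists, so ACK probes from other VLANs still reach VLAN 10 hosts; only a stateful firewall can tie replies to connections it saw opened.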