S- Series deny all incoming traffic by ACL

Erhan_YILDIZ
New Contributor
Hello,

I have about 20 vlans on my network. I dont want anyone to reach vlan 10 from anywhere, but vlan 10 can reach anywhere.

Can someone please send me an example ACL that can do this?

ip access-list extended 120
deny ip source 100.100.0.0 255.255.240.0
deny ip source 100.100.18.0 255.255.224.0
permit any any

interface vlan 10
ip-access-group 120 in

Does this work? Where the vlan 10 is 100.100.16.0/23.

Thanks,
Best Regards

Erik_Auerswald
Contributor II
Hello Erhan,

Your ACL 120 would stop VLAN 10 end systems from using the IP addresses in the two ranges you specified (specific anti-spoofing). I do not think that is what you want.

To allow communication initiated from inside VLAN 10, but deny connection establishment from outside to VLAN 10, in general requires a stateful firewall.

Sometimes a stateless packet filter on a switch is sufficient. For TCP connections you can use the "established" keyword to allow replies. You might need to allow additional traffic in as well, e.g. ICMP Fragmentation required, and DF flag set for path MTU discovery, ICMP echo reply to test connectivity, perhaps DHCP server messages, DNS, and whatever else you may need for the end systems to work.

The starting example would be:
ip access-list extended 120
permit tcp any any established
interface vlan 10
ip access-group 120 out

Note that this ACL is configured outbound on the VLAN 10 SVI to affect packets entering VLAN 10 from some other routed interface.

Br,
Erik

Henrique
Extreme Employee
Hi Erhan,

I believe that ACL will block any reply from those subnets.

Example:

If you ping from 100.100.16.10 to 100.100.18.10, then the ICMP request will egress the vlan 10 and reach the destination. Then the icmp reply will have the source as 100.100.18.10 and would be blocked by the ACL.

You can try the following to confirm that:

ip access-list extended 120
permit icmp source 100.100.18.0 255.255.224.0
deny ip source 100.100.0.0 255.255.240.0
deny ip source 100.100.18.0 255.255.224.0
permit any any

interface vlan 10
ip-access-group 120 in

Then just ping from any 100.100.18.0/19 address to v10
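A small stateless first-match filter, added here as an illustration (it is not S-Series code or anything posted in this thread), that replays the ACL from the question against the packets Erik and Henrique describe. It assumes the masks in the posts are ordinary netmasks, that rules are evaluated top-down with an implicit deny at the end, and that "established" matches TCP packets with the ACK bit set.

```python
import ipaddress
from dataclasses import dataclass

# Constructed packet model: just the fields a stateless L3/L4 filter looks at.
@dataclass
class Packet:
    proto: str             # "ip", "tcp" or "icmp"
    src: str
    dst: str
    tcp_flags: set = None  # e.g. {"SYN"} or {"SYN", "ACK"}; only used for tcp

def in_subnet(addr, network, netmask):
    """Match with a classic netmask (not a wildcard mask).
    Note that 100.100.18.0 with 255.255.224.0 is really 100.100.0.0/19,
    which also contains VLAN 10's own 100.100.16.0/23."""
    net = ipaddress.IPv4Network((network, netmask), strict=False)
    return ipaddress.IPv4Address(addr) in net

def evaluate(acl, pkt):
    """First matching rule wins; no match means the implicit deny at the end."""
    for action, proto, network, netmask, established in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if network != "any" and not in_subnet(pkt.src, network, netmask):
            continue
        # 'established' only matches packets of an already open TCP session (ACK set)
        if established and "ACK" not in (pkt.tcp_flags or set()):
            continue
        return action
    return "deny"

# Erhan's ACL from the question as (action, proto, source, netmask, established).
ERHAN_ACL = [
    ("deny", "ip", "100.100.0.0", "255.255.240.0", False),
    ("deny", "ip", "100.100.18.0", "255.255.224.0", False),
    ("permit", "ip", "any", None, False),
]
# Erik's starting example: only TCP packets belonging to an existing session.
ERIK_ACL = [("permit", "tcp", "any", None, True)]

def ping_reply_verdict():
    # Henrique's case: the echo reply sourced from 100.100.18.10 back into VLAN 10.
    return evaluate(ERHAN_ACL, Packet("icmp", "100.100.18.10", "100.100.16.10"))

def vlan10_source_verdict():
    # Erik's point: a VLAN 10 host's own address is caught by the /19 deny.
    return evaluate(ERHAN_ACL, Packet("ip", "100.100.16.10", "100.100.18.10"))

def established_verdicts():
    syn = Packet("tcp", "100.100.18.10", "100.100.16.10", {"SYN"})
    reply = Packet("tcp", "100.100.18.10", "100.100.16.10", {"SYN", "ACK"})
    return evaluate(ERIK_ACL, syn), evaluate(ERIK_ACL, reply)
```

Both verdicts on Erhan's ACL come out as "deny", while Erik's rule denies the inbound SYN and permits the SYN/ACK reply.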