TRICKY VLAN ACL issues (reflexive VACLs!!!)

Hi All,

If anyone can advise me about this I'd be most appreciative, mainly because there is almost nothing regarding it on the web/Cisco site....

Our objective is to 'protect' our VLAN 30. Basically, we have cloned 'live' machines into this VLAN and cannot allow them to talk to the real live servers. Our intention is to ringfence VLAN 30 so that no traffic can escape, unless it's return traffic from an established TCP session instigated from another VLAN. Apparently 'reflexive ACLs' are the way to go, but I cannot find anything at all about doing 'reflexive VLAN ACLs', which is what we need in this instance.

So, to summarise, I'm trying to do the following:

a) allow traffic into (and back from) VLAN 30 (10.100.0.0/24) when initiated from live user/server subnets. For example, MS terminal server (TCP 3389) traffic.
b) block all 'outgoing' IP traffic initiated from VLAN 30 to the live user/server subnets.

Here's the config that I've put on the switches which 'see' VLAN 30 traffic currently...but the config doesn't work :(

vlan access-map protectvlan30 10
 match ip address vlan30in
 action forward
vlan access-map protectvlan30 15
 match ip address vlan30return
 action forward
vlan access-map protectvlan30 20
 match ip address vlan30out
 action drop

vlan filter protectvlan30 vlan-list 30

ip access-list extended vlan30in
 permit ip 172.16.21.0 0.0.0.255 10.100.0.0 0.0.0.255 reflect returntraffic
 permit ip 172.16.30.0 0.0.0.255 10.100.0.0 0.0.0.255 reflect returntraffic
 permit ip 172.16.100.0 0.0.0.255 10.100.0.0 0.0.0.255 reflect returntraffic
 permit ip 172.16.250.0 0.0.0.255 10.100.0.0 0.0.0.255 reflect returntraffic
 permit ip 172.16.200.0 0.0.0.255 10.100.0.0 0.0.0.255 reflect returntraffic
 permit ip 172.16.201.0 0.0.0.255 10.100.0.0 0.0.0.255 reflect returntraffic
 permit ip 10.0.150.0 0.0.0.255 10.100.0.0 0.0.0.255 reflect returntraffic

ip access-list extended vlan30return
 evaluate returntraffic

ip access-list extended vlan30out
 permit ip 10.100.0.0 0.0.0.255 172.16.21.0 0.0.0.255
 permit ip 10.100.0.0 0.0.0.255 172.16.30.0 0.0.0.255
 permit ip 10.100.0.0 0.0.0.255 172.16.100.0 0.0.0.255
 permit ip 10.100.0.0 0.0.0.255 172.16.250.0 0.0.0.255
 permit ip 10.100.0.0 0.0.0.255 172.16.200.0 0.0.0.255
 permit ip 10.100.0.0 0.0.0.255 172.16.201.0 0.0.0.255
 permit ip 10.100.0.0 0.0.0.255 10.0.150.0 0.0.0.255

thanks, Trevor

jagg

I may be missing something here, however:

It's not clear from your info, but if you want to have a whole VLAN with subnet separated then you can apply a normal (reflexive) access list to the SVI.

interface vlan 30
 ip address x.x.x.x x.x.x.x
 ip access-group ........

One thing is that if there is a lot of traffic you may need to check that the ACL features that you are using are supported in hardware.

Depending on your platform/feature set you may be able to use the firewall features. This is available on routers but I am not sure about switches.

You put an ip deny any any on the interface inbound and then an inspect outbound. This lets return traffic in.

ip inspect

bod43
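A worked configuration for the approach in the reply above (a reflexive ACL on the VLAN 30 SVI, instead of the stateless VACL from the original question), added here as an example and not taken from either post. It uses the subnets and the RDP port from the question, and assumes an SVI address of 10.100.0.1/24, the ACL names shown, and a platform whose release notes confirm reflexive ACL support:

```cisco
! Added example, not the thread's own config. Assumed: SVI 10.100.0.1/24 for
! VLAN 30, ACL names VLAN30-TOWARDS / VLAN30-FROM / RETURNTRAFFIC, and a
! platform that supports reflexive ACLs (they are commonly processed in
! software, so check hardware support and CPU load before relying on them).
!
! Why the SVI and not a VACL: a VACL filters frames inside the VLAN and keeps
! no session state, so "reflect"/"evaluate" have nothing to build state from.
! Routed traffic crosses the SVI in a known direction: traffic from the live
! subnets toward VLAN 30 hosts leaves the SVI ("out"); traffic sent by the
! VLAN 30 clones enters it ("in"). "reflect" belongs on the initiating
! direction, "evaluate" on the return direction.
!
ip reflexive-list timeout 300
!
ip access-list extended VLAN30-TOWARDS
 remark Sessions the live user/server subnets may open into VLAN 30 (RDP)
 permit tcp 172.16.21.0 0.0.0.255 10.100.0.0 0.0.0.255 eq 3389 reflect RETURNTRAFFIC
 permit tcp 172.16.30.0 0.0.0.255 10.100.0.0 0.0.0.255 eq 3389 reflect RETURNTRAFFIC
 permit tcp 172.16.100.0 0.0.0.255 10.100.0.0 0.0.0.255 eq 3389 reflect RETURNTRAFFIC
 permit tcp 172.16.250.0 0.0.0.255 10.100.0.0 0.0.0.255 eq 3389 reflect RETURNTRAFFIC
 permit tcp 172.16.200.0 0.0.0.255 10.100.0.0 0.0.0.255 eq 3389 reflect RETURNTRAFFIC
 permit tcp 172.16.201.0 0.0.0.255 10.100.0.0 0.0.0.255 eq 3389 reflect RETURNTRAFFIC
 permit tcp 10.0.150.0 0.0.0.255 10.100.0.0 0.0.0.255 eq 3389 reflect RETURNTRAFFIC
 deny   ip any any
!
ip access-list extended VLAN30-FROM
 remark Only replies to sessions opened from outside may leave VLAN 30
 evaluate RETURNTRAFFIC
 deny   ip any any log
!
interface Vlan30
 ip address 10.100.0.1 255.255.255.0
 ip access-group VLAN30-TOWARDS out
 ip access-group VLAN30-FROM in
!
! Notes: clone-to-clone traffic inside VLAN 30 never crosses the SVI, so it is
! unaffected; anything a clone initiates toward the live subnets (or anywhere
! else routed) hits the final deny and is counted/logged there.
! Verify after opening an RDP session from a live subnet:
!   show ip access-lists RETURNTRAFFIC   -> temporary permit entry for that session
!   show ip access-lists VLAN30-FROM     -> deny counter rises for clone-initiated traffic
```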

