topic Re: Need help wih ACL and VLAN in Switches, Hubs, and Modems

Need help wih ACL and VLAN

Alen Ahja — Mon, 28 Aug 2006 08:04:24 GMT

Hi @ all,

We have at a side a 5300xl Switch with 5 VLAN.
On of them is the R&D VLAN (VLAN ID=1303).
We want now that only one host of this VLAN can send eMails to one other host.
Then all other VLANs must have access to this VLAN.

We get the follwing ACL:

ip access-list extended "100"
permit tcp 192.168.116.182 0.0.0.0 192.170.171.12 0.0.0.0 eq 25
deny ip 192.168.116.0 0.0.0.255 0.0.0.0 255.255.255.255 log
exit

ip access-list extended "101"
permit ip 0.0.0.0 255.255.255.255 192.168.116.0 0.0.0.255
exit

In the specific VLAN (R&D) we entered:

ip access-group "100" in
ip access-group "101" out

The effect is that only the one host can send eMails but all other have no contact to this VLAN.

How can we resolve it?

Thanx for help.

Kind Regards

Alen

Re: Need help wih ACL and VLAN

Matt Hobbs — Mon, 28 Aug 2006 11:00:34 GMT

What I believe you need is the 'established' keyword on your 101 ACL. Unfortunately the 5300 does not support this command. The newer products like the 5400/3500 do however.

At the moment a packet comes in from another VLAN and passes the 101 ACL, it is the return traffic that has to pass ACL 100 that gets denied.

Re: Need help wih ACL and VLAN

Mohieddin Kharnoub — Mon, 28 Aug 2006 12:00:46 GMT

Hi

I believe what you did in ACL 100, permit host to host emails, then deny this vlan other traffic, and i think thats enough for this vlan, so why don;t you allow other traffic by adding : "permit ip any any" to end of this ACL100.
Otherwise, no need for the last line: deny ip 192.168.116.0 0.0.0.255 any , because ACLs end with explicit deny, so even if your ACL100 like this

Hi @ all,

We have at a side a 5300xl Switch with 5 VLAN.
On of them is the R&D VLAN (VLAN ID=1303).
We want now that only one host of this VLAN can send eMails to one other host.
Then all other VLANs must have access to this VLAN.

We get the follwing ACL:

ip access-list extended "100" permit tcp 192.168.116.182 0.0.0.0 192.170.171.12 0.0.0.0 eq 25
exit

It will work with you like its working now.

Good Luck !!!

Re: Need help wih ACL and VLAN

Alen Ahja — Mon, 28 Aug 2006 12:07:38 GMT

Hi Mohieddin,

did you mean this config?:

ip access-list extended "100"
permit tcp 192.168.116.182 0.0.0.0 192.170.171.12 0.0.0.0 eq 25
permit ip any any
exit

We don't want that the hosts in the VLAN 1303 will have access to other VLAN. Only this one host must have it.

But all the othe other VLANS must have access to this VLAN (1303).

Alen

Re: Need help wih ACL and VLAN

Alen Ahja — Mon, 28 Aug 2006 12:09:04 GMT

Hi Matt,

so you think there won't be a solution for our scenario?

Kind Regards

Alen

Re: Need help wih ACL and VLAN

Mohieddin Kharnoub — Mon, 28 Aug 2006 12:12:33 GMT

Hi

No at all, i didn;t say that man :)
What i said is: i believe you need just to add permit ip any any.
OR
if you want to keep your configuration, then delete deny, because it follows by deny ip any any at anyway.

Good Luck !!!

Re: Need help wih ACL and VLAN

Mohieddin Kharnoub — Mon, 28 Aug 2006 12:20:40 GMT

Hi

Can you try this:

ip access-list extended "100"
permit tcp 192.168.116.182 0.0.0.0 192.170.171.12 0.0.0.0 eq 25
deny ip 192.168.116.0 0.0.0.255 0.0.0.0 255.255.255.255 log
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

Good Luck !!!

Re: Need help wih ACL and VLAN

Matt Hobbs — Mon, 28 Aug 2006 12:33:37 GMT

I believe that what I said is accurate, as you have stated:

"We don't want that the hosts in the VLAN 1303 will have access to other VLAN. Only this one host must have it.

But all the other VLANS must have access to this VLAN (1303)."

For this type of scenario you need the 'established' option.

'reflexive' ACL's are even more powerful.

This article below has helped me understand ACL's a little better, I think it's worthwhile reading:

http://www.informit.com/articles/article.asp?p=376258&seqNum=1&rl=1

Re: Need help wih ACL and VLAN

Alen Ahja — Mon, 28 Aug 2006 15:20:43 GMT

Hi Mohieddin,

I will try this tomorrow, when I will be back on the office.
I will report the result here.

Thanx for help.

Regards

Alen

Re: Need help wih ACL and VLAN

Alen Ahja — Tue, 29 Aug 2006 02:47:10 GMT

Hi!

I tested it which the config which you send me:

ip access-list extended "100"
permit tcp 192.168.116.182 0.0.0.0 192.170.171.12 0.0.0.0 eq 25
deny ip 192.168.116.0 0.0.0.255 0.0.0.0 255.255.255.255 log
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

The Result is, that I can send eMails from the host but I don't have any access from the other VLAN into this.

Alen

Re: Need help wih ACL and VLAN

Mohieddin Kharnoub — Wed, 30 Aug 2006 05:21:53 GMT

Hi

Would you attach the config of your switch.

Good Luck !!!