Block Traffic among two VLAN’s but only in one way, how to do that?
VLAN and VLAN configurations are very useful in all kinds of different ways. This configuration will be useful sooner or later for all network administrators out there.
It was a big challenge to resolve this tricky communication security requirement. The problem actually does not seem like a big deal but when you try to make it work you see that it is.
The goal was to make unidirectional communication filter between two VLANs. The request was to allow VLAN 10 to access VLAN 20 but not the opposite. The computers from VLAn 10 needed to access resources in VLAN 20 normally but computers from VLAN 20 had to be prevented to access VLAn 10.
Actually there is a simple solution. I needed a lot of time to get to this and I didn’t get to the solution by myself, it was a team think work you can say. So it’s worth sharing.
There is a special type of Access list called reflexive.
This kind of access list will allow traffic from one VLAN to another only if the communication is established in other direction before that. It can’t be used for IP traffic but only for every protocol separately so you will need to use more rows in ACL to allow TCP, ICPM etc, but it will solve your problem.
Here is how is done:
Let’s say that you have two VLANs: VLAN 10 and VLAN 20.
VLAN 10 INTERFACE = 10.10.10.1 /24
VLAN 20 INTERFACE = 10.10.20.1 /24
VLAN 10 can access VLAN 20 but, VLAN 20 can’t access VLAN 10. That was the whole problem, to allow access only in one direction.
To be able to do so, you need to let the traffic from VLAN 10 go to VLAn 20 but you need also to let this communication to go back to VLAn 10 in order to close the communication bidirectional functionality. Almost every communication needs to get back to source in order to make the circle functional.
But, if you allow this communicaton to go back to VLAN 10, you will alow all the communication in both ways, and this is the problem that we can solve using reflexive ACLs.
We will make extended named ACL with name EASYONE:
ip access-list extended EASYONE permit tcp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 established
- The work established at end of this ACL row means that this TCP traffic from VLAN 20 to VLAN 10 will only be allowed when it’s from some communication that was started from VLAN 10, a going back traffic.
permit icmp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 echo-reply
- This echo-reply row will allow VLAN 20 to reply to ping and other ICMP requests
deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip any any
- This row will deny all other traffic from VLAN 20 directed to VLAN 10 but with permit ip any any it will allow VLAN 20 to go let say to gateway and further to internet and other VLANs.
Finally, we will put the ACL EASYONE to VLAN 20 L3 interface
interface vlan 20 ip access-group EASYONE in
To conclude the config without comments, indeed easy now when is done:
ip access-list extended EASYONE permit tcp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 established permit icmp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 echo-reply deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip any any exit interface vlan 20 ip access-group EASYONE in
The credit for the solution goes to my mentor and friend Sandra who did the configuration and lab for it but more than that she came out with the established word at end of the ACL and whole reflexive ACL solution.