Block traffic between two VLANs but only in one direction: how to do that?
VLAN and VLAN configurations are very useful in all kinds of different ways. This configuration will be useful sooner or later for all network administrators out there.
It was a big challenge to resolve this tricky communication security requirement. The problem actually does not seem like a big deal but when you try to make it work you see that it is.
The goal was to build a unidirectional communication filter between two VLANs. The request was to allow VLAN 10 to access VLAN 20 but not the opposite. The computers in VLAN 10 needed to access resources in VLAN 20 normally, but computers in VLAN 20 had to be prevented from accessing VLAN 10.
There is a special type of Access list called reflexive.
This kind of access list allows traffic from one VLAN to another only if the communication was established in the other direction beforehand. It cannot be applied to IP traffic as a whole, only to each protocol separately, so you will need more rows in the ACL to allow TCP, ICMP, etc., but it will solve your problem.
Here is how it is done:
Let’s say that you have two VLANs: VLAN 10 and VLAN 20.
VLAN 10 INTERFACE = 10.10.10.1 /24
VLAN 20 INTERFACE = 10.10.20.1 /24
VLAN 10 can access VLAN 20 but, VLAN 20 can’t access VLAN 10. That was the whole problem, to allow access only in one direction.
To be able to do so, you need to let the traffic from VLAN 10 go to VLAN 20, but you also need to let the replies come back to VLAN 10, because almost every communication is bidirectional: the return traffic has to reach the source for the exchange to work.
But if you simply allow traffic to go back to VLAN 10, you allow all communication in both directions, and that is the problem we can solve using reflexive ACLs.
We will make extended named ACL with name EASYONE:
ip access-list extended EASYONE
 permit tcp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 established
- The word established at the end of this ACL row means that TCP traffic from VLAN 20 to VLAN 10 will only be allowed when it belongs to a communication that was started from VLAN 10, i.e. returning traffic.
 permit icmp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 echo-reply
- This echo-reply row will allow VLAN 20 to reply to ping and other ICMP requests coming from VLAN 10.
 deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip any any
- The deny row blocks all other traffic from VLAN 20 directed to VLAN 10, while permit ip any any still allows VLAN 20 to reach, let's say, the gateway and from there the Internet and other VLANs.
Finally, we apply the ACL EASYONE to the VLAN 20 L3 interface:
interface vlan 20
 ip access-group EASYONE in
To conclude, the config without comments, indeed easy now that it is done:
ip access-list extended EASYONE
 permit tcp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 established
 permit icmp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 echo-reply
 deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip any any
 exit
interface vlan 20
 ip access-group EASYONE in
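As an added example (not part of the original post or its configuration), here is a small Python evaluator for extended ACL rows like the ones above: it applies wildcard masks, the host/any shorthands, and the established and echo-reply qualifiers to constructed sample packets arriving inbound on interface vlan 20, so you can check which of them EASYONE permits. The host addresses 10.10.20.5, 10.10.10.7, 10.10.10.53 and the Internet destination 203.0.113.9 are made up for the illustration.

```python
import ipaddress
def addr_matches(addr, spec, wildcard):
    # Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is "don't care"
    a, s, w = (int(ipaddress.IPv4Address(x)) for x in (addr, spec, wildcard))
    return (a | w) == (s | w)
def _parse_addr(tok, i):
    # 'any' and 'host X' are shorthand for wildcards 255.255.255.255 and 0.0.0.0
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2
def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()  # action proto src [wildcard] dst [wildcard] [options]
        src, i = _parse_addr(tok, 2)
        dst, i = _parse_addr(tok, i)
        entries.append((tok[0], tok[1], src, dst, set(tok[i:])))
    return entries
def evaluate(entries, pkt):
    # First matching entry decides; anything unmatched hits the implicit deny.
    for action, proto, src, dst, opts in entries:
        if proto not in ("ip", pkt["proto"]):
            continue
        if not (addr_matches(pkt["src"], *src) and addr_matches(pkt["dst"], *dst)):
            continue
        # 'established' only tests the ACK or RST bit; it keeps no connection state
        if "established" in opts and not (pkt.get("flags", set()) & {"ACK", "RST"}):
            continue
        if "echo-reply" in opts and pkt.get("icmp_type") != "echo-reply":
            continue
        return action
    return "deny"

EASYONE = parse_acl("""
permit tcp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 established
permit icmp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 echo-reply
deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip any any
""")

SAMPLES = {  # constructed packets as seen inbound on interface vlan 20
    "new_tcp_to_vlan10": dict(proto="tcp", src="10.10.20.5", dst="10.10.10.7", flags={"SYN"}),
    "tcp_reply_to_vlan10": dict(proto="tcp", src="10.10.20.5", dst="10.10.10.7", flags={"SYN", "ACK"}),
    "ping_to_vlan10": dict(proto="icmp", src="10.10.20.5", dst="10.10.10.7", icmp_type="echo-request"),
    "ping_reply_to_vlan10": dict(proto="icmp", src="10.10.20.5", dst="10.10.10.7", icmp_type="echo-reply"),
    "udp_to_vlan10": dict(proto="udp", src="10.10.20.5", dst="10.10.10.53"),
    "tcp_to_internet": dict(proto="tcp", src="10.10.20.5", dst="203.0.113.9", flags={"SYN"}),
}
```

Running evaluate over the samples shows that a UDP reply from VLAN 20 back to VLAN 10 is denied, which is the per-protocol limitation mentioned above, and that established only inspects the ACK/RST bits rather than tracking connection state.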
The credit for the solution goes to my mentor and friend Sandra who did the configuration and lab for it but more than that she came out with the established word at end of the ACL and whole reflexive ACL solution.
Thanks Sandra!! and thanks Valter!
I will lab this up and see if it would work for an ipsec tunnel
Really wonderful concept brought out… Awesome performance
Extremely thankful to you that you shared such wonderful concept. The configuration works fine.
YOU ARE LEGEND!
When I put the entries in, for some strange reason when I check the config it is showing the ips i set as 0.0.0.0 see below:
ip access-list extended EASYONE
permit tcp 0.0.0.0 255.255.255.0 0.0.0.0 255.255.0.0 established
permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.0.0
permit icmp 0.0.0.0 255.255.255.0 0.0.0.0 255.255.0.0 echo-reply
Anyone have any idea why it does that?
Ok also, I’m trying to permit all ip traffic not block just an FYI
In ordinary Cisco IOS you should use a wildcard mask, not a subnet mask. That's the reason your addresses turn into 0.0.0.0.
Hope this helps,
Ok so I did the wildcard mask. I’m still unable to get communication working both ways. If anyone could help that would be greatly appreciated. I am able to ping both Vlans from each other, but I cannot get any internal web traffic on the second Vlan.
My setup and config are as follows:
I have a web server on a host at address 10.1.1.13
Vlan1: 10.1.0.0/16 subnet
Vlan1000: 192.168.57.0/24 subnet
interface Vlan1
ip address 10.1.1.50 255.255.0.0
interface Vlan1000
ip address 192.168.57.1 255.255.255.0
ip access-group EASYONE in
ip helper-address 10.1.1.34
ip access-list extended EASYONE
permit tcp host 192.168.57.0 host 10.1.0.0 established
permit ip host 192.168.57.0 host 10.1.0.0
permit icmp any any echo-reply
Thanks for the help.
I forgot to mention that I am able to get outside websites with the vlan1000
You are using host inside the ACL, so there should be host addresses in that ACL, not network addresses.
Try this:
ip access-list extended EASYONE
permit tcp host 192.168.57.yourPCIP host 10.1.1.13 established
permit ip host 192.168.57.yourPCIP host 10.1.1.13
permit icmp any any echo-reply
Or this:
ip access-list extended EASYONE
permit tcp 192.168.57.0 0.0.0.255 10.1.0.0 0.0.255.255 established
permit ip 192.168.57.0 0.0.0.255 10.1.0.0 0.0.255.255
permit icmp any any echo-reply
I tried the second one and still no go; it has now also broken the external webpage connections. Only ping works.
I'm not sure what your goal is here, but maybe you just applied the ACL in the wrong direction.
Try this:
ip access-list extended EASYONE
permit tcp 10.1.0.0 0.0.255.255 192.168.57.0 0.0.0.255 established
permit ip 10.1.0.0 0.0.255.255 192.168.57.0 0.0.0.255
permit icmp any any echo-reply
And another thing.
You should probably apply this ACL on interface vlan 1 and not interface vlan 1000
so:
ip access-list extended EASYONE
permit tcp 10.1.0.0 0.0.255.255 192.168.57.0 0.0.0.255 established
permit ip 10.1.0.0 0.0.255.255 192.168.57.0 0.0.0.255
permit icmp any any echo-reply
interface Vlan1
ip address 10.1.1.50 255.255.0.0
ip access-group EASYONE in
interface Vlan1000
ip address 192.168.57.1 255.255.255.0
ip helper-address 10.1.1.34
My fear is that if I make that change on the main Vlan that all users are connected to, it will kill internet connections, since it seems that is what has been happening to vlan1000. Also, judging by your example above, the access-list is to be put on the secondary Vlan. My goal in this is to allow users on subnet 192.168.57.0 to access all services on 10.1.0.0 as well as the internet.
Your goal as you described it here doesn’t need any access list. What are you trying to prevent?
My last suggestion should work fine, although it's always smart not to test those things in the production environment.
Perhaps GNS3, VIRL?
And that’s what we thought as well, but for some reason we can hit outside web servers but cannot hit internal (10.1.0.0 network) web servers from the 192.168.57.0 subnet and we cannot hit web servers on the 192.168.57.0 network from the 10.1.0.0 network.
As well, that ACL did kill the switch, but luckily no internal connections were lost since we have a redundant switch setup to catch that.
Another odd thing is I can hit a web server from outside the office (on the vpn) that is hosted on the 192.168.57.0 network. I’m now going through my firewall config as it may have something in there.
If your communication between the two subnets is not working even without the ACL applied, then you have some routing configuration issues.
There is one problem.
On my router I don't have interface vlan $numer, but on the switch I can't use the command "ip access-group $name in".
How can I do it?
Hi Slawek,
VLAN interfaces are typically available on L3 switches and are not available on routers. To get VLAN traffic tagged when sent from a router, we use a dot1q tag dedicated to a subinterface of the router's physical interface. By adding more subinterfaces we add support for more VLANs across that trunk link. Just keep in mind that the configuration of the switch on the other side of that link must be a trunk too, with all those VLANs allowed. I wrote a follow-up blog post about this same reflexive access list topic using a router, so you can see how subinterfaces are used. The article can be found HERE
Hope this helps 😉
It stops traffic in both directions.
Hi Ahmed, I tried one more time and it works as described. Just to be sure and to give you more info I documented my new try from today HERE
I am looking for this solution! Solved my ACL problems
Hi Valter,
Thanks for sharing it with us, really appreciated.
Is there anything that can be done from the VLAN10 perspective? Let me explain myself.
Let's assume VLAN10 should have access to all other VLANs in the network; however, no other VLAN should be able to connect to VLAN10.
In your example, it seems that the configuration needs to be applied in all other VLANs to restrict them from connecting to VLAN10, and I have multiple other VLANs, which will be a real task to configure an access-list for each LIVE SVI in the switch.
Is there anything that can be done from the VLAN10 side to make the unidirectional traffic work?
Kind Regards
Just to update, I have tried the above solution and it doesn't work on Cisco 3850 switches, as reflexive ACLs don't look compatible with 3850s. Thanks
Hi Faisal,
Yes, you are right, thanks for the update and the useful info.
It’s official from cisco.com:
from https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3se/consolidated_guide/b_consolidated_3850_3se_cg_chapter_0111001.html#concept_896E426C1E5E40D18F46C16087F87F0F
You're a legend bro
Wondering if and how I could do something similar, or if this would solve my issue… Here is my dilemma…
Trying to get paper documents scanned on a very restrictive network MFP/Scanner (let's say this scanner resides on the 192.168.1.0 network and uses vlan 100). That is the setup for the day to day operations of almost all printing and scanning that needs to get done in Office A.
Manager Kimmie of Office A also has a requirement to be able to get large masses of paper documents scanned onto a machine that is in a DMZ style environment due to HIPAA/PII. That currently takes insane amounts of time: scan in on network 192.168.1.0, wait crazy times for the network to scan the file(s) and allow them to be opened on a computer on 192.168.1.0, break them down into individual pages in pdf, then upload via Remote Desktop from the 192.168.1.0 computer to the 192.168.172.0 computer into the database they need to go into, and all the while uploading takes minutes… not seconds per page to upload and transfer. This very specific database and its host computer are on 192.168.172.0 using vlan 500…
I need to see if your example here would allow unidirectional traffic only from the MFP/Scanner to a singular folder on C:/Users/Public/Public Desktop on that special computer on 192.168.172.0, and not allowing any traffic whatsoever from 172.0 back to 1.0, but also would still allow the printer to scan documents to the 192.168.1.0 network too…
I understand this would take the L3 switching commands, and probably a couple of clicks on the printer management screen… not afraid of that if this would work.