Wired Intelligent Edge (Campus Switching and Routing)

Create An ACL To Allow Unidirectional Communication Between Multiple VLANs

Q:

How can I create an ACL to allow unidirectional traffic in a VLAN?

I want to create a VLAN that blocks traffic in only one direction.

A:

Issue: Block traffic in the Untrusted VLAN in only one direction.

  1. Allow devices in the Untrusted VLAN to access the Internet.
  2. Do not allow these untrusted devices to communicate with anything else outside their own VLAN.
  3. However, allow devices from all other VLANs to initiate communications with devices in the Untrusted VLAN.

Solution:

In this example, there will be three VLANs:
VLAN 10 – 192.168.10.x /24 (Server VLAN)
VLAN 20 – 192.168.20.x /24 (Workstations VLAN)
VLAN 30 – 192.168.30.x /24 (Untrusted VLAN)

IP Routing is enabled on the switch to allow all VLANs to communicate with each other.

Goal:
VLAN 30 (Untrusted VLAN) should only be allowed to reach the Internet and must not be able to access devices in any other VLAN.
All other VLANs (10 and 20) should be able to ping and initiate traffic (such as RDP) to devices in VLAN 30.

To accomplish this, the ACL on VLAN 30 must still permit the return traffic of sessions that the other VLANs initiate, so that those sessions work bidirectionally.

  1. Start by making an extended ACL. Here is an extended ACL called UNTRUSTED; its first entry allows the return traffic of TCP sessions initiated from VLANs 10 and 20.

    ip access-list extended UNTRUSTED
    permit tcp 192.168.30.0 0.0.0.255 any established

  • The keyword “established” at the end of this entry matches only TCP segments with the ACK or RST bit set, i.e. segments that belong to a connection already opened from outside VLAN 30. It lets VLAN 30 devices answer an initiator in VLAN 10 or 20, but does not let them open a new connection to those VLANs.

  2. Next allow the devices in VLAN 30 to reply to pings initiated from devices outside their VLAN.

    permit icmp 192.168.30.0 0.0.0.255 any echo-reply

  • The “echo-reply” keyword matches only ICMP echo replies, so devices in VLAN 30 can answer pings but cannot originate them toward the other VLANs.

  3. Next deny VLAN 30 traffic from going to the other VLANs.

    deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
    deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255

  4. Next allow VLAN 30 traffic to reach the Internet.

    permit ip 192.168.30.0 0.0.0.255 any

  5. Next deny all other traffic (for more security).

    deny ip any any

The “UNTRUSTED” ACL should now look like this. Entries are evaluated top to bottom and the first match wins, so the two deny entries must come before the final permit:

    ip access-list extended UNTRUSTED
      permit tcp 192.168.30.0 0.0.0.255 any established
      permit icmp 192.168.30.0 0.0.0.255 any echo-reply
      deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
      deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
      permit ip 192.168.30.0 0.0.0.255 any
      deny ip any any

  6. Apply this ACL inbound on VLAN 30, so that it is evaluated against traffic entering the switch from VLAN 30 hosts.

    interface vlan 30
      ip access-group UNTRUSTED in
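Before pushing an ACL like this to a production switch it is worth checking, entry by entry, what each kind of packet from VLAN 30 will hit. The following Python script is an added example, not part of the original article and not vendor code: it parses the six UNTRUSTED entries above into a simplified first-match model (wildcard masks, `any`, `host`, and the `established` and `echo-reply` qualifiers only, with the implicit deny at the end) and evaluates a few constructed packets against it. The `Packet` fields, the sample addresses (192.168.30.10, 203.0.113.5 and so on) and the stateless ACK/RST interpretation of `established` are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The UNTRUSTED ACL exactly as built in the steps above (order matters).
ACL_TEXT = """
permit tcp 192.168.30.0 0.0.0.255 any established
permit icmp 192.168.30.0 0.0.0.255 any echo-reply
deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 any
deny ip any any
"""


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    qualifier: Optional[str]      # "established", "echo-reply" or None


@dataclass
class Packet:
    """Constructed packet summary: only the fields the ACL looks at (assumed model)."""
    proto: str
    src: str
    dst: str
    tcp_ack_or_rst: bool = False  # True for segments of an already-open TCP session
    icmp_type: str = ""           # "echo-request" or "echo-reply"


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    # ipaddress accepts a host mask (wildcard) after the slash, e.g. 192.168.30.0/0.0.0.255
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Turn ACL text into an ordered list of Rule objects."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        qualifier = tokens[i] if i < len(tokens) else None
        rules.append(Rule(tokens[0], tokens[1], src, dst, qualifier))
    return rules


def rule_matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.qualifier == "established":   # stateless: only the ACK/RST bits are checked
        return pkt.proto == "tcp" and pkt.tcp_ack_or_rst
    if rule.qualifier == "echo-reply":
        return pkt.proto == "icmp" and pkt.icmp_type == "echo-reply"
    return True


def evaluate(rules, pkt):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


UNTRUSTED = parse_acl(ACL_TEXT)

# Constructed test traffic, all entering the switch from VLAN 30 hosts.
SAMPLE_PACKETS = {
    "vlan30 -> internet, new TCP session":
        Packet("tcp", "192.168.30.10", "203.0.113.5"),
    "vlan30 -> vlan10 server, new TCP session":
        Packet("tcp", "192.168.30.10", "192.168.10.5"),
    "vlan30 -> vlan10, reply inside RDP session opened from vlan10":
        Packet("tcp", "192.168.30.10", "192.168.10.5", tcp_ack_or_rst=True),
    "vlan30 -> vlan20, ping reply":
        Packet("icmp", "192.168.30.10", "192.168.20.7", icmp_type="echo-reply"),
    "vlan30 -> vlan20, ping request":
        Packet("icmp", "192.168.30.10", "192.168.20.7", icmp_type="echo-request"),
    "vlan30 -> vlan10, UDP reply to a query from vlan10":
        Packet("udp", "192.168.30.10", "192.168.10.5"),
}


def run_samples():
    """Return {description: verdict} for every constructed packet."""
    return {name: evaluate(UNTRUSTED, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{verdict:6} {name}")
```

The last sample is the one to notice: `established` is a TCP-only keyword, so a UDP service in VLAN 30 that is queried from VLAN 10 or 20 has its replies dropped by the third entry. If such services exist, they need their own explicit permit entries placed before the deny lines.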
 

Version history: Revision 1 of 1. Last update: 03-30-2020 11:14 AM.