Wired Intelligent Edge

I am trying to create an ACL that blocks any traffic to any devices in vlan 20, but lets vlan 20 out to any devices. The devices are on a switch switch in another closet connected to the core over a fiber trunk connection. Do I need to create the ACL on the core switches and also on the other switches? I have tried going into the vlan 20 and applying it in, but nothing was blocked. Appreciate any help.

Below is my ACL info 

Below is vlan 20 config on my 2930m Core switch stack. This is the vlan I am working on.

vlan 20
 name "test vlan"
 tagged Trk1
 untagged 1/5,1/6
 ip helper-address 192.168.1.254
 ip address 10.0.20.254 255.255.255.0
 ip igmp
exit

Remote 2930m switch stack config.for vlan 20 connected over fiber trunk to core switch stack.

vlan 20
 name "test vlan"
 tagged Trk1
 untagged 1/48,3/37
 no ip address
 ip igmp
 no ip igmp querier
exit

I am trying to create an ACL that blocks any traffic to any devices in vlan 20, but lets vlan 20 out to any devices. The devices are on a switch switch in another closet connected to the core over a fiber trunk connection. Do I need to create the ACL on the core switches and also on the other switches? I have tried going into the vlan 20 and applying it in, but nothing was blocked. Appreciate any help.

Below is my ACL info 

Below is vlan 20 config on my 2930m Core switch stack. This is the vlan I am working on.

vlan 20
 name "test vlan"
 tagged Trk1
 untagged 1/5,1/6
 ip helper-address 192.168.1.254
 ip address 10.0.20.254 255.255.255.0
 ip igmp
exit

Remote 2930m switch stack config.for vlan 20 connected over fiber trunk to core switch stack.

vlan 20
 name "test vlan"
 tagged Trk1
 untagged 1/48,3/37
 no ip address
 ip igmp
 no ip igmp querier
exit

"I am trying to create an ACL that blocks any traffic to any devices in vlan 20, but lets vlan 20 out to any devices."

As far as an Inbound ACL is concerned on ArubaOS-Switch operating system, the only way to reach your goal is to let the Core to control what goes out of the VLAN 20, called egressing traffic hitting the Core from the VLAN 20 itself (this traffic is seen by the Core side looking at devices hosted inside that VLAN Id so it is "incoming" from the Core standpoint even if you think at it like an outgoing traffic, so this is a traffic with source the VLAN 20 and destination other VLANs on the Core of your Network where IP Routing currently happens): the Core - in such scenario - can't control the incoming traffic hitting the VLAN 20 once this traffic originates on various other VLANs as internal sources (at least until you create for each one of those VLANs an appropriate Inbount ACL as done for the VLAN 20).

So the logic shoud be, as @vigan partly suggested you, to create an Inbound ACL for protecting the VLAN 20 (say you call that ACL like "VLAN-20") specifying what the VLAN 20 subnet/hosts can/can't connect to (specifically addressing what they are permitted to connect and explicitly denying what they aren't) and then create various other Inboud ACLs for protecting all other VLANs (managed by the Core) you don't want be able to specifically connect to VLAN 20.

The rule is that the traffic must be blocked NEARER its origin as possible (so on various other VLANs you don't want to be able to connect to the VLAN 20), not at destination (the VLAN 20). Once the traffic is permitted to hit the VLAN 20 your Core can control how the VLAN 20 answers to this requests (which is another theme).

There are then other consideration (like reflexive ACLs for icmp or tcp...) but, for now, the approach should be the one above.

I am trying to create an ACL that blocks any traffic to any devices in vlan 20, but lets vlan 20 out to any devices. The devices are on a switch switch in another closet connected to the core over a fiber trunk connection. Do I need to create the ACL on the core switches and also on the other switches? I have tried going into the vlan 20 and applying it in, but nothing was blocked. Appreciate any help.

Below is my ACL info 

Below is vlan 20 config on my 2930m Core switch stack. This is the vlan I am working on.

vlan 20
 name "test vlan"
 tagged Trk1
 untagged 1/5,1/6
 ip helper-address 192.168.1.254
 ip address 10.0.20.254 255.255.255.0
 ip igmp
exit

Remote 2930m switch stack config.for vlan 20 connected over fiber trunk to core switch stack.

vlan 20
 name "test vlan"
 tagged Trk1
 untagged 1/48,3/37
 no ip address
 ip igmp
 no ip igmp querier
exit

I am trying to create an ACL that blocks any traffic to any devices in vlan 20, but lets vlan 20 out to any devices. The devices are on a switch switch in another closet connected to the core over a fiber trunk connection. Do I need to create the ACL on the core switches and also on the other switches? I have tried going into the vlan 20 and applying it in, but nothing was blocked. Appreciate any help.

Below is my ACL info 

Below is vlan 20 config on my 2930m Core switch stack. This is the vlan I am working on.

vlan 20
 name "test vlan"
 tagged Trk1
 untagged 1/5,1/6
 ip helper-address 192.168.1.254
 ip address 10.0.20.254 255.255.255.0
 ip igmp
exit

Remote 2930m switch stack config.for vlan 20 connected over fiber trunk to core switch stack.

vlan 20
 name "test vlan"
 tagged Trk1
 untagged 1/48,3/37
 no ip address
 ip igmp
 no ip igmp querier
exit

I updated the acl and added the ip access-group line to the vlan on the core switch. If I try to connect to a web server on a device on that vlan I can still connect. Do you have to get granular with the protocols, etc.. in the ACL? I appreciate your help.

aclvlan20

 10 deny ip any 10.0.20.0 0.0.0.255
  20 permit ip any any

vlan 20
 name "test vlan"
 tagged Trk1
 untagged 1/5,1/6
 ip helper-address 192.168.1.254
 ip address 10.0.20.254 255.255.255.0
 ip access-group "aclvlan20" in
 ip igmp
exit

I am trying to create an ACL that blocks any traffic to any devices in vlan 20, but lets vlan 20 out to any devices. The devices are on a switch switch in another closet connected to the core over a fiber trunk connection. Do I need to create the ACL on the core switches and also on the other switches? I have tried going into the vlan 20 and applying it in, but nothing was blocked. Appreciate any help.

Below is my ACL info 

Below is vlan 20 config on my 2930m Core switch stack. This is the vlan I am working on.

vlan 20
 name "test vlan"
 tagged Trk1
 untagged 1/5,1/6
 ip helper-address 192.168.1.254
 ip address 10.0.20.254 255.255.255.0
 ip igmp
exit

Remote 2930m switch stack config.for vlan 20 connected over fiber trunk to core switch stack.

vlan 20
 name "test vlan"
 tagged Trk1
 untagged 1/48,3/37
 no ip address
 ip igmp
 no ip igmp querier
exit

Hi!

Your question:

"Should I create an ACL on the other vlans with a line to block them from vlan 20?"

Should became:

"Should I create an ACL on the other vlans with a line to block them to reach the vlan 20?"

Answer: Yes, you should.

Example scenario on your Core Switch (doing IP Routing for its VLANs VLAN 10 and VLAN 20):

• VLAN 10 (Net Address: 10.0.10.0 /24 - SVI IP Address: 10.0.10.254)
• VLAN 20 (Net Address: 10.0.20.0 /24 - SVI IP Address: 10.0.20.254)

Create:

• ACL name to protect VLAN 10: ACL-VLAN-10
• ACL name to protect VLAN 20: ACL-VLAN-20

Direction to apply ACLs on each VLAN: Inbound.

== ACL-VLAN-10 (made to block egressing traffic from VLAN 10 to VLAN 20, permitting all the rest to any other possible destination routed by Core) ==

config
ip access-list extended ACL-VLAN-10
10 remark "Deny VLAN 10 net to VLAN 20 net - IP traffic"
10 deny ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 <-- This ACE will DENY any IP traffic egressing the VLAN 10 with 10.0.20.0 as destination network, mind you: ICMP is still permitted.
999 remark "Final explicit Permit of unmatched traffic before final implicit Deny ACE"
999 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
write memory
exit

== ACL-VLAN-20 (made to block egressing traffic from VLAN 20 to VLAN 10, permitting all the rest to any other possible destination routed by Core) ==

config
ip access-list extended ACL-VLAN-20
10 remark "Deny VLAN 20 net to VLAN 10 net - IP traffic"
10 deny ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 <-- This ACE will DENY any IP traffic egressing the VLAN 20 with 10.0.10.0 as destination network, mind you: ICMP is still permitted.
999 remark "Final explicit Permit of unmatched traffic before final implicit Deny ACE"
999 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
write memory
exit

Now...if your Core is the router of many other VLANs (say you have VLAN 10, 20, 30, 40 and so on...)...you should replicate the ACL-VLAN-10 structure to cope with that, at the point that you will have various other ACLs with a similar setup (avoid their egressing traffic to the VLAN 20). The ACL protecting the VLAN 20 needs other ACEs in order to deny its egressing traffic to those additional VLANs, example:

== ACL-VLAN-20 (made to block egressing traffic from VLAN 20 to VLAN 10 and VLAN 30, permitting all the rest to any other possible destination routed by Core) ==

config
ip access-list extended ACL-VLAN-20
10 remark "Deny VLAN 20 net to VLAN 10 net - IP traffic"
10 deny ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 <-- This ACE will DENY any IP traffic egressing the VLAN 20 with 10.0.10.0 as destination network, mind you: ICMP is still permitted.
20 remark "Deny VLAN 20 net to VLAN 30 net - IP traffic"
20 deny ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255 <-- This ACE will DENY any IP traffic egressing the VLAN 20 with 10.0.30.0 as destination network, mind you: ICMP is still permitted.
999 remark "Final explicit Permit of unmatched traffic before final implicit Deny ACE"
999 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
write memory
exit

== ACL-VLAN-30 (made to block egressing traffic from VLAN 30 to VLAN 20, permitting all the rest to any other possible destination routed by Core) ==

config
ip access-list extended ACL-VLAN-30
10 remark "Deny VLAN 30 net to VLAN 20 net - IP traffic"
10 deny ip 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255 <-- This ACE will DENY any IP traffic egressing the VLAN 30 with 10.0.20.0 as destination network, mind you: ICMP is still permitted.
999 remark "Final explicit Permit of unmatched traffic before final implicit Deny ACE"
999 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
write memory
exit

I updated the acl and added the ip access-group line to the vlan on the core switch. If I try to connect to a web server on a device on that vlan I can still connect. Do you have to get granular with the protocols, etc.. in the ACL? I appreciate your help.

aclvlan20

 10 deny ip any 10.0.20.0 0.0.0.255
  20 permit ip any any

vlan 20
 name "test vlan"
 tagged Trk1
 untagged 1/5,1/6
 ip helper-address 192.168.1.254
 ip address 10.0.20.254 255.255.255.0
 ip access-group "aclvlan20" in
 ip igmp
exit

I am trying to create an ACL that blocks any traffic to any devices in vlan 20, but lets vlan 20 out to any devices. The devices are on a switch switch in another closet connected to the core over a fiber trunk connection. Do I need to create the ACL on the core switches and also on the other switches? I have tried going into the vlan 20 and applying it in, but nothing was blocked. Appreciate any help.

Below is my ACL info 

Below is vlan 20 config on my 2930m Core switch stack. This is the vlan I am working on.

vlan 20
 name "test vlan"
 tagged Trk1
 untagged 1/5,1/6
 ip helper-address 192.168.1.254
 ip address 10.0.20.254 255.255.255.0
 ip igmp
exit

Remote 2930m switch stack config.for vlan 20 connected over fiber trunk to core switch stack.

vlan 20
 name "test vlan"
 tagged Trk1
 untagged 1/48,3/37
 no ip address
 ip igmp
 no ip igmp querier
exit

Hi!

Your question:

"Should I create an ACL on the other vlans with a line to block them from vlan 20?"

Should became:

"Should I create an ACL on the other vlans with a line to block them to reach the vlan 20?"

Answer: Yes, you should.

Example scenario on your Core Switch (doing IP Routing for its VLANs VLAN 10 and VLAN 20):

• VLAN 10 (Net Address: 10.0.10.0 /24 - SVI IP Address: 10.0.10.254)
• VLAN 20 (Net Address: 10.0.20.0 /24 - SVI IP Address: 10.0.20.254)

Create:

• ACL name to protect VLAN 10: ACL-VLAN-10
• ACL name to protect VLAN 20: ACL-VLAN-20

Direction to apply ACLs on each VLAN: Inbound.

== ACL-VLAN-10 (made to block egressing traffic from VLAN 10 to VLAN 20, permitting all the rest to any other possible destination routed by Core) ==

config
ip access-list extended ACL-VLAN-10
10 remark "Deny VLAN 10 net to VLAN 20 net - IP traffic"
10 deny ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 <-- This ACE will DENY any IP traffic egressing the VLAN 10 with 10.0.20.0 as destination network, mind you: ICMP is still permitted.
999 remark "Final explicit Permit of unmatched traffic before final implicit Deny ACE"
999 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
write memory
exit

== ACL-VLAN-20 (made to block egressing traffic from VLAN 20 to VLAN 10, permitting all the rest to any other possible destination routed by Core) ==

config
ip access-list extended ACL-VLAN-20
10 remark "Deny VLAN 20 net to VLAN 10 net - IP traffic"
10 deny ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 <-- This ACE will DENY any IP traffic egressing the VLAN 20 with 10.0.10.0 as destination network, mind you: ICMP is still permitted.
999 remark "Final explicit Permit of unmatched traffic before final implicit Deny ACE"
999 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
write memory
exit

Now...if your Core is the router of many other VLANs (say you have VLAN 10, 20, 30, 40 and so on...)...you should replicate the ACL-VLAN-10 structure to cope with that, at the point that you will have various other ACLs with a similar setup (avoid their egressing traffic to the VLAN 20). The ACL protecting the VLAN 20 needs other ACEs in order to deny its egressing traffic to those additional VLANs, example:

== ACL-VLAN-20 (made to block egressing traffic from VLAN 20 to VLAN 10 and VLAN 30, permitting all the rest to any other possible destination routed by Core) ==

config
ip access-list extended ACL-VLAN-20
10 remark "Deny VLAN 20 net to VLAN 10 net - IP traffic"
10 deny ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 <-- This ACE will DENY any IP traffic egressing the VLAN 20 with 10.0.10.0 as destination network, mind you: ICMP is still permitted.
20 remark "Deny VLAN 20 net to VLAN 30 net - IP traffic"
20 deny ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255 <-- This ACE will DENY any IP traffic egressing the VLAN 20 with 10.0.30.0 as destination network, mind you: ICMP is still permitted.
999 remark "Final explicit Permit of unmatched traffic before final implicit Deny ACE"
999 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
write memory
exit

== ACL-VLAN-30 (made to block egressing traffic from VLAN 30 to VLAN 20, permitting all the rest to any other possible destination routed by Core) ==

config
ip access-list extended ACL-VLAN-30
10 remark "Deny VLAN 30 net to VLAN 20 net - IP traffic"
10 deny ip 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255 <-- This ACE will DENY any IP traffic egressing the VLAN 30 with 10.0.20.0 as destination network, mind you: ICMP is still permitted.
999 remark "Final explicit Permit of unmatched traffic before final implicit Deny ACE"
999 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
write memory
exit

I updated the acl and added the ip access-group line to the vlan on the core switch. If I try to connect to a web server on a device on that vlan I can still connect. Do you have to get granular with the protocols, etc.. in the ACL? I appreciate your help.

aclvlan20

 10 deny ip any 10.0.20.0 0.0.0.255
  20 permit ip any any

vlan 20
 name "test vlan"
 tagged Trk1
 untagged 1/5,1/6
 ip helper-address 192.168.1.254
 ip address 10.0.20.254 255.255.255.0
 ip access-group "aclvlan20" in
 ip igmp
exit

I am trying to create an ACL that blocks any traffic to any devices in vlan 20, but lets vlan 20 out to any devices. The devices are on a switch switch in another closet connected to the core over a fiber trunk connection. Do I need to create the ACL on the core switches and also on the other switches? I have tried going into the vlan 20 and applying it in, but nothing was blocked. Appreciate any help.

Below is my ACL info 

Below is vlan 20 config on my 2930m Core switch stack. This is the vlan I am working on.

vlan 20
 name "test vlan"
 tagged Trk1
 untagged 1/5,1/6
 ip helper-address 192.168.1.254
 ip address 10.0.20.254 255.255.255.0
 ip igmp
exit

Remote 2930m switch stack config.for vlan 20 connected over fiber trunk to core switch stack.

vlan 20
 name "test vlan"
 tagged Trk1
 untagged 1/48,3/37
 no ip address
 ip igmp
 no ip igmp querier
exit