IoT ACL on Cisco 3750 L3 Switch

Here is a quick example I’m using to segregate my IoT VLAN from the rest of the network. If you’re on the latest IOS version you can use object groups to simplify the RFC1918 rules seen below.

The following communication flows are allowed:

  • vl10 <–> vl20 all traffic
  • vl10 <–> internet
  • vl20 <–> internet
  • vl50 <–> internet
  • vl50 <–> internal DNS server
  • vl50 <–> internal DHCP server
  • vl50 <–> internal IPAM server for ping checks

interface Vlan10
 description home
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 10.20.20.53

interface Vlan20
 description office
 ip address 10.20.20.1 255.255.255.0

interface Vlan50
 description iot
 ip address 10.50.50.1 255.255.255.0
 ip helper-address 10.20.20.53
 ip access-group iot_inside in
 ip access-group iot_outside out

ip access-list extended iot_inside
 permit icmp any host 10.20.20.53 echo-reply
 permit udp any host 10.20.20.53 eq domain
 permit tcp any host 10.20.20.53 eq domain
 permit udp any eq bootpc host 10.20.20.53 eq bootps
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any

ip access-list extended iot_outside
 permit icmp host 10.20.20.53 any echo
 permit udp host 10.20.20.53 eq domain any
 permit tcp host 10.20.20.53 eq domain any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit ip any any
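
To check the iot_inside list against the flows listed at the top, here is a small first-match evaluator, added as an example and not part of the original post. It handles only the ACL syntax used on this page (any, host, address plus wildcard, eq with the three port keywords, and the two ICMP types); the function names are made up for this example.

```python
from ipaddress import ip_address

# Added example: iot_inside copied from the page (applied inbound on Vlan50).
IOT_INSIDE = """\
permit icmp any host 10.20.20.53 echo-reply
permit udp any host 10.20.20.53 eq domain
permit tcp any host 10.20.20.53 eq domain
permit udp any eq bootpc host 10.20.20.53 eq bootps
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
"""
PORTS = {"domain": 53, "bootps": 67, "bootpc": 68}  # IOS port keywords used above

def _addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ip_address(tok.pop(0))), 0
    return int(ip_address(first)), int(ip_address(tok.pop(0)))

def _qual(tok):
    """Consume an optional 'eq PORT' or ICMP type keyword, else return None."""
    if tok and tok[0] == "eq":
        _, name = tok.pop(0), tok.pop(0)
        return PORTS.get(name) or int(name)
    if tok and tok[0] in ("echo", "echo-reply"):
        return tok.pop(0)
    return None

def parse(acl):
    rules = []
    for line in acl.splitlines():
        tok = line.split()
        rules.append((tok.pop(0), tok.pop(0),  # action, protocol
                      _addr(tok), _qual(tok), _addr(tok), _qual(tok)))
    return rules

def evaluate(rules, proto, src, dst, sport=None, dqual=None):
    """Return the action of the first matching line; implicit deny at the end."""
    s, d = int(ip_address(src)), int(ip_address(dst))
    for action, r_proto, (s_base, s_wild), r_sport, (d_base, d_wild), r_dqual in rules:
        if (r_proto in ("ip", proto) and r_sport in (None, sport) and r_dqual in (None, dqual)
                and (s | s_wild) == (s_base | s_wild) and (d | d_wild) == (d_base | d_wild)):
            return action
    return "deny"
```

For example, evaluate(parse(IOT_INSIDE), "tcp", "10.50.50.20", "10.20.20.53", 40000, 22) returns "deny", because only DNS, DHCP and echo-reply to the server are permitted ahead of the RFC1918 deny lines. The address 10.50.50.20 is a constructed IoT host used for illustration.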