IoT ACL on Cisco 3750 L3 Switch
Here is a quick example I'm using to segregate my IoT VLAN from the rest of the network. If you're on the latest IOS version you can use object groups to simplify the RFC1918 rules seen below. Both ACLs are applied to the IoT SVI (Vlan50) only: iot_inside filters packets arriving from IoT hosts, and iot_outside filters packets the switch forwards toward them. Extended ACLs are stateless, so each direction has to be permitted separately, which is why DNS and ICMP appear in both lists.
The following communication flows are allowed (DNS, DHCP and IPAM all live on 10.20.20.53 in this config, and vl10 and vl20 carry no ACL at all):
- vl10 <–> vl20 all traffic
- vl10 <–> internet
- vl20 <–> internet
- vl50 <–> internet
- vl50 <–> internal DNS server
- vl50 <–> internal DHCP server
- vl50 <–> internal IPAM server for ping checks
```
interface Vlan10
 description home
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 10.20.20.53
!
interface Vlan20
 description office
 ip address 10.20.20.1 255.255.255.0
!
interface Vlan50
 description iot
 ip address 10.50.50.1 255.255.255.0
 ip helper-address 10.20.20.53
 ip access-group iot_inside in
 ip access-group iot_outside out
!
ip access-list extended iot_inside
 permit icmp any host 10.20.20.53 echo-reply
 permit udp any host 10.20.20.53 eq domain
 permit tcp any host 10.20.20.53 eq domain
 permit udp any eq bootpc host 10.20.20.53 eq bootps
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
ip access-list extended iot_outside
 permit icmp host 10.20.20.53 any echo
 permit udp host 10.20.20.53 eq domain any
 permit tcp host 10.20.20.53 eq domain any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit ip any any
```

A few things to keep in mind with this pair of lists:
- "Internet" here means "anything that is not RFC1918 space". The final permit ip any any therefore also admits multicast and other non-private ranges, which is fine for a home network but worth knowing.
- The switch's own SVI address 10.50.50.1 is inside 10.0.0.0/8, so IoT devices cannot reach the switch management plane (and cannot ping their gateway) either.
- The bootpc/bootps line only matches unicast DHCP renewals. The initial DISCOVER/REQUEST is a broadcast to 255.255.255.255, which is not RFC1918 space, so it is admitted by the final permit rather than by the DHCP line. The relayed OFFER/ACK needs no entry in iot_outside because the switch originates it via ip helper-address, and outbound ACLs do not filter router-generated traffic.
- Traffic between two IoT devices on vl50 is switched at layer 2 and never crosses the SVI, so these ACLs do not restrict it; isolating IoT devices from each other needs a VACL or protected ports.
- Because the lists are stateless, iot_outside lets any non-RFC1918 source reach an IoT host on any port; the switch cannot tell a reply from an unsolicited connection. Blocking unsolicited inbound traffic from the internet is left to the edge router.
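A policy like this can be checked offline before it is pushed by replaying the intended and unintended flows against a model of the ACL. The script below is an added example and not part of the original post or any Cisco tool: it implements IOS extended-ACL matching (top-down, first match wins, implicit deny at the end) for the subset of syntax the two lists use, loads both ACLs verbatim, and reports which line each sample packet hits. The host addresses 10.50.50.20 (an IoT device), 10.10.10.25 (a PC on vl10) and 203.0.113.10 (a documentation-range address standing in for an internet host) are made up for the checks.

```python
"""Offline model of the iot_inside / iot_outside ACLs from the post (added example).

Cisco IOS extended ACLs are evaluated top-down, first match wins, with an implicit
'deny ip any any' at the end. Only the syntax the two ACLs use is modelled
(ip/udp/tcp/icmp, any, host, wildcard masks, 'eq <port>', ICMP type keywords).
"""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}

IOT_INSIDE = """\
permit icmp any host 10.20.20.53 echo-reply
permit udp any host 10.20.20.53 eq domain
permit tcp any host 10.20.20.53 eq domain
permit udp any eq bootpc host 10.20.20.53 eq bootps
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any"""

IOT_OUTSIDE = """\
permit icmp host 10.20.20.53 any echo
permit udp host 10.20.20.53 eq domain any
permit tcp host 10.20.20.53 eq domain any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit ip any any"""

# src_wc/dst_wc are wildcard masks (1 bits = don't care); None ports/types mean "unspecified".
Ace = namedtuple("Ace", "action proto src src_wc sport dst dst_wc dport icmp_type")
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type", defaults=(None, None, None))


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(t, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at t[i]; return (addr, wildcard, next index)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2


def _parse_port(t, i):
    """Consume an optional 'eq <name|number>' at t[i]."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(text):
    aces = []
    for line in text.splitlines():
        t = line.split()
        src, src_wc, i = _parse_addr(t, 2)
        sport, i = _parse_port(t, i)
        dst, dst_wc, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        icmp_type = ICMP_TYPES[t[i]] if t[1] == "icmp" and i < len(t) else None
        aces.append(Ace(t[0], t[1], src, src_wc, sport, dst, dst_wc, dport, icmp_type))
    return aces


def _addr_match(addr, wc, pkt_addr):
    return ((addr ^ pkt_addr) & ~wc & 0xFFFFFFFF) == 0


def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_match(ace.src, ace.src_wc, _ip(pkt.src)) and _addr_match(ace.dst, ace.dst_wc, _ip(pkt.dst))):
        return False
    pairs = ((ace.sport, pkt.sport), (ace.dport, pkt.dport), (ace.icmp_type, pkt.icmp_type))
    return all(want is None or want == got for want, got in pairs)


def evaluate(acl, pkt):
    """Return (action, 1-based ACL line that matched); line 0 is the implicit deny."""
    for n, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return ace.action, n
    return "deny", 0


INSIDE, OUTSIDE = parse_acl(IOT_INSIDE), parse_acl(IOT_OUTSIDE)
# Made-up hosts: an IoT device, the DNS/DHCP/IPAM server, the vl50 SVI, a vl10 PC, an internet host.
IOT, SRV, GW, HOME, INET = "10.50.50.20", "10.20.20.53", "10.50.50.1", "10.10.10.25", "203.0.113.10"
# iot_inside sees packets sent by IoT hosts; iot_outside sees packets the switch forwards to them.
CHECKS = {
    "iot->internet https": (INSIDE, Packet("tcp", IOT, INET, 40000, 443)),
    "iot->internal dns": (INSIDE, Packet("udp", IOT, SRV, 50000, 53)),
    "iot->home vlan": (INSIDE, Packet("tcp", IOT, HOME, 40000, 80)),
    "iot->switch ssh": (INSIDE, Packet("tcp", IOT, GW, 40000, 22)),
    "iot dhcp renew (unicast)": (INSIDE, Packet("udp", IOT, SRV, 68, 67)),
    "iot dhcp discover (broadcast)": (INSIDE, Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)),
    "ipam echo->iot": (OUTSIDE, Packet("icmp", SRV, IOT, icmp_type=8)),
    "home->iot http": (OUTSIDE, Packet("tcp", HOME, IOT, 40000, 80)),
    "internet->iot unsolicited": (OUTSIDE, Packet("tcp", INET, IOT, 443, 40000)),
}


def run_checks():
    return {name: evaluate(acl, pkt) for name, (acl, pkt) in CHECKS.items()}
```

Call run_checks() (for instance with python -i) to get each flow's verdict and the ACL line that produced it. The line column is the useful part: the DHCP DISCOVER broadcast is admitted by line 8 of iot_inside (the final permit), not by the bootpc line, and the unsolicited connection from the internet is permitted by the final line of iot_outside, which is the stateless-ACL limitation noted above. Adding a flow you expect to be blocked, then watching which line admits it, is a quick way to catch an over-broad permit before it reaches the switch.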