
Validate VLAN segmentation using Invariant

Use Invariant Access Policy rules (ingress-deny-others or egress-deny-others) to state the strict segmentation you expect between VLANs and to verify that the device configurations in a snapshot actually enforce it. The ACLs do the enforcing; the policy is the check.


Scenario: Ensure the sensitive VLAN40 (192.168.40.0/24) accepts inbound connections only over SSH (TCP/22), and only from the host ALICE_DESKTOP (192.168.10.98/32). All other TCP and UDP traffic from internal (RFC 1918) sources must be denied.

Example ACLs: Segmentation is enforced by ACLs on the VLAN40 switch virtual interfaces (SVIs) of dist-1 and dist-2. Mind the direction semantics: an ACL applied "out" on the SVI filters packets the switch forwards toward VLAN40 hosts, so vlan40-out is the one that governs traffic entering the VLAN. It explicitly permits SSH from ALICE_DESKTOP and then denies any other traffic destined to the RFC 1918 ranges, which covers every VLAN40 address (anything left over hits the implicit deny). vlan40-in, applied "in", filters packets arriving from VLAN40 hosts: it stops them from reaching other internal networks while permitting Internet-bound traffic. Both ACLs are stateless, so as written vlan40-in also matches the SSH server's reply packets to 192.168.10.98 (a destination inside 192.168.0.0/16) and denies them; the ingress-only policy below checks what can enter VLAN40, not the return path.

configs/dist-1.cfg (and dist-2.cfg)
ip access-list vlan40-in
   remark deny-internal
   deny ip any 10.0.0.0/8
   deny ip any 172.16.0.0/12
   deny ip any 192.168.0.0/16
   remark accept-internet
   permit ip any any
!
ip access-list vlan40-out
   remark allow-ssh
   ! Allow SSH from ALICE_DESKTOP
   permit tcp host 192.168.10.98 any eq ssh
   remark deny-internal
   ! Deny other cross-VLAN access
   deny ip any 10.0.0.0/8
   deny ip any 172.16.0.0/12
   deny ip any 192.168.0.0/16
!
interface Vlan40
   ! .253 on dist-1, .252 on dist-2
   ip address 192.168.40.253/24
   ip access-group vlan40-in in
   ip access-group vlan40-out out

Invariant Policy: Define an ingress-deny-others rule in invariant/policies/segmentation.yaml to verify this specific segmentation.

invariant/policies/segmentation.yaml
access-policy:
  - name: sensitive-vlan40-segmentation
    comment: Enforce strict segmentation for VLAN40
    owner: security-team@example.com
    ingress-network:
      destination-address: VLAN40
      # Exclude the switch-owned addresses in VLAN40: packets addressed to the
      # switch itself are terminated before the egress ACL on the SVI applies
      destination-exclude: VLAN40_IF
    rules:
      - type: ingress-deny-others
        comment: Limit TCP/UDP ingress from internal networks to SSH from Alice's desktop
        # Scope of the denial: all TCP and UDP from RFC 1918 sources ...
        within:
          - protocol: tcp udp
            source-address: RFC1918
        # ... must be denied, except the flows listed here
        deny-all-except:
          flows:
            - comment: Allow SSH from Alice's desktop
              source-address: ALICE_DESKTOP
              destination-port: SSH
              protocol: tcp
        # No other ingress should be permitted for VLAN40

Network Definitions: Network and host names are defined in def/networks.yaml.

def/networks.yaml
networks:
  RFC1918:
    values:
      - address: 10.0.0.0/8
      - address: 172.16.0.0/12
      - address: 192.168.0.0/16
  VLAN40:
    values:
      - address: 192.168.40.0/24
  VLAN40_IF:  # Switch-owned addresses within VLAN40, excluded from the ingress check
    values:
      - address: 192.168.40.0/32
      - address: 192.168.40.252/32
      - address: 192.168.40.253/32
      - address: 192.168.40.254/32
  ALICE_DESKTOP:
    values:
      - address: 192.168.10.98/32
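To make the rule's semantics concrete, here is a small stateless model of the two ACLs and the network definitions above, run over a handful of constructed probe flows. It is an added example written for this page, not Invariant's code, and it does not reproduce Invariant's report formats; the Flow type, the probe list, the weakened ACL variant and the helper names are all illustrative. It checks exactly what ingress-deny-others asks of vlan40-out: every TCP/UDP flow from an RFC 1918 source to a VLAN40 host address (SVI and VIP addresses excluded) must be denied unless it is the exempted SSH flow from ALICE_DESKTOP. It also evaluates the SSH server's reply on vlan40-in, which the ingress-only rule does not cover.

```python
# Stateless model of the VLAN40 ACLs above and of what ingress-deny-others has to
# establish. Added illustration for this page; not Invariant's code or report format.
import ipaddress
from collections import namedtuple

# ACL entries from the page's dist-1.cfg (Arista EOS prefix syntax), remarks dropped.
VLAN40_OUT = """
permit tcp host 192.168.10.98 any eq ssh
deny ip any 10.0.0.0/8
deny ip any 172.16.0.0/12
deny ip any 192.168.0.0/16
"""
VLAN40_IN = """
deny ip any 10.0.0.0/8
deny ip any 172.16.0.0/12
deny ip any 192.168.0.0/16
permit ip any any
"""
# Constructed weakened variant: SSH permitted from the whole user VLAN, not only Alice.
VLAN40_OUT_WEAK = "permit tcp 192.168.10.0/24 any eq ssh\n" + VLAN40_OUT

PORT_NAMES = {"ssh": 22}  # the only service name the page's ACLs use
# The def/networks.yaml objects as Python values.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VLAN40 = ipaddress.ip_network("192.168.40.0/24")
VLAN40_IF = {ipaddress.ip_address("192.168.40." + h) for h in ("0", "252", "253", "254")}
ALICE_DESKTOP = ipaddress.ip_address("192.168.10.98")

# A unidirectional probe: proto is "tcp", "udp" or "icmp"; dport is None when not applicable.
Flow = namedtuple("Flow", "src dst proto dport", defaults=(None,))

def _addr(tokens, i):
    """Consume 'any', 'host X' or 'X/len' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(tokens[i], strict=False), i + 1

def parse_acl(text):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>]' lines into tuples; skip remarks."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] in ("remark", "!"):
            continue
        src, i = _addr(t, 2)
        dst, i = _addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        entries.append((t[0], t[1], src, dst, dport))
    return entries

def evaluate(acl, flow):
    """First-match evaluation with the implicit deny every real ACL ends with."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for action, proto, src, dst, dport in acl:
        if proto != "ip" and proto != flow.proto:
            continue
        if s not in src or d not in dst:
            continue
        if dport is not None and flow.dport != dport:
            continue
        return action
    return "deny"

def in_scope(flow):
    """The rule's 'within' clause: TCP/UDP from RFC1918 to VLAN40, minus destination-exclude."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    return (flow.proto in ("tcp", "udp") and any(s in n for n in RFC1918)
            and d in VLAN40 and d not in VLAN40_IF)

def exempt(flow):
    """The rule's deny-all-except flow: TCP/22 from ALICE_DESKTOP."""
    return (flow.proto == "tcp" and flow.dport == 22
            and ipaddress.ip_address(flow.src) == ALICE_DESKTOP)

def ingress_deny_others(acl, probes):
    """Return the in-scope, non-exempt probes the ACL permits; each one is a violation.
    Exempt flows are only excused from the denial, not required to be reachable."""
    return [f for f in probes
            if in_scope(f) and not exempt(f) and evaluate(acl, f) == "permit"]

# Constructed probe flows (sample input, not from the page).
PROBES = [
    Flow("192.168.10.98", "192.168.40.10", "tcp", 22),   # Alice SSH: exempt
    Flow("192.168.10.99", "192.168.40.10", "tcp", 22),   # a neighbour's SSH: must be denied
    Flow("192.168.10.98", "192.168.40.10", "tcp", 443),  # Alice HTTPS: must be denied
    Flow("10.1.1.1", "192.168.40.10", "udp", 53),        # UDP from another site: must be denied
    Flow("192.168.10.98", "192.168.40.253", "tcp", 22),  # SSH to the SVI itself: out of scope
]

def return_path_verdict():
    """Caveat the ingress-only rule does not cover: the ACLs are stateless, and vlan40-in
    sees packets sent by VLAN40 hosts, so the SSH server's replies to Alice hit it."""
    reply = Flow("192.168.40.10", "192.168.10.98", "tcp", 51000)  # constructed client port
    return evaluate(parse_acl(VLAN40_IN), reply)

if __name__ == "__main__":
    print("violations:", ingress_deny_others(parse_acl(VLAN40_OUT), PROBES))      # []
    print("weak ACL:", ingress_deny_others(parse_acl(VLAN40_OUT_WEAK), PROBES))  # [neighbour SSH]
    print("SSH reply on vlan40-in:", return_path_verdict())                       # deny
```

The page's ACL yields no violations; the weakened variant is flagged on the neighbour's SSH probe, which is the shape of finding policy_violations would carry. The reply evaluation returns deny, so an operator who only runs the ingress rule would not notice that the permitted SSH session cannot complete. Invariant checks the rule against the configured network rather than a hand-picked probe list, so a clean probe set here is not a substitute for the run below.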

Run Analysis: Execute Invariant on your snapshot directory.

$ invariant run --target /path/to/your/snapshot/ --condensed
snapshot: cf2bb04f-554f-4a84-a3e0-bf12a13c0e4e
outcome: All rules passed

# Passing rules are listed in policy_ok
$ invariant show policy_ok --json

# A log of reachability checks performed appears in policy_logs
$ invariant show policy_logs --json

# Violations, if present, would appear in policy_violations
$ invariant show policy_violations --json

# Traceroutes demonstrating segmentation violations, if found, appear in policy_details
$ invariant show policy_details --json

See Access Policy for more details on rule types and reports.

See Output Overview for access policy output file reference.