Solved

VLAN Security Configuration/ACL 500 Pts.

Posted on 2008-11-13
Last Modified: 2012-05-05
I have a VLAN built for the security cameras in my school, VLAN 100. I also have a VLAN for all the student-use computers, VLAN 200. I would like to build a rule that denies all VLAN 200 computers access to VLAN 100. I would also like to allow specific ports from other VLANs access to the camera VLAN (superintendent, principals, etc.). I have heard this can be accomplished through the use of ACLs but need an example. Let me know if I am missing any pertinent information.
Question by:cantonee
8 Comments
LVL 50

Expert Comment

by:Don Johnston
ID: 22949958
This assumes VLAN 200 IP addresses are 192.168.200.0/24 and that the allowed devices are 192.168.300.7 and 8.


! Standard ACL 1: matches on source address only, first match wins,
! and anything not matched is dropped by the implicit deny at the end.
! NOTE: 192.168.300.x is a placeholder from the comment above; 300 is not a
! valid IPv4 octet, so substitute the real addresses of the allowed devices.
access-list 1 deny 192.168.200.0 0.0.0.255
access-list 1 permit host 192.168.300.7
access-list 1 permit host 192.168.300.8
! Apply it outbound on the routed (SVI) interface for the camera VLAN
int vlan 100
 ip access-group 1 out



Author Comment

by:cantonee
ID: 22950220
This is all configured on the VLAN "server"
LVL 50

Expert Comment

by:Don Johnston
ID: 22950251
What do you mean by "VLAN server"?

Author Comment

by:cantonee
ID: 22950252
So, if I build this on the switch I configure all my VLANs on, it will push the updated information out to the rest of them via the trunking/VTP? Thanks
LVL 50

Expert Comment

by:Don Johnston
ID: 22950346
No.

This ACL is being applied to the layer 3 interface on the switch(es) that are routing the traffic between the VLANs. If you have more than one multilayer switch that is routing between VLANs, you will have to configure all of those switches.

Author Comment

by:cantonee
ID: 22950482
Okay, I see. On your suggested config, are you saying that the full command on step 4 will be:
"access-list 1 permit int vlan 100"? I understand the rest except for the "ip access-group 1 out". What does this refer to? Thanks for your help. I was recently thrown into the VLAN world with the adoption of a Cisco Wireless Controller!
LVL 50

Accepted Solution

by:Don Johnston (earned 2000 total points)
ID: 22951754
No, the commands are entered as shown.

"ip access-group 1 out" applies access-list 1 outbound on the VLAN 100 interface. Any traffic exiting that interface is subject to the statements in that access-list.
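As an added example, not the expert's configuration from the thread, the same policy written as a named extended ACL, with the implicit deny made explicit and logged so that student-VLAN attempts to reach the cameras are visible in syslog and in the per-line hit counters. Addressing is a constructed assumption: cameras on 192.168.100.0/24, students on 192.168.200.0/24, and the permitted administrator workstations at 192.168.10.7 and 192.168.10.8 (the 192.168.300.x addresses in the thread are not valid IPv4 and must be replaced with real hosts).

```cisco
! Constructed placeholder addressing (assumption, not from the thread):
!   VLAN 100  cameras            192.168.100.0/24
!   VLAN 200  student computers  192.168.200.0/24
!   Admin workstations (any other VLAN)  192.168.10.7 and 192.168.10.8
!
ip access-list extended TO-CAMERAS
 remark Student VLAN may never reach the cameras; its own line gives a
 remark separate hit counter for these attempts
 deny   ip 192.168.200.0 0.0.0.255 any
 remark Only the named administrator hosts may reach the cameras
 permit ip host 192.168.10.7 any
 permit ip host 192.168.10.8 any
 remark Everything else is dropped and logged (the implicit deny, made explicit)
 deny   ip any any log
!
! Applied outbound on the camera SVI: only traffic routed INTO VLAN 100 is
! filtered. Hosts already inside VLAN 100 are not affected (no routing
! involved), and the ACL has to be repeated on every multilayer switch that
! routes between these VLANs, as the expert notes above.
interface Vlan100
 ip access-group TO-CAMERAS out
!
! Verification after applying:
!   show ip access-lists TO-CAMERAS              (hit counts per entry)
!   show ip interface Vlan100 | include access list
```

A `deny ... log` entry generates one syslog message per matching flow, which is enough to spot student-VLAN probing of the camera network without adding load on a busy switch.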

Author Closing Comment

by:cantonee
ID: 31516355
Thanks a million, or 500 anyway.