VLAN Security Configuration/ACL 500 Pts.

I have a VLAN built for the security cameras in my school, VLAN 100. I also have a VLAN for all the student-use computers, VLAN 200. I would like to build a rule that denies all VLAN 200 computers access to VLAN 100. I would also like to allow specific ports from other VLANs access to the camera VLAN (Superintendent, principals, etc.). I have heard this can be accomplished through the use of ACLs but need an example. Let me know if I am missing any pertinent information.
cantonee asked:

Don Johnston (Instructor) commented:
This assumes VLAN 200 IP addresses are 192.168.200.0/24 and that the allowed devices are 192.168.300.7 and 8.


! Standard ACL: matches on source address only. Entries are checked in order,
! the first match wins, and anything not matched is dropped by the implicit deny.
access-list 1 deny 192.168.200.0 0.0.0.255
! NOTE: 300 is not a valid IPv4 octet (maximum is 255); replace 192.168.300.x
! with the actual subnet of the permitted hosts.
access-list 1 permit host 192.168.300.7
access-list 1 permit host 192.168.300.8
! Apply the ACL outbound on the VLAN 100 SVI, so traffic routed into VLAN 100 is filtered.
int vlan 100
 ip access-group 1 out


cantonee (Author) commented:
This is all configured on the VLAN "server"
Don Johnston (Instructor) commented:
What do you mean by "VLAN server"?

cantonee (Author) commented:
So, if I build this on the switch I configure all my VLANs on, it will push the updated information out to the rest of them via the trunking/VTP? Thanks
Don Johnston (Instructor) commented:
No.

This ACL is being applied to the layer 3 interface on the switch(es) that are routing the traffic between the VLANs. If you have more than one multilayer switch that is routing between VLANs, you will have to configure all of those switches.
cantonee (Author) commented:
Okay, I see. On your suggested config, are you saying that the full command on step 4 will be:
"access-list 1 permit int vlan 100"? I understand the rest except for the "ip access-group 1 out". What does this refer to? Thanks for your help. I was recently thrown into the VLAN world with the adoption of a Cisco Wireless Controller!
Don Johnston (Instructor) commented:
No, the commands are entered as shown.

"ip access-group 1 out" applies access-list 1 outbound on the VLAN 100 interface. Any traffic exiting that interface is subject to the statements in that access-list.
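As an added illustration (not part of this thread, and not Cisco's own code), the following Python script models how IOS evaluates a standard ACL of the kind given in the answer above for packets leaving the VLAN 100 SVI outbound: wildcard-mask matching, first-match-wins ordering, and the implicit deny at the end. The ACL text is the answer's, with the two permitted hosts moved to 192.168.30.7 and .8 because 192.168.300.x is not a valid IPv4 address; those addresses and the sample source hosts are constructed assumptions, not values from any real network.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed input: the standard ACL from the answer above, with the two
# permitted hosts moved to 192.168.30.x because 192.168.300.x is not a valid
# IPv4 address (an octet cannot exceed 255). All addresses are assumptions.
ACL_TEXT = """
access-list 1 deny 192.168.200.0 0.0.0.255
access-list 1 permit host 192.168.30.7
access-list 1 permit host 192.168.30.8
"""

Entry = Tuple[str, int, int]  # (action, network as int, wildcard mask as int)


def parse_standard_acl(text: str) -> List[Entry]:
    """Parse IOS 'access-list N permit|deny ...' lines (standard ACL).

    A standard ACL matches on the source address only. The wildcard mask is
    the inverse of a subnet mask: a 0 bit means the address bit must match,
    a 1 bit means it is ignored. 'host X' is shorthand for 'X 0.0.0.0' and
    'any' for '0.0.0.0 255.255.255.255'; a bare address means wildcard 0.0.0.0.
    """
    entries: List[Entry] = []
    for raw in text.strip().splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACL line: {raw!r}")
        action = parts[2]
        if parts[3] == "host":
            if len(parts) < 5:
                raise ValueError(f"'host' needs an address: {raw!r}")
            net, wild = parts[4], "0.0.0.0"
        elif parts[3] == "any":
            net, wild = "0.0.0.0", "255.255.255.255"
        else:
            net = parts[3]
            wild = parts[4] if len(parts) > 4 else "0.0.0.0"
        entries.append((action, int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wild))))
    return entries


def evaluate(acl: List[Entry], src_ip: str) -> str:
    """Return the action for a packet with this source address.

    Entries are tested in order and the first match wins; a packet that
    matches no entry hits the implicit 'deny any' at the end of every ACL.
    """
    src = int(ipaddress.IPv4Address(src_ip))
    for action, net, wild in acl:
        care = wild ^ 0xFFFFFFFF  # address bits that must match exactly
        if (src & care) == (net & care):
            return action
    return "deny (implicit)"


def check_flows() -> Dict[str, str]:
    """Evaluate constructed source hosts for traffic leaving 'int vlan 100'
    outbound, i.e. packets being routed into the camera VLAN."""
    acl = parse_standard_acl(ACL_TEXT)
    samples = {  # constructed sample hosts
        "192.168.200.25": "student PC in VLAN 200",
        "192.168.30.7": "superintendent PC (listed host)",
        "192.168.30.8": "principal PC (listed host)",
        "192.168.30.9": "other PC on the admin subnet, not listed",
        "10.20.0.4": "host in some other VLAN",
    }
    results: Dict[str, str] = {}
    for ip, who in samples.items():
        verdict = evaluate(acl, ip)
        results[ip] = verdict
        print(f"{ip:16} {who:42} -> {verdict}")
    return results


if __name__ == "__main__":
    check_flows()
```

Running it shows the student subnet denied by the first entry, the two listed hosts permitted, and every other source, including an unlisted machine on the same admin subnet, dropped by the implicit deny. Two points follow from that for anyone reproducing the answer: any host that legitimately needs to reach the cameras (an NVR, a management station) must be listed explicitly or it is cut off as well, and because the ACL is evaluated only on packets exiting the VLAN 100 SVI, it says nothing about traffic the cameras themselves initiate toward other VLANs.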
cantonee (Author) commented:
Thanks a million or 500 anyway