
VACLs Logic in 6509 switch running Native IOS.

Last Modified: 2013-11-08
I have a 6509 with Vlans and inter-vlan routing correctly configured and functioning correctly.
I need to do a configuration such that a machine (192.168.160.20) in vlan 160 is able to allow a VPN connection using IPSEC to connect to this machine. I need this machine (192.168.160.20) to be able to access every other machine in the 192.168.160.0 subnet but not access any other subnet on my network. I have 40 other subnets (192.168.102.0, 192.168.100.0, 192.168.180.0, etc.).

Note:
I am familiar with VACLS so I need more of the logic than the actual configuration steps/commands.

You would want to create a few access lists similar to below to deny/permit access from the 192.168.160.20 host to your other VLANs. They are applied top-to-bottom, so they would need to be in this order:

access-list 100 permit ip 192.168.160.20 255.255.255.255 192.168.160.0 255.255.255.0 (permit vlan 160 access)
access-list 100 deny   ip 192.168.160.20 255.255.255.255 192.168.0.0 255.255.0.0 log (deny other 192.168.x.x VLAN access)
access-list 100 permit ip 192.168.160.20 255.255.255.255 any (permit traffic to other hosts including internet)

You will need to configure IPSEC on a router/gateway device as the endpoint for the VPN tunnel and then I believe the IPSec traffic should pass over the switch to the host computer... any other details on the VPN?  
Oliver TANGIRI, Lead Network Engineer (Author) commented:
Thank you for your input.
What I have in mind about VLAN Access Maps is:
a) Create an extended ACL.
b) Filter the interesting traffic using permit statements.
c) Create the access map.
d) Match the map to the ACL in (b).
e) Take an action: drop or forward.
f) Apply to a vlan.
Please let me know how your suggested ACLs work in this case.
Also, I am not configuring the VPN. An external company needs me to establish a VPN connection from this internal IP (192.168.160.20) and I want to establish it and let them do whatever they need to do with the computer and on vlan 160 and nothing else out of vlan 160.

Your method would work as well, but it's a little harder to implement. Basically the 3 ACLs I suggested break down as follows and will do the job:

access-list 100 permit ip 192.168.160.20 255.255.255.255 192.168.160.0 255.255.255.0
Above ACL permits traffic from that host machine to only the 192.168.160.0 subnet

access-list 100 deny   ip 192.168.160.20 255.255.255.255 192.168.0.0 255.255.0.0 log
Above ACL denies traffic from that host machine to any other subnet/host/VLAN in the 192.168.0.0 - 192.168.255.255  range

access-list 100 permit ip 192.168.160.20 255.255.255.255 any
Above ACL permits traffic from that machine to any destination

Since the ACLs are applied top to bottom, traffic is permitted to only the 192.168.160.0 subnet or VLAN. All other access to 192.168.x.x subnets is DENIED by the second ACL. Then access is permitted to anywhere else by the 3rd ACL.

The VPN should work fine in that manner as well.
Also, you would need the following to link the ACLs to the proper VLAN interface so it is applied successfully:

interface Vlan160
 ip access-group 112 in

Sorry, I mistyped:

interface Vlan160
 ip access-group 100 in
Oliver TANGIRI, Lead Network Engineer (Author) commented:
Got it. You are good. I will try this and let you know. Already I see it working. I was thinking of handling this entirely using VACLs, but now I see how difficult (if at all possible) that could have been.
Oliver TANGIRI, Lead Network Engineer (Author) commented:
By the way, we should be using wildcard bits and not a subnet mask when defining an entire network, right?
Oliver TANGIRI, Lead Network Engineer (Author) commented:
No need to apologize. You already got me onto the right path.
You sure I am applying the ACL in-bound? At first thought, I would go for outbound, i.e. from within vlan 160 going to other places. Also, I don't need to stop others, say 192.168.160.87, from going wherever they need to go, so I guess I may replace the last one with:
access-list 100 permit ip 192.168.160.0 0.0.0.255 any
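An added example, not code from this thread: a small Python simulator of IOS first-match ACL evaluation, covering the top-to-bottom ordering explained in the answer above and the wildcard-bits question raised in the comments. It assumes ACL 100 rewritten in wildcard form, with the subnet-wide third entry proposed just above; the hosts and the misordered variant are constructed for illustration.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl, src: str, dst: str):
    """First match wins, top to bottom; returns (action, entry index).
    No match falls through to the implicit deny at the end of every IOS ACL,
    reported as ('deny', None)."""
    for i, (action, src_base, src_wc, dst_base, dst_wc) in enumerate(acl):
        if wildcard_match(src, src_base, src_wc) and wildcard_match(dst, dst_base, dst_wc):
            return action, i
    return "deny", None


# Constructed: the thread's ACL 100 in wildcard form (0.0.0.0 = one host,
# 0.0.0.255 = a /24, 0.0.255.255 = 192.168.0.0/16, 255.255.255.255 = any),
# with the third entry being the subnet-wide permit proposed in the comment above.
ACL_100 = [
    ("permit", "192.168.160.20", "0.0.0.0",   "192.168.160.0", "0.0.0.255"),
    ("deny",   "192.168.160.20", "0.0.0.0",   "192.168.0.0",   "0.0.255.255"),
    ("permit", "192.168.160.0",  "0.0.0.255", "0.0.0.0",       "255.255.255.255"),
]

# Same entries with the deny pushed below the broad permit: order is the whole point.
ACL_MISORDERED = [ACL_100[0], ACL_100[2], ACL_100[1]]


def subnet_mask_as_wildcard_matches_any(mask_written: str) -> bool:
    """Typing a subnet mask (255.255.255.255) where IOS expects a wildcard makes
    every bit 'don't care', so an unrelated source also matches the 'host' entry."""
    return wildcard_match("10.9.8.7", "192.168.160.20", mask_written)


if __name__ == "__main__":
    restricted, neighbour = "192.168.160.20", "192.168.160.87"
    other_vlan, internet = "192.168.102.5", "203.0.113.9"
    for dst in (neighbour, other_vlan, internet):
        print(f"{restricted} -> {dst}: {evaluate(ACL_100, restricted, dst)}")
    print(f"{neighbour} -> {other_vlan}: {evaluate(ACL_100, neighbour, other_vlan)}")
    print("misordered, restricted host -> other VLAN:", evaluate(ACL_MISORDERED, restricted, other_vlan))
    print("255.255.255.255 as wildcard matches any source:", subnet_mask_as_wildcard_matches_any("255.255.255.255"))
```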
Oliver TANGIRI, Lead Network Engineer (Author) commented:
OK, great. I will leave this open for at least a day just in case I need to post something else after implementing; otherwise I think we have exhausted enough possibilities to get me going on this project.
Thanks for all your help.
No problem Bokis...

- Matt