ACLs on virtual interfaces

Posted on 2010-09-17
Last Modified: 2012-05-10
I have several VLANs defined on a stack of Cisco Catalyst 3750 switches (Layer 3). IOS version is 12.2(25)SEE2.

I'm trying to do something that seems pretty simple, and I'm hopefully missing something obvious.

I want to prevent one VLAN from having any access to the other. (IP routing is turned on, and it needs to be on.) I followed another example I found online, and it seems like it should work. The config lines are below. I'm trying to prevent VLAN 99 from accessing VLAN 11 by using an ACL. Address ranges are: VLAN 11 10.67.11.0/24, VLAN 99 10.67.99.0/24.

interface Vlan11
 ip address 10.67.11.247 255.255.255.0
 ip access-group BAN_VLAN99 in

interface Vlan99
 ip address 10.67.99.247 255.255.255.0

ip access-list extended BAN_VLAN99
 deny   ip 10.67.99.0 0.0.0.255 any
 permit ip any any


But if I put a VLAN 99 address on a workstation and plug into a VLAN 99 port, I'm still able to ping addresses on VLAN 11 (10.67.11.1, for example).

This seems embarrassingly simple... what am I missing??
Question by:asd-dave
6 Comments
 
LVL 3

Expert Comment

by:kf4zmt
ID: 33704769
Change this:  ip access-group BAN_VLAN99 in
to this: ip access-group BAN_VLAN99 out


Or better yet, modify your ACL and apply it as an inbound ACL on the vlan 99 interface.
LVL 22

Expert Comment

by:Matt V
ID: 33704782
Have you applied the lists to the interfaces? Also, this seems like a routing issue; the ACL should be applied where the routing is taking place.
LVL 22

Expert Comment

by:Matt V
ID: 33704786
Never mind, I missed the application on the interface.
LVL 3

Expert Comment

by:kf4zmt
ID: 33704791
Like this

ip access-list extended BAN_VLAN99
 deny   ip any 10.67.11.0 0.0.0.255
 permit ip any any

interface Vlan99
 ip access-group BAN_VLAN99 in
LVL 24

Expert Comment

by:rfc1180
ID: 33704799
or:

interface Vlan99
 ip access-group DENY_VLAN11 in

ip access-list extended DENY_VLAN11
 deny   ip 10.67.99.0 0.0.0.255 10.67.11.0 0.0.0.255
 permit ip any any

Billy
LVL 17

Accepted Solution

by:
Kvistofta earned 500 total points
ID: 33704820
You have to think the other way around. You have an ACL inbound on int Vlan11, which means that at that point you can filter traffic coming INBOUND into the router FROM that interface. You block 10.67.99.0 source addresses in that ACL, but on that interface and in that direction there will never be any traffic sourced from those addresses.

If you want to stop vlan 99 from accessing vlan 11 you should place an inbound acl on int vlan 99 instead, blocking traffic from vlan 11 ip addresses:

int vlan99
 ip access-group BAN_VLAN11 in
!
ip access-l ext BAN_VLAN11
 deny ip 10.67.11.0 0.0.0.255 any
 permit ip any any
!

Another option is to place the ACL outbound instead of inbound, by using the "out" parameter in the access-group interface command.

/Kvistofta
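To make the direction argument concrete, here is an added Python model of how an IOS ACL is evaluated on a routed SVI. It is illustrative code written for this page, not a Cisco tool or anything the posters supplied. It parses the permit/deny lines of the extended ACLs posted in the thread (the question's BAN_VLAN99, kf4zmt's two placements, rfc1180's DENY_VLAN11 and the accepted BAN_VLAN11), applies each in the direction its comment describes, and then traces an echo request from a constructed VLAN 99 workstation (10.67.99.10, an assumed address) to 10.67.11.1 together with the echo reply. The model only handles `ip` entries with contiguous wildcards and `any`, which is all the thread uses. Running it shows that an ACL only ever sees packets travelling in its configured direction: a deny on VLAN 99 source addresses never matches inbound on Vlan11, and for the same reason a deny on VLAN 11 source addresses never matches inbound on Vlan99, so the simulation reports the ping still succeeding for the accepted ACL exactly as posted; the placements that stop the ping are BAN_VLAN99 outbound on Vlan11, and the Vlan99 inbound ACLs that match the VLAN 11 destination.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample addresses, matching the ranges given in the question.
VLAN11_HOST = "10.67.11.1"
VLAN99_HOST = "10.67.99.10"   # assumed address for a workstation plugged into a VLAN 99 port


@dataclass
class AclEntry:
    action: str                        # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS 'address wildcard' (10.67.99.0 0.0.0.255) -> 10.67.99.0/24.
    Assumes a contiguous wildcard, which is all this thread uses."""
    wc = int(ipaddress.IPv4Address(wildcard))
    prefix = 32 - wc.bit_length()
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def _operand(tokens, i):
    """Read one source/destination operand: either 'any' or 'addr wildcard'."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> list:
    """Parse the permit/deny lines of an extended named ACL; only 'ip' entries are modelled."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue   # skip the 'ip access-list extended NAME' header, '!' and blank lines
        src, i = _operand(tokens, 2)
        dst, _ = _operand(tokens, i)
        entries.append(AclEntry(tokens[0], src, dst))
    return entries


def acl_permits(entries, src_ip, dst_ip) -> bool:
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    for e in entries:
        if src_ip in e.src and dst_ip in e.dst:
            return e.action == "permit"
    return False


@dataclass
class Svi:
    name: str
    network: ipaddress.IPv4Network
    acl_in: list = field(default_factory=list)    # checked as packets ENTER the switch from this VLAN
    acl_out: list = field(default_factory=list)   # checked as packets LEAVE the switch into this VLAN


def forward(svis, src: str, dst: str):
    """Route one packet across the L3 switch and report where an ACL drops it, if anywhere."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    ingress = next(s for s in svis if src_ip in s.network)   # SVI the packet arrives on
    egress = next(s for s in svis if dst_ip in s.network)    # SVI the packet is routed out of
    if ingress.acl_in and not acl_permits(ingress.acl_in, src_ip, dst_ip):
        return False, f"dropped by inbound ACL on {ingress.name}"
    if egress.acl_out and not acl_permits(egress.acl_out, src_ip, dst_ip):
        return False, f"dropped by outbound ACL on {egress.name}"
    return True, f"forwarded {ingress.name} -> {egress.name}"


def ping_succeeds(svis, src: str, dst: str) -> bool:
    """A ping needs both the echo request and the echo reply to be forwarded."""
    return forward(svis, src, dst)[0] and forward(svis, dst, src)[0]


# The ACLs exactly as posted in the thread.
BAN_VLAN99 = parse_acl("deny ip 10.67.99.0 0.0.0.255 any\npermit ip any any")                     # question
BAN_VLAN11 = parse_acl("deny ip 10.67.11.0 0.0.0.255 any\npermit ip any any")                     # accepted answer
DENY_VLAN11 = parse_acl("deny ip 10.67.99.0 0.0.0.255 10.67.11.0 0.0.0.255\npermit ip any any")   # rfc1180
TO_VLAN11 = parse_acl("deny ip any 10.67.11.0 0.0.0.255\npermit ip any any")                      # kf4zmt


def build(vlan11_in=(), vlan11_out=(), vlan99_in=()):
    """Two SVIs with the question's subnets and the requested ACL placements."""
    return [Svi("Vlan11", ipaddress.IPv4Network("10.67.11.0/24"), list(vlan11_in), list(vlan11_out)),
            Svi("Vlan99", ipaddress.IPv4Network("10.67.99.0/24"), list(vlan99_in))]


SCENARIOS = {
    "question: BAN_VLAN99 in on Vlan11":   build(vlan11_in=BAN_VLAN99),
    "kf4zmt: BAN_VLAN99 out on Vlan11":    build(vlan11_out=BAN_VLAN99),
    "kf4zmt: deny any->11 in on Vlan99":   build(vlan99_in=TO_VLAN11),
    "rfc1180: DENY_VLAN11 in on Vlan99":   build(vlan99_in=DENY_VLAN11),
    "accepted: BAN_VLAN11 in on Vlan99":   build(vlan99_in=BAN_VLAN11),
}


def vlan99_can_ping_vlan11() -> dict:
    """Scenario name -> whether the VLAN 99 workstation can still ping 10.67.11.1."""
    return {name: ping_succeeds(svis, VLAN99_HOST, VLAN11_HOST) for name, svis in SCENARIOS.items()}


if __name__ == "__main__":
    for name, svis in SCENARIOS.items():
        _, why = forward(svis, VLAN99_HOST, VLAN11_HOST)
        print(f"{name:38} request: {why:34} ping works: {ping_succeeds(svis, VLAN99_HOST, VLAN11_HOST)}")
```

The useful habit the model encodes: before writing an ACL entry, name the interface and direction it is applied to, then ask which source addresses can physically appear there. Inbound on an SVI, the sources are the hosts of that VLAN; outbound, they are everybody else. A deny whose source range cannot occur in that direction is dead configuration, and it is worth verifying a new ACL with `show access-lists` hit counters rather than assuming it matched.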