asd-dave
asked on
ACLs on virtual interfaces
I have several VLANs defined on a stack of Cisco Catalyst 3750 switches (Layer 3). IOS version is 12.2(25)SEE2.
I'm trying to do something that seems pretty simple, and I'm hopefully missing something obvious.
I want to prevent one VLAN from having any access to the other. (ip routing is turned on, and it needs to be on.) I followed another example I found online, and it seems like it should work. The config lines are below. I'm trying to prevent VLAN 99 from accessing VLAN 11 by using an ACL. Address ranges are: VLAN 11 10.67.11.0/24, VLAN 99 10.67.99.0/24.
interface Vlan11
 ip address 10.67.11.247 255.255.255.0
 ip access-group BAN_VLAN99 in
interface Vlan99
 ip address 10.67.99.247 255.255.255.0
ip access-list extended BAN_VLAN99
 deny ip 10.67.99.0 0.0.0.255 any
 permit ip any any
But if I put a VLAN 99 address on a workstation and plug it into a VLAN 99 port, I'm still able to ping addresses on VLAN 11 (10.67.11.1, for example).
This seems embarrassingly simple... what am I missing??
Have you applied the lists to the interfaces? Also, this seems like a routing issue; the ACL should be applied where the routing is taking place.
Never mind, I missed the application on the interface.
Like this:
ip access-list extended BAN_VLAN99
 deny ip any 10.67.11.0 0.0.0.255
 permit ip any any
interface Vlan99
 ip access-group BAN_VLAN99 in
or:
interface Vlan99
 ip access-group DENY_VLAN11 in
ip access-list extended DENY_VLAN11
 deny ip 10.67.99.0 0.0.0.255 10.67.11.0 0.0.0.255
 permit ip any any
Billy
to this: ip access-group BAN_VLAN99 out
Or better yet, modify your ACL and apply it as an inbound ACL on the vlan 99 interface.
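To show why the question's placement never matched the traffic, here is an added example (not posted by anyone in this thread, and not IOS code) that models how a routed packet on a Catalyst SVI is checked only against the ingress SVI's "in" ACL and the egress SVI's "out" ACL. The subnets and the BAN_VLAN99 list come from the question; the three placements are the original, the "out on Vlan11" fix, and the "in on Vlan99" fix.

```python
import ipaddress

# Constructed model: a routed packet is consulted against the "in" ACL of the
# SVI it enters and the "out" ACL of the SVI it leaves, and nothing else.
SUBNETS = {
    "Vlan11": ipaddress.ip_network("10.67.11.0/24"),
    "Vlan99": ipaddress.ip_network("10.67.99.0/24"),
}

def svi_for(addr):
    """Which SVI a packet to/from this address uses (the route lookup)."""
    for name, net in SUBNETS.items():
        if ipaddress.ip_address(addr) in net:
            return name
    raise ValueError("no SVI for %s" % addr)

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a set bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

def acl_permits(acl, src, dst):
    """Evaluate an extended IP ACL top-down, implicit deny at the end."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False

def routed_packet_allowed(svis, src, dst):
    """svis maps SVI name -> {"in": acl, "out": acl}; a missing key means no ACL."""
    ingress, egress = svi_for(src), svi_for(dst)
    in_acl = svis[ingress].get("in")
    if in_acl is not None and not acl_permits(in_acl, src, dst):
        return False
    out_acl = svis[egress].get("out")
    if out_acl is not None and not acl_permits(out_acl, src, dst):
        return False
    return True

ANY = ("0.0.0.0", "255.255.255.255")
# ip access-list extended BAN_VLAN99 from the question: (action, src, wc, dst, wc)
BAN_VLAN99 = [("deny", "10.67.99.0", "0.0.0.255", *ANY), ("permit", *ANY, *ANY)]

ORIGINAL = {"Vlan11": {"in": BAN_VLAN99}, "Vlan99": {}}    # the question's placement
FIXED_OUT = {"Vlan11": {"out": BAN_VLAN99}, "Vlan99": {}}  # "ip access-group ... out" on Vlan11
FIXED_IN = {"Vlan11": {}, "Vlan99": {"in": BAN_VLAN99}}    # inbound on Vlan99 instead
```

Because the ACL is stateless, the inbound-on-Vlan99 placement also drops replies from VLAN 99 hosts to sessions that VLAN 11 initiates, and `deny ip 10.67.99.0 0.0.0.255 any` there cuts VLAN 99 off from every routed destination, which is why the later posts narrow the destination to 10.67.11.0/24.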