mattlast asked:

how to configure ACLs on vlan interface

Hi all,

I have been working at this issue for longer than I should have. Ultimately I'm looking to apply a type of VLAN security network-wide, only allowing VLANs to access the resources they need. In some cases I only want them to access the internet. But I'm starting small with a VLAN that will only have one computer on it. The requirements for this VLAN are that no VLANs on the network should be able to see this computer, and this computer on this VLAN should not be able to see anything on the network, only the internet. I'm looking for a detailed explanation of how I might accomplish this with an extended named ACL. This is what I have. Oh, and it's a 6509 switch.

First I create the ACL:

ip access-list extended TEST
 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 log

The reason I did the above like this is to cover all my VLANs in one deny statement (this might be my problem, but I don't know, because I don't see any difference in behavior from when I apply the following statement instead, as if I were only blocking VLAN 20):

 deny ip 192.168.38.0 0.0.0.255 192.168.20.0 0.0.0.255 log

 permit ip 192.168.38.0 0.0.0.255 any log

Then I applied it to my VLAN 38 interface:

 ip access-group TEST in

It's not blocking any of the traffic that I want. I would like to keep away from having 30 deny statements every time I want to create an ACL or VLAN map. Or would it be best practice to apply access mapping in this scenario? I am very new to VACLs and the idea sounds confusing, so if anyone knows of any good reads on it I would be very grateful. Thanks all.

I should note two things: these are the real IPs for obvious reasons, but we are a class C for all other VLANs, and I subnetted VLAN 38 to 255.255.255.240 to give me 15 usable addresses. Just in case that matters.
ASKER CERTIFIED SOLUTION
dallensworth
mattlast (asker): Evidently that didn't work; I am still able to ping out and ping in.
fgasimzade: Change the access list direction to OUT.
By the way, how are you testing connectivity? By pinging VLAN interfaces or PCs?
mattlast: PCs.
It still isn't working if I put the statements suggested on the out of the VLAN.
fgasimzade: Can you post the sh ip access-list output here?
mattlast: I can give you a modified version where x is what I deem the network portion of the ACL:

Extended IP access list TEST
    10 deny ip any x.x.0.0 0.0.255.255 log (44 matches)
    20 permit ip any any log


interface Vlan38
 description TEST
 ip address x.x.38.3 255.255.255.240
 ip access-group TEST out
mattlast: So it worked in stopping all traffic from pinging the host on VLAN 38, but the host on VLAN 38 should be able to reach the internet, and it can't. I have the host's DNS set to 8.8.8.8, so it shouldn't need to see our internal DNS.

mattlast: This is all set. I changed it back to in and corrected an issue with DNS, and it works like a charm. Thanks.
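The following is an added example, not configuration posted by mattlast or any answerer in the thread. It shows the pair of router ACLs on the Vlan38 SVI that meets both requirements from the question (the VLAN 38 host reaches only the internet, and nothing internal reaches it), and it encodes the two points the thread stumbled over. First, direction: on an SVI, "in" filters packets arriving from hosts on VLAN 38, and "out" filters packets the switch routes toward hosts on VLAN 38. Second, the out ACL shown in the thread (deny ip any x.x.0.0 0.0.255.255) had to break internet access, because every packet delivered to a VLAN 38 host has a destination inside x.x.0.0/16, so internet replies were dropped along with internal traffic. The example assumes the VLAN 38 subnet is 192.168.38.0/28 with the SVI at 192.168.38.3, that all other internal subnets fall inside 192.168.0.0/16 as the question states, and that the host is statically addressed with DNS pointed at 8.8.8.8 as the thread says; the ACL names are made up.

```cisco
! Added example, not the thread's own config. Assumptions: VLAN 38 is 192.168.38.0/28
! (SVI 192.168.38.3), every other internal subnet is inside 192.168.0.0/16, and the
! VLAN 38 host uses a static address with DNS at 8.8.8.8. The x.x values from the
! thread are written here as 192.168.
!
! "in"  = packets sourced by hosts on VLAN 38 (the host talking out)
! "out" = packets routed toward hosts on VLAN 38 (everything coming back or in)

ip access-list extended VLAN38-IN
 remark The VLAN 38 host may reach only non-internal (internet) destinations.
 remark One aggregate deny covers every internal VLAN; add similar denies for
 remark 10.0.0.0 0.255.255.255 and 172.16.0.0 0.15.255.255 if those ranges exist.
 deny   ip 192.168.38.0 0.0.0.15 192.168.0.0 0.0.255.255 log
 permit ip 192.168.38.0 0.0.0.15 any
 remark Anything not sourced from the VLAN 38 subnet is spoofed or misconfigured.
 deny   ip any any log

ip access-list extended VLAN38-OUT
 remark No internal subnet may send anything (new connections or replies) to the host.
 deny   ip 192.168.0.0 0.0.255.255 192.168.38.0 0.0.0.15 log
 remark Internet return traffic to the VLAN 38 host is allowed; its destination is
 remark the /28, not the whole /16, which is what the thread's out ACL got wrong.
 permit ip any 192.168.38.0 0.0.0.15
 deny   ip any any log

interface Vlan38
 description TEST
 ip address 192.168.38.3 255.255.255.240
 ip access-group VLAN38-IN in
 ip access-group VLAN38-OUT out
```

Two caveats a practitioner would want. Router ACLs are stateless, so the in ACL on its own only stops the VLAN 38 host from initiating and replying; packets from other VLANs are still delivered to it unless the out ACL is also applied, which is why the example uses both. Keep the log keyword on the deny entries only: a permit ip ... any log entry, as in the question's ACL, logs the host's entire internet traffic, and ACL logging is handled in software on the 6500, so it is costly. A VACL (vlan access-map NAME, match ip address ACL, action drop, then vlan filter NAME vlan-list 38) filters traffic bridged between ports inside a VLAN, which a router ACL on the SVI never sees; with a single host on VLAN 38 there is no intra-VLAN traffic to police, so the SVI ACLs above are the right tool here, and a VACL only becomes necessary when the VLAN holds several hosts that must also be kept apart from each other.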