Solved

how to configure ACLs on vlan interface

Posted on 2012-09-10
Last Modified: 2012-09-11
Hi all,

I have been working at this issue for longer than I should have. Ultimately I'm looking to apply a type of VLAN security network-wide, only allowing VLANs to access the resources that they need to. In some cases I only want them to access the internet. But I'm starting small with a VLAN that will only have 1 computer on it. The requirements for this VLAN are that no VLANs on the network should be able to see this computer, and this computer on this VLAN should not be able to see anything on the network, only the internet. I'm looking for a detailed explanation of how I might accomplish this with an extended named ACL. This is what I have. Oh, and it's a 6509 switch.

First I create the ACL:

    ip access-list extended TEST
     deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 log

The reason I did the above like this is to cover all my VLANs in one deny statement (this might be my problem, but I don't know, because I don't see any difference in behavior from if I apply the following statement, if I were only blocking the 20 VLAN):

     deny ip 192.168.38.0 0.0.0.255 192.168.20.0 0.0.0.255 log

     permit ip 192.168.38.0 0.0.0.255 any log

Then I applied it to my VLAN 38 interface:

    ip access-group TEST in

It's not blocking any of the traffic that I want. I would like to keep away from having 30 deny statements every time I want to create an ACL VLAN map. Or would it be best practice to apply access mapping in this scenario? I am very new to VACLs and the idea sounds confusing, so if anyone knows of any good reads on it I would be very grateful. Thanks all.

I should note two things: these are the real IPs for obvious reasons, but we are a class C for all other VLANs and I subnetted VLAN 38 to a 255.255.255.240 to give me 15 usable addresses. Just in case that matters.
Question by: mattlast

Accepted Solution by: dallensworth (ID: 38385313)
With your extended list on Vlan 38 in, try the following:

You want to single out the traffic by its destination inbound on the interface. Finally, include explicit access to all other traffic. Your show access-list TEST will tell you if you're matching on the rules you need.

    deny ip any 192.168.0.0 0.0.255.255
    permit ip any any

You may also need to include access to DHCP and DNS at the top of that list.
Author Comment by: mattlast (ID: 38386558)
Evidently that didn't work; I am still able to ping out and ping in.
Expert Comment by: fgasimzade (ID: 38386583)
Change the access list direction to OUT.
Expert Comment by: fgasimzade (ID: 38386631)
By the way, how are you testing connectivity? By pinging VLAN interfaces or PCs?
Author Comment by: mattlast (ID: 38386763)
PCs.
Author Comment by: mattlast (ID: 38386774)
It still isn't working if I put the suggested statements on the out of the VLAN.
Expert Comment by: fgasimzade (ID: 38386793)
Can you post the sh ip access-list output here?
Author Comment by: mattlast (ID: 38386931)
I can give you a modified version where x is what I deem the network portion of the ACL:

Extended IP access list TEST
    10 deny ip any x.x.0.0 0.0.255.255 log (44 matches)
    20 permit ip any any log
interface Vlan38
 description TEST
 ip address x.x.38.3 255.255.255.240
 ip access-group TEST out
Author Comment by: mattlast (ID: 38386942)
So it worked in stopping all traffic from pinging the host on VLAN 38, but the host on VLAN 38 should be able to reach the internet, and it can't. I have the host's DNS set to 8.8.8.8, so it shouldn't need to see our internal DNS.
Author Comment by: mattlast (ID: 38387182)
This is all set. I changed it back to in and corrected an issue with DNS, and it works like a charm. Thanks.