• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 925

how to configure ACLs on vlan interface

Hi all,

I have been working at this issue for longer than I should have. Ultimately I'm looking to apply a type of VLAN security network-wide, only allowing VLANs to access the resources that they need to. In some cases I only want them to access the internet. But I'm starting small with a VLAN that will only have 1 computer on it. The requirements for this VLAN are that no VLANs on the network should be able to see this computer, and this computer on this VLAN should not be able to see anything on the network, only the internet. I'm looking for a detailed explanation of how I might accomplish this with an extended named ACL. This is what I have. Oh, and it's a 6509 switch.

First I create the ACL:

    ip access-list extended TEST
    deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 log

The reason I did the above like this is to cover all my VLANs in one deny statement (this might be my problem, but I don't know, because I don't see any difference in behavior from when I apply the following statement, as if I were only blocking VLAN 20):

    deny ip 192.168.38.0 0.0.0.255 192.168.20.0 0.0.0.255 log
    permit ip 192.168.38.0 0.0.0.255 any log

Then I applied it to my VLAN 38 interface:

    ip access-group TEST in

It's not blocking any of the traffic that I want. I would like to keep away from having 30 deny statements every time I want to create an ACL VLAN map. Or would it be best practice to apply access mapping in this scenario? I am very new to VACLs and the idea sounds confusing, so if anyone knows of any good reads on it I would be very grateful. Thanks all.

I should note two things: these are the real IPs for obvious reasons, but we are a class C for all other VLANs and I subnetted VLAN 38 to a 255.255.255.240 to give me 15 usable addresses. Just in case that matters.

Asked by mattlast

1 Solution
dallensworth commented:
With your extended list on VLAN 38 in, try the following:

You want to single out the traffic by its destination inbound on the interface. Finally, include explicit access to all other traffic. Your show access-list TEST will tell you if you're matching on the rules you need.

    deny ip any 192.168.0.0 0.0.255.255
    permit ip any any

You may also need to include access to DHCP and DNS at the top of that list.

mattlast (Author) commented:
Evidently that didn't work; I am still able to ping out and ping in.

fgasimzade commented:
Change access list direction to OUT.

fgasimzade commented:
By the way, how are you testing connectivity? By pinging VLAN interfaces or PCs?

mattlast (Author) commented:
PCs.

mattlast (Author) commented:
It still isn't working if I put the statements suggested on the out of the VLAN.

fgasimzade commented:
Can you post the sh ip access-list output results here?

mattlast (Author) commented:
I can give you a modified version where x is what I deem the network portion of the ACL.

    Extended IP access list TEST
        10 deny ip any x.x.0.0 0.0.255.255 log (44 matches)
        20 permit ip any any log

    interface Vlan38
     description TEST
     ip address x.x.38.3 255.255.255.240
     ip access-group TEST out

mattlast (Author) commented:
So it worked in stopping all traffic from pinging the host on VLAN 38, but the host on VLAN 38 should be able to reach the internet, and it can't. I have the host's DNS set to 8.8.8.8, so it shouldn't need to see our internal DNS.

mattlast (Author) commented:
This is all set. I changed it back to "in" and corrected an issue with DNS, and it works like a charm. Thanks.
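The two placements tried in this thread, modelled as an added example (this is not code from the thread, from Cisco, or from the 6509 itself): a small Python evaluator for extended ACL entries with IOS-style wildcard masks, first-match semantics and the implicit deny at the end, applied either "in" or "out" on the Vlan38 SVI. The hosts 192.168.38.5 and 192.168.20.7, the internal DNS server 192.168.1.10 and the ICMP/UDP flows are all constructed; the ACL is dallensworth's two-line list. The model shows why "out" blocked pings to VLAN 38 but also broke internet access (the replies coming back to 192.168.38.x are denied on egress), why "in" blocks pings in both directions (the reply from VLAN 38 is denied on ingress), and why DNS had to point at 8.8.8.8 rather than an internal server.

```python
"""Added example: model Cisco extended ACL evaluation on an SVI.

Everything here (hosts, subnets, flows) is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass
class Ace:
    """One access-control entry, in the order the fields are typed in IOS."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches everything; else "icmp", "udp", "tcp"
    src: str                    # "any" or "<network> <wildcard>"
    dst: str
    dport: Optional[int] = None  # destination port for udp/tcp entries


def wildcard_match(spec: str, addr: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = ~_ip(wild) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(net) & care)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (wildcard_match(ace.src, src) and wildcard_match(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


@dataclass
class Svi:
    """A routed VLAN interface; None means no ACL applied in that direction."""
    name: str
    subnet: str
    acl_in: Optional[List[Ace]] = None
    acl_out: Optional[List[Ace]] = None


def forward(svis: List[Svi], proto: str, src: str, dst: str,
            dport: Optional[int] = None) -> str:
    """Route one packet: 'in' ACL of the SVI the packet enters from, then 'out'
    ACL of the SVI it leaves through. Addresses in no SVI subnet are 'internet'."""
    ingress = next((s for s in svis if wildcard_match(s.subnet, src)), None)
    egress = next((s for s in svis if wildcard_match(s.subnet, dst)), None)
    if ingress and ingress.acl_in is not None:
        if evaluate(ingress.acl_in, proto, src, dst, dport) == "deny":
            return "deny"
    if egress and egress.acl_out is not None:
        if evaluate(egress.acl_out, proto, src, dst, dport) == "deny":
            return "deny"
    return "permit"


def ping_succeeds(svis: List[Svi], a: str, b: str) -> bool:
    """A ping needs the echo request a->b AND the echo reply b->a to pass."""
    return (forward(svis, "icmp", a, b) == "permit"
            and forward(svis, "icmp", b, a) == "permit")


# dallensworth's list: deny anything aimed at the internal /16, permit the rest.
TEST = [
    Ace("deny", "ip", "any", "192.168.0.0 0.0.255.255"),
    Ace("permit", "ip", "any", "any"),
]


def topology(direction: str) -> List[Svi]:
    """Vlan20 (an ordinary /24) and Vlan38 (the /28) with TEST applied in or out."""
    v38 = Svi("Vlan38", "192.168.38.0 0.0.0.15")
    if direction == "in":
        v38.acl_in = TEST
    else:
        v38.acl_out = TEST
    return [Svi("Vlan20", "192.168.20.0 0.0.0.255"), v38]


if __name__ == "__main__":
    for direction in ("out", "in"):
        svis = topology(direction)
        print(f"TEST applied {direction} on Vlan38:")
        print("  vlan20 -> vlan38 ping:", ping_succeeds(svis, "192.168.20.7", "192.168.38.5"))
        print("  vlan38 -> internet ping:", ping_succeeds(svis, "192.168.38.5", "8.8.8.8"))
    print("DNS to 8.8.8.8 from vlan38:",
          evaluate(TEST, "udp", "192.168.38.5", "8.8.8.8", 53))
    print("DNS to internal 192.168.1.10 from vlan38:",
          evaluate(TEST, "udp", "192.168.38.5", "192.168.1.10", 53))
```

The model deliberately ignores a second filtering layer the thread mentions (VACLs on the VLAN itself) and checks only the routed path through the SVI; for the asker's requirement that is the relevant path, because traffic between VLANs and to the internet has to be routed.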