mattlast
asked on
how to configure ACLs on vlan interface
Hi all,
I have been working at this issue for longer than I should have. Ultimately I'm looking to apply a type of VLAN security network wide, only allowing VLANs to access the resources that they need to. In some cases I only want them to access the internet. But I'm starting small with a VLAN that will only have 1 computer on it. The requirements for this VLAN are that no VLANs on the network should be able to see this computer, and this computer on this VLAN should not be able to see anything on the network, only the internet. I'm looking for a detailed explanation on how I might accomplish this with an extended named ACL. This is what I have.. oh, and it's a 6509 switch.
First I create the ACL
(ip access-list extended TEST)
(deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 log)
The reason I did the above like this is to cover all my VLANs in one deny statement (this might be my problem, but I don't know, because I don't see any difference in behavior from if I apply the following statement, if I were only blocking the 20 VLAN)
(deny ip 192.168.38.0 0.0.0.255 192.168.20.0 0.0.0.255 log)
(permit ip 192.168.38.0 0.0.0.255 any log)
Then I applied it to my vlan 38 interface
(ip access-group TEST in)
It's not blocking any of the traffic that I want. I would like to keep away from having 30 deny statements every time I want to create an ACL VLAN map. Or would it be best practice to apply access mapping in this scenario? I am very new to VACL and the idea sounds confusing, so if anyone knows of any good reads on it I would be very grateful. Thanks all
I should note two things: these are the real IPs for obvious reasons, but we are a class C for all other VLANs and I subnetted VLAN 38 to a 255.255.255.240 to give me 15 usable addresses. Just in case that matters.
Change access list direction to OUT
By the way, how are you testing connectivity? By pinging vlan interfaces or PCs?
ASKER
PCs
ASKER
It still isn't working if I put the statements suggested on the out of the VLAN
Can you post the sh ip access-list output here?
ASKER
I can give you a modified version where x is what I deem the network portion of the ACL
Extended IP access list TEST
10 deny ip any x.x.0.0 0.0.255.255 log (44 matches)
20 permit ip any any log
interface Vlan38
description TEST
ip address x.x.38.3 255.255.255.240
ip access-group TEST out
ASKER
So it worked in stopping all traffic from pinging the host on VLAN 38, but the host on VLAN 38 should be able to reach the internet, and it can't. I have the host's DNS set for 8.8.8.8, so it shouldn't need to see our internal DNS.
ASKER
This is all set. I changed it back to input and corrected an issue with DNS, and it works like a charm. Thanks
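The thread above turns on two things that are easy to get wrong: how Cisco wildcard masks match, and which packets an ACL on an SVI actually sees in the "in" versus "out" direction. The following is an added example, not code from the thread or from Cisco: a small first-match evaluator that replays the final TEST ACL against a handful of constructed flows in both directions. It assumes the asker's masked x.x.0.0 is 192.168.0.0 (as in the first post), that VLAN 38 is 192.168.38.0/28 (the 255.255.255.240 mask the asker describes), and the host, VLAN 20 and internal DNS addresses are made up for illustration.

```python
# Added example (not from the thread): a first-match evaluator for Cisco-style
# extended IP ACL entries, used to see which flows the final TEST ACL permits
# or denies depending on the direction it is applied to interface Vlan38.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # 'any' is shorthand for 0.0.0.0 255.255.255.255

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit means 'must match', a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

@dataclass
class Ace:
    seq: int
    action: str          # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    log: bool = False
    matches: int = 0     # the "(44 matches)" counter shown by show ip access-list

def parse_ace(seq: int, line: str) -> Ace:
    """Parse '<permit|deny> ip <src> <dst> [log]', where <src>/<dst> is 'any' or 'net wildcard'."""
    tokens = line.split()
    if tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    pos = 2
    def take_address() -> Tuple[str, str]:
        nonlocal pos
        if tokens[pos] == "any":
            pos += 1
            return ANY
        net, wc = tokens[pos], tokens[pos + 1]
        pos += 2
        return net, wc
    src, src_wc = take_address()
    dst, dst_wc = take_address()
    return Ace(seq, tokens[0], src, src_wc, dst, dst_wc, log="log" in tokens[pos:])

def parse_acl(text: str) -> List[Ace]:
    """Number entries 10, 20, ... as IOS does for a named ACL without explicit sequence numbers."""
    aces, seq = [], 10
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("ip access-list"):
            continue
        aces.append(parse_ace(seq, line))
        seq += 10
    return aces

def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            ace.matches += 1
            return ace.action, ace.seq
    return "deny", None

# Assumption: VLAN 38 is 192.168.38.0/28 (mask 255.255.255.240 -> wildcard 0.0.0.15).
VLAN38 = ("192.168.38.0", "0.0.0.15")

def traverses(direction: str, src: str, dst: str) -> bool:
    """A router ACL on an SVI sees a packet in one direction only:
    'in'  = packets entering the switch from a VLAN 38 host (source in VLAN 38),
    'out' = packets leaving the switch toward a VLAN 38 host (destination in VLAN 38)."""
    if direction == "in":
        return wildcard_match(src, *VLAN38)
    if direction == "out":
        return wildcard_match(dst, *VLAN38)
    raise ValueError(direction)

def check_flows(acl_text: str, direction: str,
                flows: List[Tuple[str, str]]) -> Dict[Tuple[str, str], str]:
    acl = parse_acl(acl_text)
    results = {}
    for src, dst in flows:
        if not traverses(direction, src, dst):
            results[(src, dst)] = f"not evaluated on Vlan38 {direction}"
        else:
            action, seq = evaluate(acl, src, dst)
            results[(src, dst)] = f"{action} (seq {seq})" if seq else "deny (implicit)"
    return results

# The final ACL from the thread, with the masked x.x.0.0 written as 192.168.0.0.
TEST_ACL = """
ip access-list extended TEST
 deny ip any 192.168.0.0 0.0.255.255 log
 permit ip any any log
"""

# Constructed sample flows (addresses are made up for the example).
FLOWS = [
    ("192.168.38.5", "8.8.8.8"),          # VLAN 38 host -> internet DNS
    ("192.168.38.5", "192.168.20.10"),    # VLAN 38 host -> a host on VLAN 20
    ("192.168.38.5", "192.168.1.53"),     # VLAN 38 host -> an internal resolver
    ("192.168.20.10", "192.168.38.5"),    # VLAN 20 host -> VLAN 38 host
]

if __name__ == "__main__":
    for direction in ("in", "out"):
        print(f"--- ip access-group TEST {direction} on interface Vlan38")
        for (src, dst), verdict in check_flows(TEST_ACL, direction, FLOWS).items():
            print(f"{src:>15} -> {dst:<15} {verdict}")
```

Running it shows why the DNS fix was needed: with the ACL applied "in", the host reaches 8.8.8.8 (seq 20) but any 192.168.0.0/16 destination, an internal resolver included, hits seq 10, so the host's DNS must point outside the network. It also shows why "in" still stops other VLANs from pinging the host even though their packets are never evaluated in that direction: the ACL is stateless, so the echo reply leaving the VLAN 38 host is what gets dropped. A practical caveat on the final ACL: "log" on a "permit ip any any" entry makes every permitted flow generate logging work on the route processor, so in production keep "log" on the deny entries only.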