Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 557
  • Last Modified:

Cisco Switch 3750 ACL

Hello i have multiple VLAN and i would like that any vlan trying to ping VLAN_ADMIN cannot reach it

I was able to do it this way

access-list 100 deny   icmp any any echo
access-list 100 deny   icmp any any echo-reply
access-list 100 permit ip any any

interface vlan 80
no ip access-group 100 in


But this way i need to do this on all VLAN

IS there a way to make an access-list on interface vlan_admin instead

How can i do that ?

Thanks !
0
jfguenet
Asked:
jfguenet
  • 2
  • 2
  • 2
  • +1
1 Solution
 
rauenpcCommented:
I believe you can accomplish this by setting an ACL on the vlan_admin in the OUT direction. The sources will be all the other vlans, and the destination can be any.

Depending on the use for vlan_admin, you might be able to use VRF to accomplish this as well and then you won't need to use ACL's.
0
 
jfguenetAuthor Commented:
Can you explain what should i write please for the acl ?
0
 
rauenpcCommented:
ip access-list extended Protect_vlan-admin
   deny ip 192.168.1.0 0.0.0.255 any
   deny ip 192.168.2.0 0.0.0.255 any
   deny ip 192.168.3.0 0.0.0.255 any
   permit ip any any

interface vlan 10
ip access-group Protect_vlan-admin out



The above would stop the 3 192.168.[1-3].x subnets from routing traffic to vlan 10. Substitute your IP's and vlan numbers.
0
Free recovery tool for Microsoft Active Directory

Veeam Explorer for Microsoft Active Directory provides fast and reliable object-level recovery for Active Directory from a single-pass, agentless backup or storage snapshot — without the need to restore an entire virtual machine or use third-party tools.

 
jfguenetAuthor Commented:
I just wan to deny ping from 192.168.80.0 to 192.168.90.0  to 192.168.10.0

Thanks
0
 
StrifeJesterCommented:
The echo reply command you have used would not matter if you have the direction in except when you ping from the admin VLAN. Stopping all incoming ICMP ECHOs on the interface in the in direction would mean that the interface never sees the request and therefore you do no need to block the reply.

access-list 102 deny icmp any any echo
access-list 102 permit ip any any

then on the interface for your admin vlan go you would issue

interface vlan (your admin number)
ip access group 102 in
0
 
StrifeJesterCommented:
You should be able to apply the 102 ACL to both vlans 10 and 90 on the in:

interface vlan 90
ip access group 102 in

interface vlan 10
ip access group 102 in

The in command will block packets that are coming into the interface from somewhere else. Blocking the reply on the in will still allow the ICMP packets to get to the destination from the 80 subnet. You could also put the ACL on the out so that they are blocked from the 80 vlan to anything.
0
 
rochey2009Commented:
Have a look at the following link which talks about VACLs:

http://blog.ine.com/2009/08/10/vlan-access-control-lists-vacls-tiers-1/
0

Featured Post

Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

  • 2
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now