Cisco Switch 3750 ACL

Hello, I have multiple VLANs and I would like any VLAN trying to ping VLAN_ADMIN to be unable to reach it.

I was able to do it this way

access-list 100 deny   icmp any any echo
access-list 100 deny   icmp any any echo-reply
access-list 100 permit ip any any

interface vlan 80
no ip access-group 100 in


But this way I need to do this on every VLAN.

Is there a way to make an access list on interface vlan_admin instead?

How can I do that?

Thanks !
jfguenet Asked:
 
rochey2009 Commented:
Have a look at the following link which talks about VACLs:

http://blog.ine.com/2009/08/10/vlan-access-control-lists-vacls-tiers-1/
0
 
rauenpc Commented:
I believe you can accomplish this by setting an ACL on the vlan_admin in the OUT direction. The sources will be all the other VLANs, and the destination can be any.

Depending on the use for vlan_admin, you might be able to use VRF to accomplish this as well, and then you won't need to use ACLs.
0
 
jfguenet (Author) Commented:
Can you explain what I should write for the ACL, please?
0
 
rauenpc Commented:
ip access-list extended Protect_vlan-admin
   deny ip 192.168.1.0 0.0.0.255 any
   deny ip 192.168.2.0 0.0.0.255 any
   deny ip 192.168.3.0 0.0.0.255 any
   permit ip any any

interface vlan 10
ip access-group Protect_vlan-admin out



The above would stop the 3 192.168.[1-3].x subnets from routing traffic to VLAN 10. Substitute your IPs and VLAN numbers.
0
 
jfguenet (Author) Commented:
I just want to deny ping from 192.168.80.0 to 192.168.90.0  to 192.168.10.0

Thanks
0
 
Justin Ellenbecker, IT Director Commented:
The echo-reply command you have used would not matter if you have the direction in, except when you ping from the admin VLAN. Stopping all incoming ICMP ECHOs on the interface in the in direction would mean that the interface never sees the request, and therefore you do not need to block the reply.

access-list 102 deny icmp any any echo
access-list 102 permit ip any any

Then on the interface for your admin VLAN you would issue:

interface vlan (your admin number)
ip access-group 102 in
0
 
Justin Ellenbecker, IT Director Commented:
You should be able to apply the 102 ACL to both vlans 10 and 90 on the in:

interface vlan 90
ip access-group 102 in

interface vlan 10
ip access-group 102 in

The in command will block packets that are coming into the interface from somewhere else. Blocking the reply on the in will still allow the ICMP packets to get to the destination from the 80 subnet. You could also put the ACL on the out so that they are blocked from the 80 vlan to anything.
0
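To check what an extended ACL of the kind posted in this thread would do before applying it, the following added example (not code from any poster) models first-match evaluation with wildcard masks in Python. The ACL text is constructed from the subnets mentioned in the thread, the /24 wildcard masks are an assumption, and the model ignores interface direction, ports and other IOS keywords.

```python
import ipaddress

# Constructed ACL (not from the thread): block only ICMP echo from the
# 192.168.80.0 subnet to the admin subnet; /24 wildcard masks are assumed.
ACL = """\
deny icmp 192.168.80.0 0.0.0.255 192.168.10.0 0.0.0.255 echo
permit ip any any
"""

def _addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    first = tokens.pop(0)
    if first == "any":
        return (0, 0xFFFFFFFF)
    if first == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    wildcard = tokens.pop(0)
    return (int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(wildcard)))

def parse(text):
    """Parse 'action proto src dst [icmp-type]' lines into ordered entries."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _addr(tokens), _addr(tokens)
        icmp_type = tokens.pop(0) if tokens else None
        entries.append((action, proto, src, dst, icmp_type))
    return entries

def _match(spec, ip):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # a wildcard bit of 1 means "don't care"
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)

def evaluate(entries, proto, src, dst, icmp_type=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, e_proto, e_src, e_dst, e_type in entries:
        if e_proto not in ("ip", proto):
            continue
        if e_type is not None and e_type != icmp_type:
            continue
        if _match(e_src, src) and _match(e_dst, dst):
            return action
    return "deny"
```

Running the same packets through a subnet-wide `deny ip` entry and through the ICMP-echo-only entry shows the difference in scope: the first drops all routed traffic from the listed subnet, the second drops only pings and leaves echo replies and other protocols alone.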
Question has a verified solution.