Solved

Cisco Switch 3750 ACL

Posted on 2013-01-24
7
538 Views
Last Modified: 2013-05-14
Hello i have multiple VLAN and i would like that any vlan trying to ping VLAN_ADMIN cannot reach it

I was able to do it this way

access-list 100 deny   icmp any any echo
access-list 100 deny   icmp any any echo-reply
access-list 100 permit ip any any

interface vlan 80
no ip access-group 100 in


But this way i need to do this on all VLAN

IS there a way to make an access-list on interface vlan_admin instead

How can i do that ?

Thanks !
0
Comment
Question by:jfguenet
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 38815642
I believe you can accomplish this by setting an ACL on the vlan_admin in the OUT direction. The sources will be all the other vlans, and the destination can be any.

Depending on the use for vlan_admin, you might be able to use VRF to accomplish this as well and then you won't need to use ACL's.
0
 

Author Comment

by:jfguenet
ID: 38815745
Can you explain what should i write please for the acl ?
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 38816002
ip access-list extended Protect_vlan-admin
   deny ip 192.168.1.0 0.0.0.255 any
   deny ip 192.168.2.0 0.0.0.255 any
   deny ip 192.168.3.0 0.0.0.255 any
   permit ip any any

interface vlan 10
ip access-group Protect_vlan-admin out



The above would stop the 3 192.168.[1-3].x subnets from routing traffic to vlan 10. Substitute your IP's and vlan numbers.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:jfguenet
ID: 38816244
I just wan to deny ping from 192.168.80.0 to 192.168.90.0  to 192.168.10.0

Thanks
0
 
LVL 17

Expert Comment

by:StrifeJester
ID: 38816352
The echo reply command you have used would not matter if you have the direction in except when you ping from the admin VLAN. Stopping all incoming ICMP ECHOs on the interface in the in direction would mean that the interface never sees the request and therefore you do no need to block the reply.

access-list 102 deny icmp any any echo
access-list 102 permit ip any any

then on the interface for your admin vlan go you would issue

interface vlan (your admin number)
ip access group 102 in
0
 
LVL 17

Expert Comment

by:StrifeJester
ID: 38816373
You should be able to apply the 102 ACL to both vlans 10 and 90 on the in:

interface vlan 90
ip access group 102 in

interface vlan 10
ip access group 102 in

The in command will block packets that are coming into the interface from somewhere else. Blocking the reply on the in will still allow the ICMP packets to get to the destination from the 80 subnet. You could also put the ACL on the out so that they are blocked from the 80 vlan to anything.
0
 
LVL 17

Accepted Solution

by:
rochey2009 earned 500 total points
ID: 38823198
Have a look at the following link which talks about VACLs:

http://blog.ine.com/2009/08/10/vlan-access-control-lists-vacls-tiers-1/
0

Featured Post

Scale it in WD Gold

With up to ten times the workload capacity of desktop drives, WD Gold hard drives employ advanced technology to deliver among the best in reliability, capacity, power efficiency and performance.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a computer or other electronic gear that is attached to a rat nest of cables, or alternatively have your cables all bundled nice at neat?  If so then read this post to sidstep common pitfalls. When I was a student at DeVry University,…
This article will step through configuring a SonicWALL appliance to utilize an internal DHCP server for Global VPN Client (GVC) hosts.  There are times when using an external (external to the SonicWALL) DHCP server, such as Windows Servers, isn’t pr…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now