Solved

Cisco Switch 3750 ACL

Posted on 2013-01-24
7
553 Views
Last Modified: 2013-05-14
Hello i have multiple VLAN and i would like that any vlan trying to ping VLAN_ADMIN cannot reach it

I was able to do it this way

access-list 100 deny   icmp any any echo
access-list 100 deny   icmp any any echo-reply
access-list 100 permit ip any any

interface vlan 80
no ip access-group 100 in


But this way i need to do this on all VLAN

IS there a way to make an access-list on interface vlan_admin instead

How can i do that ?

Thanks !
0
Comment
Question by:jfguenet
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 38815642
I believe you can accomplish this by setting an ACL on the vlan_admin in the OUT direction. The sources will be all the other vlans, and the destination can be any.

Depending on the use for vlan_admin, you might be able to use VRF to accomplish this as well and then you won't need to use ACL's.
0
 

Author Comment

by:jfguenet
ID: 38815745
Can you explain what should i write please for the acl ?
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 38816002
ip access-list extended Protect_vlan-admin
   deny ip 192.168.1.0 0.0.0.255 any
   deny ip 192.168.2.0 0.0.0.255 any
   deny ip 192.168.3.0 0.0.0.255 any
   permit ip any any

interface vlan 10
ip access-group Protect_vlan-admin out



The above would stop the 3 192.168.[1-3].x subnets from routing traffic to vlan 10. Substitute your IP's and vlan numbers.
0
Save the day with this special offer from ATEN!

Save 30% on the CV211 using promo code EXPERTS30 now through April 30th. The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

 

Author Comment

by:jfguenet
ID: 38816244
I just wan to deny ping from 192.168.80.0 to 192.168.90.0  to 192.168.10.0

Thanks
0
 
LVL 17

Expert Comment

by:StrifeJester
ID: 38816352
The echo reply command you have used would not matter if you have the direction in except when you ping from the admin VLAN. Stopping all incoming ICMP ECHOs on the interface in the in direction would mean that the interface never sees the request and therefore you do no need to block the reply.

access-list 102 deny icmp any any echo
access-list 102 permit ip any any

then on the interface for your admin vlan go you would issue

interface vlan (your admin number)
ip access group 102 in
0
 
LVL 17

Expert Comment

by:StrifeJester
ID: 38816373
You should be able to apply the 102 ACL to both vlans 10 and 90 on the in:

interface vlan 90
ip access group 102 in

interface vlan 10
ip access group 102 in

The in command will block packets that are coming into the interface from somewhere else. Blocking the reply on the in will still allow the ICMP packets to get to the destination from the 80 subnet. You could also put the ACL on the out so that they are blocked from the 80 vlan to anything.
0
 
LVL 17

Accepted Solution

by:
rochey2009 earned 500 total points
ID: 38823198
Have a look at the following link which talks about VACLs:

http://blog.ine.com/2009/08/10/vlan-access-control-lists-vacls-tiers-1/
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This tutorial will go through the steps required to write a script that will back up the configuration settings of a HP-ProCurve switch. You will need to get the following things to follow this tutorial: Telnet Scripting Tool e.g. TST10.exe …
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question