Solved

Cisco Switch 3750 ACL

Posted on 2013-01-24
7
547 Views
Last Modified: 2013-05-14
Hello i have multiple VLAN and i would like that any vlan trying to ping VLAN_ADMIN cannot reach it

I was able to do it this way

access-list 100 deny   icmp any any echo
access-list 100 deny   icmp any any echo-reply
access-list 100 permit ip any any

interface vlan 80
no ip access-group 100 in


But this way i need to do this on all VLAN

IS there a way to make an access-list on interface vlan_admin instead

How can i do that ?

Thanks !
0
Comment
Question by:jfguenet
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 38815642
I believe you can accomplish this by setting an ACL on the vlan_admin in the OUT direction. The sources will be all the other vlans, and the destination can be any.

Depending on the use for vlan_admin, you might be able to use VRF to accomplish this as well and then you won't need to use ACL's.
0
 

Author Comment

by:jfguenet
ID: 38815745
Can you explain what should i write please for the acl ?
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 38816002
ip access-list extended Protect_vlan-admin
   deny ip 192.168.1.0 0.0.0.255 any
   deny ip 192.168.2.0 0.0.0.255 any
   deny ip 192.168.3.0 0.0.0.255 any
   permit ip any any

interface vlan 10
ip access-group Protect_vlan-admin out



The above would stop the 3 192.168.[1-3].x subnets from routing traffic to vlan 10. Substitute your IP's and vlan numbers.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 

Author Comment

by:jfguenet
ID: 38816244
I just wan to deny ping from 192.168.80.0 to 192.168.90.0  to 192.168.10.0

Thanks
0
 
LVL 17

Expert Comment

by:StrifeJester
ID: 38816352
The echo reply command you have used would not matter if you have the direction in except when you ping from the admin VLAN. Stopping all incoming ICMP ECHOs on the interface in the in direction would mean that the interface never sees the request and therefore you do no need to block the reply.

access-list 102 deny icmp any any echo
access-list 102 permit ip any any

then on the interface for your admin vlan go you would issue

interface vlan (your admin number)
ip access group 102 in
0
 
LVL 17

Expert Comment

by:StrifeJester
ID: 38816373
You should be able to apply the 102 ACL to both vlans 10 and 90 on the in:

interface vlan 90
ip access group 102 in

interface vlan 10
ip access group 102 in

The in command will block packets that are coming into the interface from somewhere else. Blocking the reply on the in will still allow the ICMP packets to get to the destination from the 80 subnet. You could also put the ACL on the out so that they are blocked from the 80 vlan to anything.
0
 
LVL 17

Accepted Solution

by:
rochey2009 earned 500 total points
ID: 38823198
Have a look at the following link which talks about VACLs:

http://blog.ine.com/2009/08/10/vlan-access-control-lists-vacls-tiers-1/
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
managing a small network 6 97
CISCO Smartnet agreement 5 54
Stacked switch question 7 40
igmp snooping in layer 2 switch 4 12
 One of the main issues with network wires is that you never have enough.  You run plenty and plan for the worst case but you still end up needing more.  What many people do not realize is with 10BaseT and 100BaseT (but not 1000BaseT) networks you …
This article is a how to to configure a UCS Ethernet-uplink portchannel via the console. It is easy to do and can be done quite quickly. In certain versions of the UCS manager the portchannel has issues coming up and this is a workaround. I am…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question