10-04-2024 04:22 PM - edited 10-04-2024 04:30 PM
Hi,
I need some advice. I have an ACL1 with four internal VLANs as source (VLAN1, VLAN2, VLAN3, VLAN4). All of them have permitted access via tcp/80 and tcp/443 to destination ANY (WAN).
ACL2 permits VLAN3 to access a host in VLAN10 via tcp/21. The problem is that, because of destination ANY in ACL1, hosts in VLAN3 have permitted access via tcp/80 and tcp/443 to that host in VLAN10.
I need a solution to replace destination ANY in ACL1 so VLAN1-4 can still access all destination hosts in the WAN (internet) but VLAN3 has no access to that host in VLAN10 via tcp/80 and tcp/443 (tcp/21 only instead). Instead of that "solution" maybe there is a better way to achieve it.
One possible variant could be to define a group with all public IP address ranges:
1.0.0.0 – 9.255.255.255
11.0.0.0 – 126.255.255.255
129.0.0.0 – 169.253.255.255
169.255.0.0 – 172.15.255.255
172.32.0.0 – 191.0.1.255
192.0.3.0 – 192.88.98.255
192.88.100.0 – 192.167.255.255
192.169.0.0 – 198.17.255.255
198.20.0.0 – 223.255.255.255
Likely there is a better way.
10-04-2024 05:19 PM
When you are doing ACLs, think of a pyramid structure: more specific stuff is at the top and broader stuff is at the bottom.
So in ACL1 you can simply add a deny statement at the top with source of VLAN3, destination IP of VLAN10, source port any and destination port 80,443.
10-05-2024 12:24 AM
First, check how we can use established with ACLs.
Second, you can config deny vlanX to vlanY, then config permit vlanX to ANY. This prevents vlanX from accessing vlanY but allows vlanX to access any other IP. This order of ACL makes the difference.
MHM
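Both replies rest on the same point: entries are evaluated top-down and the first match wins, so a narrow deny only works if it sits above the broad permit. The following is an added illustration, not code from the thread or from any vendor: a small first-match ACL evaluator that replays the poster's ACL1 with the suggested deny above the permits and, for contrast, below them. All addresses (VLAN1-4 as 10.0.1.0/24 to 10.0.4.0/24, the VLAN10 host as 10.0.10.5, an internet host as 198.51.100.10) are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the thread's scenario (assumed, not from the post).
VLAN3 = "10.0.3.0/24"
VLAN10_HOST = "10.0.10.5/32"
ANY = "0.0.0.0/0"

@dataclass
class Ace:
    """One access-control entry, evaluated first-match like an extended ACL."""
    action: str              # "permit" or "deny"
    src: str                 # source network, CIDR
    dst: str                 # destination network, CIDR (ANY = 0.0.0.0/0)
    dports: Optional[set]    # destination TCP ports; None means 'any'

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dports is None or dport in self.dports))

def evaluate(acl, src_ip: str, dst_ip: str, dport: int) -> str:
    """Return the action of the first matching entry; implicit deny at the end."""
    for ace in acl:
        if ace.matches(src_ip, dst_ip, dport):
            return ace.action
    return "deny"

# ACL1 as the original poster had it: VLAN1-4 permitted to ANY on 80/443.
PERMIT_WEB = [Ace("permit", f"10.0.{v}.0/24", ANY, {80, 443}) for v in (1, 2, 3, 4)]

# The fix from the replies: the specific deny placed ABOVE the broad permits.
ACL1_FIXED = [Ace("deny", VLAN3, VLAN10_HOST, {80, 443})] + PERMIT_WEB

# The same deny placed BELOW the permits is never reached (first match wins).
ACL1_WRONG_ORDER = PERMIT_WEB + [Ace("deny", VLAN3, VLAN10_HOST, {80, 443})]

def check(acl):
    """(VLAN3 -> VLAN10 host :443, VLAN3 -> internet :443, VLAN1 -> VLAN10 host :443)."""
    return (evaluate(acl, "10.0.3.20", "10.0.10.5", 443),
            evaluate(acl, "10.0.3.20", "198.51.100.10", 443),
            evaluate(acl, "10.0.1.20", "10.0.10.5", 443))

if __name__ == "__main__":
    print("deny above permits:", check(ACL1_FIXED))        # ('deny', 'permit', 'permit')
    print("deny below permits:", check(ACL1_WRONG_ORDER))  # ('permit', 'permit', 'permit')
```

Note that ACL1 alone still does not permit tcp/21 from VLAN3 to the VLAN10 host; that remains the job of ACL2 as in the original post.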