catalyst 4006 and vlan ACL's

matthew.bauer
Level 1

Hey All,

I am trying to tighten down a vlan on my network. I have a 4006 with 2 vlans right now. Vlan 1 has all of the servers that are needed. Couple of web servers, DNS servers, DHCP and file servers.

Vlan 3 is the other vlan. I have created an ACL that mimics the following:

access-list 102 permit ip any host 10.1.254.10
access-list 102 permit ip any host 10.1.254.11
access-list 102 permit ip any host 10.1.254.12
access-list 102 permit ip any host 10.1.254.15
access-list 102 permit ip any host 10.1.254.16
access-list 102 permit ip any host 10.1.254.20
access-list 102 permit ip any host 10.1.254.22
access-list 102 permit ip any host 10.1.254.23
access-list 102 deny ip any any

I used the following to assign it to Vlan 3 on the 4006:

ip access-group 102 in

I knew that web traffic would stop, but I need to find out a way to allow traffic that is not going to either vlan to pass through.

Does that make sense?

Thanks for your insight

Matt

Accepted Solution

thisisshanky
Level 11

Matt,

Change your acl as follows:

access-list 102 permit ip any host 10.1.254.10
access-list 102 permit ip any host 10.1.254.11
access-list 102 permit ip any host 10.1.254.12
access-list 102 permit ip any host 10.1.254.15
access-list 102 permit ip any host 10.1.254.16
access-list 102 permit ip any host 10.1.254.20
access-list 102 permit ip any host 10.1.254.22
access-list 102 permit ip any host 10.1.254.23
access-list 102 deny ip any 10.1.254.0 0.0.0.255
access-list 102 permit ip any any

The second-to-last line will deny any traffic going to the 10.1.254.0 network (only the specific hosts permitted in the first 8 lines are allowed). Similarly, you can add another line to deny any other traffic going to vlan 2.

Note that numbered extended ACLs have to be removed first and recreated. The best practice is to copy the ACL statements to a notepad and edit them there.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

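To see why the order of the entries matters, here is an added example (not from the thread or from Cisco) that parses the numbered extended ACL syntax used above, applies IOS first-match semantics with the implicit deny at the end, and evaluates a few constructed flows against Matt's original ACL and Sankar's revised one; the vlan 3 client address 10.1.3.25, the unlisted server 10.1.254.50 and the internet address 203.0.113.80 are assumptions.

```python
import ipaddress

# Constructed from the thread: the eight permitted servers, Matt's original ACL
# (explicit deny at the end) and Sankar's revised one (deny rest of subnet, permit rest).
HOSTS = ["10.1.254.10", "10.1.254.11", "10.1.254.12", "10.1.254.15",
         "10.1.254.16", "10.1.254.20", "10.1.254.22", "10.1.254.23"]
PERMITS = [f"access-list 102 permit ip any host {h}" for h in HOSTS]
ORIGINAL_ACL = PERMITS + ["access-list 102 deny ip any any"]
REVISED_ACL = PERMITS + ["access-list 102 deny ip any 10.1.254.0 0.0.0.255",
                         "access-list 102 permit ip any any"]

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A.B.C.D' or 'A.B.C.D WILDCARD');
    returns (base, wildcard) as ints plus the remaining tokens."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def _matches(spec, addr):
    # IOS wildcard semantics: a 1 bit in the wildcard means "don't care"
    base, wildcard = spec
    return ((_ip(addr) ^ base) & (~wildcard & 0xFFFFFFFF)) == 0

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' into (action, src, dst)."""
    tokens = line.split()
    src, rest = _parse_addr(tokens[4:])
    dst, _ = _parse_addr(rest)
    return tokens[2], src, dst

def evaluate(acl_lines, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for line in acl_lines:
        action, s, d = parse_ace(line)
        if _matches(s, src) and _matches(d, dst):
            return action
    return "deny"

def compare(src="10.1.3.25"):
    """(original, revised) decision for constructed flows from a vlan 3 client:
    a listed server, an unlisted host on the server subnet, and the internet."""
    return {dst: (evaluate(ORIGINAL_ACL, src, dst), evaluate(REVISED_ACL, src, dst))
            for dst in ("10.1.254.11", "10.1.254.50", "203.0.113.80")}
```

Running compare() shows the original ACL dropping the internet flow while the revised one permits it, and both ACLs still denying the unlisted 10.1.254.50.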
Thanks mate, it worked like a charm

Matt