How to Configure VACLs

aessome
Level 1

Hello Gurus,

I have a problem configuring VACLs on my Catalyst:

I want to configure VACLs allowing:

a) only access to "internet" and to the VLAN "Shared Services"

b) VLAN restricting communication between VLANs

c) the Systemmanagement and Netzwerkmanagement VLAN without any restriction

my actual config:

interface Vlan1
 no ip address
!
interface Vlan9
 description ACLTest
 ip address 172.16.112.2 255.255.255.0
 no ip redirects
 standby use-bia
 standby 9 ip 172.16.112.1
 standby 9 priority 120
 standby 9 preempt
 standby 9 authentication vlan9
!
interface Vlan10
 description Netzwerkmanagement
 ip address 10.20.96.2 255.255.252.0
 no ip redirects
 standby use-bia
 standby 10 ip 10.20.96.1
 standby 10 priority 120
 standby 10 preempt
 standby 10 authentication vlan10
!
interface Vlan11
 description Shared Services
 ip address 10.20.100.2 255.255.252.0
 ip helper-address 10.20.100.22
 no ip redirects
 standby use-bia
 standby 11 ip 10.20.100.1
 standby 11 priority 120
 standby 11 preempt
 standby 11 authentication vlan11
!
interface Vlan12
 description Mainsite
 ip address 10.20.104.2 255.255.252.0
 ip helper-address 10.20.100.22
 no ip redirects
 standby use-bia
 standby 12 ip 10.20.104.1
 standby 12 priority 120
 standby 12 preempt
 standby 12 authentication vlan12
!
interface Vlan13
 description KWO
 ip address 10.20.108.2 255.255.252.0
 ip helper-address 10.20.100.22
 no ip redirects
 standby use-bia
 standby 13 ip 10.20.108.1
 standby 13 timers 3 4
 standby 13 priority 120
 standby 13 preempt
 standby 13 authentication vlan13
!
interface Vlan14
 description Dualogis
 ip address 10.20.112.2 255.255.252.0
 ip helper-address 10.20.100.22
 no ip redirects
 standby use-bia
 standby 14 ip 10.20.112.1
 standby 14 priority 120
 standby 14 preempt
 standby 14 authentication vlan14
!
interface Vlan15
 description Diolen(Polyester)
 ip address 10.20.116.2 255.255.252.0
 ip helper-address 10.20.100.22
 no ip redirects
 standby use-bia
 standby 15 ip 10.20.116.1
 standby 15 priority 120
 standby 15 preempt
 standby 15 authentication vlan15
!
interface Vlan16
 description Polyamide
 ip address 10.20.120.2 255.255.252.0
 ip helper-address 10.20.100.22
 no ip redirects
 standby use-bia
 standby 16 ip 10.20.120.1
 standby 16 priority 120
 standby 16 preempt
 standby 16 authentication vlan16
!
interface Vlan17
 description Enka
 ip address 10.20.124.2 255.255.252.0
 ip helper-address 10.20.100.22
 no ip redirects
 ipx delay 5
 ipx network 22120100
 ipx type-20-propagation
 standby use-bia
 standby 17 ip 10.20.124.1
 standby 17 priority 120
 standby 17 preempt
 standby 17 authentication vlan17
!
interface Vlan18
 description Cordenka
 ip address 10.20.128.2 255.255.252.0
 ip helper-address 10.20.100.22
 no ip redirects
 ipx delay 5
 ipx network 11110918
 ipx type-20-propagation
 standby use-bia
 standby 18 ip 10.20.128.1
 standby 18 priority 120
 standby 18 preempt
 standby 18 authentication vlan18
!
interface Vlan19
 description MAT
 ip address 10.20.132.2 255.255.252.0
 ip helper-address 10.20.100.22
 no ip redirects
 standby use-bia
 standby 19 ip 10.20.132.1
 standby 19 priority 120
 standby 19 preempt
 standby 19 authentication vlan19
!
interface Vlan20
 description Colbond
 ip address 10.20.136.2 255.255.252.0
 ip helper-address 10.20.136.26
 no ip redirects
 standby use-bia
 standby 20 ip 10.20.136.1
 standby 20 priority 120
 standby 20 preempt
 standby 20 authentication vlan20
!
interface Vlan21
 description Backup
 ip address 10.20.140.2 255.255.252.0
 ip helper-address 10.20.100.22
 no ip redirects
 standby use-bia
 standby 21 ip 10.20.140.1
 standby 21 priority 120
 standby 21 preempt
 standby 21 authentication vlan21
!
interface Vlan22
 description Systemmanagement
 ip address 10.20.144.2 255.255.252.0
 ip helper-address 10.20.100.22
 no ip redirects
 ipx delay 5
 ipx network 1111922
 ipx type-20-propagation
 standby use-bia
 standby 22 ip 10.20.144.1
 standby 22 priority 120
 standby 22 preempt
 standby 22 authentication vlan22
!
interface Vlan23
 description ISDN
 ip address 10.20.246.2 255.255.255.128
 ip helper-address 10.20.100.22
 no ip redirects
 standby use-bia
 standby 23 ip 10.20.246.1
 standby 23 priority 120
 standby 23 preempt
 standby 23 authentication vlan23
!
interface Vlan24
 description Forschung
 ip address 10.21.16.252 255.255.248.0 secondary
 ip address 10.21.8.252 255.255.248.0 secondary
 ip address 10.21.24.252 255.255.248.0 secondary
 ip address 10.21.0.252 255.255.248.0
 ip helper-address 10.21.0.58
 ip helper-address 10.20.100.22
 no ip redirects
 standby use-bia
 standby 24 ip 10.21.0.254
 standby 24 ip 10.21.8.254 secondary
 standby 24 ip 10.21.16.254 secondary
 standby 24 ip 10.21.24.254 secondary
 standby 24 priority 120
 standby 24 preempt
 standby 24 authentication vlan24
!
interface Vlan25
 no ip address
 no ip redirects
 shutdown
 standby use-bia
!
interface Vlan26
 no ip address
 no ip redirects
 shutdown
 standby use-bia
 standby 26 priority 120
 standby 26 preempt
!
interface Vlan27
 description Transfer zum WAN
 ip address 10.20.254.2 255.255.255.248
 no ip redirects
 standby use-bia
 standby 27 ip 10.20.254.1
 standby 27 priority 120
 standby 27 preempt
 standby 27 authentication vlan27
!
router eigrp 600
 network 10.20.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.20.254.3
ip route 10.20.14.0 255.255.255.0 10.20.112.4
ip route 10.20.246.128 255.255.255.128 10.20.246.10
ip route 10.27.0.0 255.255.0.0 10.21.1.251
ip http server
!
access-list 2601 permit ip 10.20.0.0 0.0.255.255 10.20.100.0 0.0.3.255
access-list 2601 permit ip 10.20.0.0 0.0.255.255 10.20.254.0 0.0.0.7
access-list 2601 permit ip 172.16.112.0 0.0.0.255 any
access-list 2602 permit ip 10.21.0.0 0.0.7.255 10.20.100.0 0.0.3.255
access-list 2602 permit ip 10.21.8.0 0.0.7.255 10.20.100.0 0.0.3.255
access-list 2602 permit ip 10.21.16.0 0.0.7.255 10.20.100.0 0.0.3.255
access-list 2602 permit ip 10.21.24.0 0.0.7.255 10.20.100.0 0.0.3.255
access-list 2602 permit ip 10.21.0.0 0.0.7.255 10.20.254.0 0.0.0.7
access-list 2602 permit ip 10.21.8.0 0.0.7.255 10.20.254.0 0.0.0.7
access-list 2602 permit ip 10.21.16.0 0.0.7.255 10.20.254.0 0.0.0.7
access-list 2602 permit ip 10.21.24.0 0.0.7.255 10.20.254.0 0.0.0.7

Thanks for any help

AFE

2 Replies

Hello,

a few questions to clarify what you want:

a) only access to "internet" and to the VLAN "Shared Services"

--> who should be able to access the Internet and the VLAN "Shared Services"?

b) VLAN restricting communication between VLANs

--> do you want to configure a VACL so that no VLAN can talk to any other VLAN?

c) the Systemmanagement and Netzwerkmanagement VLAN without any restriction

--> these two VLANs should be able to talk to each other without restriction, but to no other VLAN?

What have you configured so far, how does your VACL look so far?

Regards,

Georg

Hello Georg,

a) only access to "internet" and to the VLAN "Shared Services"

--> who should be able to access the Internet and the VLAN "Shared Services"? YES

b) VLAN restricting communication between VLANs

--> do you want to configure a VACL so that no VLAN can talk to any other VLAN? YES

c) the Systemmanagement and Netzwerkmanagement VLAN without any restriction

--> these two VLANs should be able to talk to each other without restriction? YES

but to no other VLAN? YES, they should also be able to talk to the others

What have you configured so far, how does your VACL look so far?

access-list 2601 permit ip 10.20.0.0 0.0.255.255 10.20.100.0 0.0.3.255
access-list 2601 permit ip 10.20.0.0 0.0.255.255 10.20.254.0 0.0.0.7
access-list 2601 permit ip 172.16.112.0 0.0.0.255 any
access-list 2602 permit ip 10.21.0.0 0.0.7.255 10.20.100.0 0.0.3.255
access-list 2602 permit ip 10.21.8.0 0.0.7.255 10.20.100.0 0.0.3.255
access-list 2602 permit ip 10.21.16.0 0.0.7.255 10.20.100.0 0.0.3.255
access-list 2602 permit ip 10.21.24.0 0.0.7.255 10.20.100.0 0.0.3.255
access-list 2602 permit ip 10.21.0.0 0.0.7.255 10.20.254.0 0.0.0.7
access-list 2602 permit ip 10.21.8.0 0.0.7.255 10.20.254.0 0.0.0.7
access-list 2602 permit ip 10.21.16.0 0.0.7.255 10.20.254.0 0.0.0.7
access-list 2602 permit ip 10.21.24.0 0.0.7.255 10.20.254.0 0.0.0.7
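As an added check that is not part of the thread, the Python below evaluates the posted access-lists 2601 and 2602 with IOS wildcard-mask semantics against constructed sample hosts taken from the VLANs in the config, and tests each conversation in both directions, because a VACL applied to a VLAN filters packets entering and leaving that VLAN regardless of direction. The sample host addresses, the flow names and the `policy_report` helper are assumptions made for this check.

```python
import ipaddress

# Constructed copy of the posted entries as (src, src wildcard, dst, dst wildcard).
# "any" is written as 0.0.0.0 with wildcard 255.255.255.255.
ACL_2601 = [
    ("10.20.0.0", "0.0.255.255", "10.20.100.0", "0.0.3.255"),      # 10.20.x.x -> Shared Services
    ("10.20.0.0", "0.0.255.255", "10.20.254.0", "0.0.0.7"),        # 10.20.x.x -> Transfer zum WAN
    ("172.16.112.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),   # ACLTest VLAN 9 -> any
]
# The eight 2602 entries: each Forschung /21 to Shared Services and to the transfer net.
# Entry order differs from the post, which does not matter for a permit-only list.
ACL_2602 = [
    (f"10.21.{o}.0", "0.0.7.255", dst, wc)
    for o in (0, 8, 16, 24)
    for dst, wc in (("10.20.100.0", "0.0.3.255"), ("10.20.254.0", "0.0.0.7"))
]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask test: a 1 bit in the wildcard is a don't-care bit."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def acl_permits(acl, src, dst):
    """First-match evaluation; these lists hold only permits, so no match is the implicit deny."""
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw) for s, sw, d, dw in acl)

def flow_works(acl, src, dst):
    """A VACL is not directional, so a conversation only works when the request
    AND the reply packet both hit a permit entry. Returns (request, reply)."""
    return acl_permits(acl, src, dst), acl_permits(acl, dst, src)

# Constructed sample hosts, one per VLAN named in the posted config; 203.0.113.5 stands in for an Internet host.
FLOWS = {
    "Mainsite -> Shared Services":    (ACL_2601, "10.20.104.10", "10.20.100.22"),
    "Mainsite -> KWO":                (ACL_2601, "10.20.104.10", "10.20.108.10"),
    "Netzwerkmanagement -> Mainsite": (ACL_2601, "10.20.96.5",   "10.20.104.10"),
    "Mainsite -> Internet host":      (ACL_2601, "10.20.104.10", "203.0.113.5"),
    "ACLTest -> Internet host":       (ACL_2601, "172.16.112.7", "203.0.113.5"),
    "Forschung -> Shared Services":   (ACL_2602, "10.21.3.4",    "10.20.100.22"),
}

def policy_report():
    """Return {flow name: (request permitted, reply permitted)} for the sample flows."""
    return {name: flow_works(acl, src, dst) for name, (acl, src, dst) in FLOWS.items()}

if __name__ == "__main__":
    for name, (req, rep) in policy_report().items():
        print(f"{name:32s} request={'permit' if req else 'deny':6s} reply={'permit' if rep else 'deny'}")
```

Read each row against goals a) to c): a request that is permitted while its reply is denied is not a working connection under a VACL, and a management-VLAN flow that is denied in both directions conflicts with goal c).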
