VACL Implementation

mcaudle85
Level 1

Our company is implementing 802.1x on our network. When a device auth fails, it is moved to our guest VLAN. I need to prevent any communication from one device to another within the VLAN and only allow outbound communication. I am sure there are many better ways to do this, but my boss wants to implement VACLs for the guest VLAN to prevent all intra-network communication. The issue I am running into with what we have come up with is that it cannot communicate with our DHCP server. Below is the config that is currently running in our test environment. If someone can help me figure out how to get the clients and the DHCP server to talk but prevent all other intra-network communication, I would greatly appreciate it.


vlan access-map DENY_INTRA_VLAN 5
match ip address ALLOW_DHCP
action forward
vlan access-map DENY_INTRA_VLAN 10
match ip address DENY_INTRA_VLAN
action drop
vlan access-map DENY_INTRA_VLAN 20
action forward

vlan filter DENY_INTRA_VLAN vlan-list 3


ip access-list extended ALLOW_DHCP
permit udp any eq bootpc any eq bootps
ip access-list extended DENY_INTRA_VLAN
permit ip 192.168.200.0 0.0.3.255 192.168.200.0 0.0.3.255
permit icmp 192.168.200.0 0.0.3.255 192.168.200.0 0.0.3.255
permit tcp 192.168.200.0 0.0.3.255 192.168.200.0 0.0.3.255
permit udp 192.168.200.0 0.0.3.255 192.168.200.0 0.0.3.255
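Added example (not from the post and not Cisco code): a small Python model of first-match VACL evaluation with Cisco wildcard masks, run against constructed guest-VLAN packets. It shows why the posted map forwards the client's DHCPDISCOVER (sequence 5) but drops the server's unicast DHCPOFFER/ACK (sequence 10 matches any in-subnet to in-subnet IP packet), and that adding the reverse entry `permit udp any eq bootps any eq bootpc` to ALLOW_DHCP lets the replies through while peer-to-peer traffic stays dropped and outbound traffic stays forwarded. The server address 192.168.200.1, the client addresses and the implicit-drop default at the end of the map are assumptions; the model covers only IP match clauses, so ARP (non-IP) is outside it.

```python
"""Model of Cisco VACL first-match evaluation (added example, not from the post).

Assumptions (not in the original post): the DHCP server lives at
192.168.200.1 inside the guest /22, clients are .50/.51, and a packet that
matches no access-map sequence is dropped.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

BOOTPS, BOOTPC = 67, 68          # DHCP server / client UDP ports


@dataclass(frozen=True)
class Packet:
    proto: str                   # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)


ANY = ("0.0.0.0", "255.255.255.255")         # 'any' in IOS ACL syntax
GUEST = ("192.168.200.0", "0.0.3.255")       # the /22 used in the post


@dataclass(frozen=True)
class Ace:
    """One permit entry of an extended ACL; proto 'ip' covers every IP protocol."""
    proto: str
    src: Tuple[str, str]
    dst: Tuple[str, str]
    sport: Optional[int] = None              # None == any port
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (wildcard_match(p.src, *self.src) and wildcard_match(p.dst, *self.dst)):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        return self.dport is None or p.dport == self.dport


def acl_permits(acl: List[Ace], p: Packet) -> bool:
    # All ACEs in the post are permits, so the ACL permits iff any ACE hits.
    return any(ace.matches(p) for ace in acl)


def vacl_action(access_map, p: Packet) -> str:
    """access_map: ordered (acl, action) pairs; acl None == match everything."""
    for acl, action in access_map:
        if acl is None or acl_permits(acl, p):
            return action
    return "drop"                            # assumption: implicit drop at end of map


# The ACLs as posted. The icmp/tcp/udp lines of DENY_INTRA_VLAN are already
# covered by the 'permit ip' line, so one ACE models all four.
ALLOW_DHCP_POSTED = [Ace("udp", ANY, ANY, sport=BOOTPC, dport=BOOTPS)]
DENY_INTRA_VLAN = [Ace("ip", GUEST, GUEST)]
# Fix: also match the server's replies (bootps -> bootpc) before sequence 10.
ALLOW_DHCP_FIXED = ALLOW_DHCP_POSTED + [Ace("udp", ANY, ANY, sport=BOOTPS, dport=BOOTPC)]


def build_map(allow_dhcp: List[Ace]):
    return [(allow_dhcp, "forward"),          # seq 5
            (DENY_INTRA_VLAN, "drop"),        # seq 10
            (None, "forward")]                # seq 20


# Constructed sample traffic inside the guest VLAN.
SAMPLES = {
    "dhcp_discover":      Packet("udp", "0.0.0.0", "255.255.255.255", BOOTPC, BOOTPS),
    "dhcp_offer_unicast": Packet("udp", "192.168.200.1", "192.168.200.50", BOOTPS, BOOTPC),
    "dhcp_offer_bcast":   Packet("udp", "192.168.200.1", "255.255.255.255", BOOTPS, BOOTPC),
    "peer_icmp":          Packet("icmp", "192.168.200.50", "192.168.200.51"),
    "peer_tcp":           Packet("tcp", "192.168.200.50", "192.168.200.51", 50000, 445),
    "outbound_https":     Packet("tcp", "192.168.200.50", "203.0.113.10", 50001, 443),
}


def evaluate(allow_dhcp: List[Ace]) -> dict:
    """Verdict per sample packet for a given ALLOW_DHCP ACL."""
    m = build_map(allow_dhcp)
    return {name: vacl_action(m, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("posted", ALLOW_DHCP_POSTED), ("fixed", ALLOW_DHCP_FIXED)):
        print(label)
        for name, verdict in evaluate(acl).items():
            print(f"  {name:20s} {verdict}")
```

The broadcast offer slips through only because 255.255.255.255 falls outside the /22 wildcard, so the map ends up depending on whether the server (or a relay on the SVI, whose packets also originate inside the subnet) answers by broadcast or unicast; matching both DHCP directions in sequence 5 removes that dependency. ARP is not an IP packet and needs a separate `match mac address` clause, which the model does not cover.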

1 Reply

You need to allow ARP, I think. The host/server uses GARP to check if an IP is in use or not. Add it to the same VACL line as DHCP.

MHM
