
How to configure ACL on Port-Channel

Hello Guys, 

 

I would like to ask if this is possible. I created a lab using Cisco Packet Tracer version 7.2.2 and I was trying to configure an ACL policy for each VLAN. My question is, where and how do we configure an ACL in a multiple-VLAN environment? Please see the attached image VLAN_ACL.PNG for your reference.

 

 

Accepted Solutions

luis_cordova
VIP Alumni

Hi @NoelAdrianGatchalian5946 

 

The ACL must be created and applied on the device that routes the VLAN.
For example, if you use the router to route the VLAN (RoaS), then the ACL must be created on the router and applied to the corresponding subinterface.

Now, if the VLANs are being routed on the L3 switches, then the ACLs must be created on the L3 switch and applied to the corresponding VLAN interface (SVI).

Regards


6 Replies

Hi Luis, 

 

As of the moment these VLANs are routed through L3 switches so in this case, should we configure the ACL policies and access group inside the VLAN interface like this? 

 

I.e. scenario: VLAN 110 is not allowed to access VLAN 130 except other networks.

 

DS2(config)#access-list 1 deny 192.168.110.0 0.0.0.255
DS2(config)#access-list 1 permit any
DS2(config)#interface VLAN 130
DS2(config-if)#ip access-group 1 out

 

Thank you :) 
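
Added example (not part of the original posts and not Cisco code): a Python model of how the `access-list 1` lines above are evaluated for traffic routed out of the VLAN 130 SVI, showing source-only matching with a wildcard mask, first match wins, and the implicit deny at the end. Source addresses other than 192.168.110.0/24 are constructed samples.

```python
import ipaddress

# The two ACL lines from the post above, without the CLI prompt.
ACL_LINES = [
    "access-list 1 deny 192.168.110.0 0.0.0.255",
    "access-list 1 permit any",
]

def parse_standard_acl(lines):
    """Parse numbered standard ACL lines into (action, network, wildcard) entries."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACL line: {line!r}")
        action, src = tok[2], tok[3:]
        if src == ["any"]:
            net, wild = 0, 0xFFFFFFFF
        elif src[0] == "host" and len(src) == 2:
            net, wild = int(ipaddress.IPv4Address(src[1])), 0
        else:
            net = int(ipaddress.IPv4Address(src[0]))
            # A bare address with no wildcard means an exact host match.
            wild = int(ipaddress.IPv4Address(src[1])) if len(src) > 1 else 0
        entries.append((action, net, wild))
    return entries

def evaluate(entries, source_ip):
    """Return the action of the first matching entry; implicit deny if none match."""
    src = int(ipaddress.IPv4Address(source_ip))
    for action, net, wild in entries:
        # Wildcard bits set to 1 are "don't care"; all other bits must be equal.
        care = ~wild & 0xFFFFFFFF
        if (src & care) == (net & care):
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_standard_acl(ACL_LINES)
    # Constructed sample sources; only 192.168.110.0/24 appears in the thread.
    for ip in ("192.168.110.25", "192.168.120.25", "10.0.0.1"):
        print(f"{ip:>15} -> VLAN 130: {evaluate(acl, ip)}")
```

A standard ACL inspects only the source address, and an outbound ACL on an SVI sees only traffic the switch routes into that VLAN, so hosts inside VLAN 130 talking to each other are not filtered by it.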

Hi @NoelAdrianGatchalian5946 

 

You are right :)


If you have more doubts, just post them and we will try to help you.

 

Regards

Thank you Luis :) 

 

I just performed the syntax above but VLAN 110 is still getting a successful PING result from a host in VLAN 130. I'm trying to figure out what I missed.

Hi @NoelAdrianGatchalian5946 

 

Please, compress your exercise (winzip) and attach it to check.

 

Regards

Hi Luis, 

 

I was able to figure out the solution last night. Simply, PT has bugs: when I tried to relaunch the application, all policies had been successfully applied. The issue is now resolved and I really appreciate your assistance :)

 

Thank you!