ACL to block VLAN 10 from talking to VLAN 20 and vice versa

bobIT (Level 1)

Hey guys,

I have 3 sites; Parramatta, Chatswood and Ryde.

I need to create an ACL to block VLAN 10 (Student-Staff VLAN) talking with VLAN 20 (Admin VLAN). The VLANs will still need to be able to talk to their corresponding VLAN across sites.

[Screenshot_9.png: network diagram of the three sites] The site on the left is Parramatta

The site in the middle is Chatswood

The site on the right is Ryde

 

I originally created an extended access list in the Chatswood site that looked like this:

Chatswood(config)#ip access-list extended ADMIN-ACL
Chatswood(config-ext-nacl)#deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
Chatswood(config-ext-nacl)#deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
Chatswood(config-ext-nacl)#deny ip 192.168.50.0 0.0.0.255 192.168.20.0 0.0.0.255
Chatswood(config-ext-nacl)#permit ip any any


[Those 3 networks are the Student-Staff networks]

 

I then went into G0/0.20 (the admin sub-interface):

 

Chatswood(config-subif)#ip access-group ADMIN-ACL in

 

However, the student-staff VLANs can still talk to the admin VLAN in Chatswood.

 

Thanks guys

Accepted Solution

Seb Rupik (VIP Alumni)

Hi there,

You need to block the traffic leaving the Admin sub-interface:

 

!
int gi0/0.20
  ip access-group ADMIN-ACL out
!
However, it makes more sense to block the traffic at the earliest point, so blocking on ingress at the student-staff interface makes more sense. Now the ACL should be applied inbound:

 

!
int gi0/0.10
  ip access-group ADMIN-ACL in
!

Cheers,

Seb.
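The direction mistake in the question, as an added Python model (not the poster's configuration or any Cisco code) of how IOS checks an ACL bound "in" or "out" on a router-on-a-stick subinterface: a packet is only evaluated at the subinterface it arrives on (inbound) and the one it leaves through (outbound), so an ACL bound inbound on Gi0/0.20 never sees student-to-admin traffic. Subinterface names, the /24 addressing and the host addresses are assumed from the post.

```python
import ipaddress

# Constructed copy of the poster's ADMIN-ACL: (action, src, src_wildcard, dst, dst_wildcard).
ADMIN_ACL = [
    ("deny", "192.168.10.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
    ("deny", "192.168.30.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
    ("deny", "192.168.50.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),  # permit ip any any
]

# Assumed Chatswood subinterfaces (router-on-a-stick); only VLAN 10 and 20 are modelled.
SUBIFS = {"Gi0/0.10": "192.168.10.0/24", "Gi0/0.20": "192.168.20.0/24"}

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def acl_action(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

def subif_for(addr):
    """Subinterface a packet from/to this address crosses (None if unknown)."""
    for name, net in SUBIFS.items():
        if ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(net):
            return name
    return None

def forward(src, dst, bindings, acl=ADMIN_ACL):
    """bindings: set of (subinterface, 'in'|'out') where the ACL is applied.
    The packet is checked only at the two points it actually crosses:
    inbound on its ingress subinterface, outbound on its egress subinterface."""
    checkpoints = [(subif_for(src), "in"), (subif_for(dst), "out")]
    for point in checkpoints:
        if point in bindings and acl_action(acl, src, dst) == "deny":
            return f"dropped ({point[1]} on {point[0]})"
    return "forwarded"

STUDENT, ADMIN = "192.168.10.25", "192.168.20.7"  # constructed hosts
if __name__ == "__main__":
    for label, binding in [("poster: in on .20", {("Gi0/0.20", "in")}),
                           ("fix 1: out on .20", {("Gi0/0.20", "out")}),
                           ("fix 2: in on .10", {("Gi0/0.10", "in")})]:
        print(f"{label:20} student->admin: {forward(STUDENT, ADMIN, binding)}")
```

Running it shows the poster's binding forwards student-to-admin traffic untouched, while either of the accepted answer's placements drops it at the point the packet really crosses.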
