Help with ACLs on 3750X!

kcTheAdmin · ‎03-20-2019

I'm a huge noob with Cisco routing and ACL's and need some help. Keep in mind, I accrued this network.

Layer 3 Core Switch with ACL's: cisco WS-3750X

We have a set of Internal VLANs under the following IP Schemes: 10.20.X.X and 10.222.X.X

We have another set of VLANS used for guest and the public: 10.200.X.X

We do not want 10.200.0.0 to access the 10.20.X.X and 10.222.X.X networks. How should I proceed with creating ACLs to get this working?

Thanks in advance!

Deepak Kumar · ‎03-20-2019

Hi,

You can configure VACL for the same. Here is a configuration guide for the same. Suppose VLAN 2 used for the Guest users.

interface Vlan2

Des Guest
ip address 10.200.X.X 255.255.255.0
!
interface Vlan3

Des User1
ip address 10.20.X.X 255.255.255.0
!

interface Vlan3

Des User2
ip address 10.222.X.X 255.255.255.0

!
access-list 101 permit ip 10.200.X.X 0.0.0.255 10.20.X.X 0.0.0.255
access-list 101 permit ip 10.200.X.X 0.0.0.255 10.222.X.X 0.0.0.255
!
access-list 102 permit ip any any
!

vlan access-map VACL 10
match ip address 101
action drop

!
vlan access-map VACL 20
match ip address 102
action forward

!

vlan filter VACL vlan-list 2

Reagrds,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

luis_cordova · ‎03-20-2019

Hi @kcTheAdmin ,

Assuming that your networks have a /24 mask, try this:

access-list 10 deny 10.200.X.X 0.0.0.255

access-list 10 permit any

Now, this list must be applied to the two interfaces in which the networks to be denied are configured.

Assuming that these networks are associated with VLANs 10 and 20:

interface vlan 10

ip access-group 10 out

interface vlan 20

ip access-group 10 out

I hope this is useful for you

Regards