
Acls On core switch

agomez1191
Level 1

Hi, I would like some insight on constructing an access list that prevents all the other IP ranges in VLANs 17-23 from entering VLAN 18 (192.168.18.0/24) but that allows VLAN 18 to reach all other VLANs and services. I'm not too familiar with applying ACLs to VLANs on a routed switch. Any info will be helpful.

Below is a copy of the current configuration and an ACL that is applied to VLAN 20:

interface Vlan1
 no ip address
 shutdown
!
interface Vlan17
 description MGMT
 ip address 192.168.17.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface Vlan18
 description FAMILY
 ip address 192.168.18.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface Vlan19
 description AV
 ip address 192.168.19.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface Vlan20
 description GUEST
 ip address 192.168.20.1 255.255.255.0
 ip access-group GUESTACL in
 no ip redirects
 no ip proxy-arp
!
interface Vlan21
 description SECURITY
 ip address 192.168.21.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface Vlan22
 description SECURITY2
 ip address 192.168.22.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface Vlan23
 description STAFF
 ip address 192.168.23.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
router rip
 version 2
 passive-interface default
 no passive-interface Vlan17
 network 192.168.17.0
 network 192.168.18.0
 network 192.168.19.0
 network 192.168.20.0
 network 192.168.21.0
 network 192.168.22.0
 network 192.168.23.0
 no auto-summary
!
no ip http server
ip http authentication local
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.17.2 name DEFAULT
!
ip access-list extended AV_NETWORK
 permit ip any 192.168.19.0 0.0.0.255
 permit ip 192.168.19.0 0.0.0.255 any
ip access-list extended GUESTACL
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit ip 192.168.20.0 0.0.0.255 host 192.168.17.10
 deny   ip 192.168.20.0 0.0.0.255 192.168.17.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.18.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.19.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.22.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.23.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any
!
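
One way to express the policy asked about above, added here as an example and not part of the original post. It filters traffic the switch routes into VLAN 18 while letting replies to VLAN 18's own sessions back in. The ACL name FAMILY_OUT, the DNS and NTP lines, and platform support for the `established` keyword are assumptions.

```cisco
! Added example. ACL name FAMILY_OUT is hypothetical.
! Applied "out" on Vlan18, so it filters packets the switch routes INTO VLAN 18.
ip access-list extended FAMILY_OUT
 remark Return traffic for TCP sessions opened from VLAN 18
 permit tcp any 192.168.18.0 0.0.0.255 established
 remark ICMP answers to pings and traceroutes started in VLAN 18
 permit icmp any 192.168.18.0 0.0.0.255 echo-reply
 permit icmp any 192.168.18.0 0.0.0.255 time-exceeded
 permit icmp any 192.168.18.0 0.0.0.255 unreachable
 remark Assumed UDP services: DNS and NTP replies, matched on source port
 permit udp any eq domain 192.168.18.0 0.0.0.255
 permit udp any eq ntp 192.168.18.0 0.0.0.255
 remark Everything else from the other internal VLANs is dropped
 deny   ip 192.168.17.0 0.0.0.255 192.168.18.0 0.0.0.255
 deny   ip 192.168.19.0 0.0.0.255 192.168.18.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.18.0 0.0.0.255
 deny   ip 192.168.21.0 0.0.0.255 192.168.18.0 0.0.0.255
 deny   ip 192.168.22.0 0.0.0.255 192.168.18.0 0.0.0.255
 deny   ip 192.168.23.0 0.0.0.255 192.168.18.0 0.0.0.255
 remark Sources outside 192.168.17-23 (via the default route) are not filtered here
 permit ip any 192.168.18.0 0.0.0.255
!
interface Vlan18
 ip access-group FAMILY_OUT out
```

`established` only checks for the ACK or RST flag, so this is a stateless filter rather than a firewall. Any other UDP service that VLAN 18 uses in another VLAN needs its own permit line above the deny entries.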

 
