3750G ACLs not working

vitesse50
Level 1

I am trying to create an ACL that walls off a VLAN and only allows it to the internet. This is on a 3750G, currently the 3750G I am attempting this on is in a stack. I have another 3750G that is a standalone.

The first way I attempted this was to create two access-lists:

access-list 101 permit tcp 10.249.1.0 0.0.0.255 any eq 80
access-list 102 permit tcp any 10.249.1.0 0.0.0.255 established

Let's call the 10.249.1.0 VLAN 2. I applied this to the VLAN2 interface, 101 out, 102 in. It didn't work. If I place a deny statement with nothing else, that works.

The second attempt was this:

access-list 101 deny ip 10.249.1.0 0.0.0.255 any
access-list 101 permit ip any any

I applied this to a VLAN I wanted to block VLAN2's traffic from reaching, let's call that one VLAN 3.

This lets all traffic from any VLAN (including the one I'm trying to block). If I remove the "permit ip any any", then all VLANs are denied. Which I understand is correct due to the implied deny all. What I don't understand is why it isn't applying the ACL to the specific VLAN.

I'm very new to using ACLs, and I feel like I'm missing a basic thing to make this work.

3 Replies

cadet alain
VIP Alumni

Hi,

Let's suppose you have VLAN 2 and VLAN 3:

int vlan 2
 ip address 192.168.2.1 255.255.255.0
 ip access-group 100 in
int vlan 3
 ip address 192.168.3.1 255.255.255.0
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip any any

Just edit the ACL to deny the other destinations (VLAN subnets) and you're good to go.

Regards.

Alain

Don't forget to rate helpful posts.

That worked.

I do have further questions: Does the 3750G not support outbound ACLs? As I mentioned before, I am trying to nail down a VLAN for internet traffic only, it cannot access other VLANs on our LAN. I understand how to use the example you gave to accomplish this. Can I do it with TCP port filtering, or will I have to just use VLANs?

For example, I had these ACLs enable on the VLAN I wanted to restrict, and again they didn't work:

access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 102 permit tcp 192.168.1.0 0.0.0.255 any established
ip access-group 101 out
ip access-group 102 in

The only thing I can think of is I should have it opened up to the VLAN it needs to leave our LAN to get to the internet. Even still, it did not restrict traffic from the VLAN; for example, you could telnet or SSH out to other devices.

Hi,

you should try

ip access-group 101 in
ip access-group 102 out

But if there is a http/https server on any other VLAN then the communication with this server will work as you specified any as destination in your ACL.

Regards.

Alain

Don't forget to rate helpful posts.
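As an added example that is not from the thread, the following IOS configuration combines Alain's two points (apply the list inbound on the VLAN 2 SVI, and deny the LAN before any "permit ... any" line so a web server on another VLAN stays unreachable) with the original HTTP/HTTPS-only goal. The VLAN 2 subnet 10.249.1.0/24 comes from the question; the 10.0.0.0/8 LAN summary and the resolver address 10.0.0.53 are assumptions to adjust for the real network.

```ios
! Added example, not the thread's own config. Assumes every LAN VLAN lives
! inside 10.0.0.0/8 and the DNS resolver for VLAN 2 hosts is 10.0.0.53.
ip access-list extended VLAN2-INTERNET-ONLY
 remark DNS to the internal resolver must be permitted before the LAN deny
 permit udp 10.249.1.0 0.0.0.255 host 10.0.0.53 eq domain
 remark Block the whole private LAN first; later "any" lines cannot reach it
 deny   ip 10.249.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 remark Everything left is the internet: web traffic only
 permit tcp 10.249.1.0 0.0.0.255 any eq 80
 permit tcp 10.249.1.0 0.0.0.255 any eq 443
 remark Telnet, SSH and all other protocols fall to the implicit deny ip any any
!
interface Vlan2
 ip address 10.249.1.1 255.255.255.0
 remark "in" on the SVI matches packets sent BY the VLAN 2 hosts
 ip access-group VLAN2-INTERNET-ONLY in
!
! Verify the list is parsed and attached as intended
! show ip access-lists VLAN2-INTERNET-ONLY
! show ip interface Vlan2 | include access list
```

No outbound ("established") list is needed on the SVI: with no ACL applied in the out direction, the replies to the permitted web sessions return to VLAN 2 unfiltered.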