
Access List between L3 VLANs

rami.saber
Level 1

Hi

I have a scenario where different L3 VLANs are defined on a Cisco C6500. I want to deny one Student VLAN (VLAN A) access to one Faculty VLAN (VLAN B).

I tried defining an access list which has a deny from VLAN A to VLAN B with a permit at the end:

ip access-list extended TEST
 deny ip a.a.a.a a.a.a.a b.b.b.b b.b.b.b
 permit ip any any
!
interface VlanB
 ip access-group TEST in

The problem is, when I apply this access list under the destination VLAN (VLAN B), the only hits are on the permit any any, and Student users are still accessing Faculty users.

But when I apply it on the source VLAN (VLAN A):

interface VlanA
 ip access-group TEST in

the students are not able to access the Faculty and the access list works.

Is there anything missing in the configuration? It is much more convenient to apply the access list on the Faculty VLAN than on the Student VLAN.

Thanks

8 Replies

Collin Clark
VIP Alumni

Try swapping the direction of the ACL:

interface VlanB
 ip access-group TEST out

glen.grant
VIP Alumni

You would have to rewrite the ACL so that the source is the faculty VLAN address space, denied to the student VLAN, with permit any any to everywhere else, if you want to apply it to the faculty VLAN. Remember "in" is traffic coming into the SVI from the local LAN.
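The direction point above is the crux of the whole thread. As an added illustration (not code from this thread, from the posters, or from Cisco), the following small simulator walks a routed packet through the two ACL attach points it actually crosses, inbound on the source SVI and outbound on the destination SVI, and evaluates a TEST-style ACL with Cisco wildcard masks at each. The subnets and host addresses are constructed example values standing in for a.a.a.a and b.b.b.b; the model covers only the attach-point semantics, not any other condition on the poster's switch.

```python
"""Where does an SVI ACL see a routed inter-VLAN flow? (added example)

Models the three placements discussed in the thread for the same
student -> faculty packet:
  "ip access-group TEST in"  on VlanB : never consulted for A->B traffic
  "ip access-group TEST out" on VlanB : denies A->B
  "ip access-group TEST in"  on VlanA : denies A->B at the first hop
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: str      # "<address> <wildcard>" in Cisco form, or "any"
    dst: str

# Constructed example subnets standing in for the thread's a.a.a.a / b.b.b.b.
STUDENT_NET = ipaddress.ip_network("10.10.0.0/24")   # VLAN A
FACULTY_NET = ipaddress.ip_network("10.20.0.0/24")   # VLAN B
SVIS = {"VlanA": STUDENT_NET, "VlanB": FACULTY_NET}

# Same shape as the thread's TEST list: deny A->B, then permit everything.
TEST_ACL = [
    Ace("deny", "10.10.0.0 0.0.0.255", "10.20.0.0 0.0.0.255"),
    Ace("permit", "any", "any"),
]

def wildcard_match(spec: str, addr: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(base)) & keep) == (int(ipaddress.IPv4Address(addr)) & keep)

def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation with the implicit deny at the end.
    Returns (action, index of the matching ACE or None)."""
    for i, ace in enumerate(acl):
        if wildcard_match(ace.src, src) and wildcard_match(ace.dst, dst):
            return ace.action, i
    return "deny", None

def svi_for(addr: str, svis: Dict[str, ipaddress.IPv4Network]) -> str:
    ip = ipaddress.ip_address(addr)
    return next(name for name, net in svis.items() if ip in net)

def route(src: str, dst: str, svis, bindings):
    """Walk a routed packet through the attach points it crosses, in order:
    'in' on the source SVI, then 'out' on the destination SVI.
    bindings maps (svi, direction) -> ACL. Returns the verdict and a trace of
    (svi, direction, action, ace_index) for every ACL that was consulted."""
    path = [(svi_for(src, svis), "in"), (svi_for(dst, svis), "out")]
    trace = []
    for svi, direction in path:
        acl = bindings.get((svi, direction))
        if acl is None:
            continue          # no ACL bound here: this point never sees the flow
        action, idx = evaluate(acl, src, dst)
        trace.append((svi, direction, action, idx))
        if action == "deny":
            return "dropped", trace
    return "forwarded", trace

def compare_placements(src: str = "10.10.0.5", dst: str = "10.20.0.7"):
    """Evaluate one student -> faculty packet under the three placements."""
    placements = {
        "VlanB in":  {("VlanB", "in"):  TEST_ACL},
        "VlanB out": {("VlanB", "out"): TEST_ACL},
        "VlanA in":  {("VlanA", "in"):  TEST_ACL},
    }
    return {name: route(src, dst, SVIS, b) for name, b in placements.items()}

if __name__ == "__main__":
    for name, (verdict, trace) in compare_placements().items():
        print(f"{name:10s} -> {verdict:9s} {trace}")
    # The reply packet B->A is what "in" on VlanB does see: it hits permit any any.
    print("reply B->A under 'VlanB in':",
          route("10.20.0.7", "10.10.0.5", SVIS, {("VlanB", "in"): TEST_ACL}))
```

Running it shows an empty trace for "VlanB in" (the A to B packet never passes that attach point), a deny on ACE 0 for the other two placements, and a hit on ACE 1 (permit any any) for the B to A reply under "VlanB in", which is exactly the counter pattern described in the question.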

rami.saber
Level 1

I tried changing the direction to out with no luck.

I also swapped the addresses, so the access list is:

ip access-list extended TEST
 deny ip b.b.b.b b.b.b.b a.a.a.a a.a.a.a
 permit ip any any
!
interface VlanB
 ip access-group TEST in

Also with no luck.

vlad.vlaicu
Level 1

Hi. Why are you saying it is more convenient to apply the access list on the Faculty VLAN rather than the Student VLAN? I know that when using extended ACLs it is best to apply them as close to the source as possible.

Let's say you want to go the hard way: if you swap the direction to out on the Faculty VLAN, do you get hits on permit any any?

rami.saber
Level 1

Actually it is true that it is best to configure the ACL as close to the source as possible, but in our scenario we have around 20 Student VLANs and 2 Faculty VLANs. It is easier to configure only two ACLs on the Faculty VLAN interfaces than to configure 20 ACLs, one on each Student VLAN interface.

Yes, I am getting hits on the permit any any.

The following configuration seems right:

ip access-list extended TEST
 deny ip a.a.a.a a.a.a.a b.b.b.b b.b.b.b
 permit ip any any
!
interface VlanB
 ip access-group TEST out

If this doesn't work, check the most basic issues, because you never know: check that the IPs are correct, that there is only one ACL per interface per direction, and be careful if you use NAT.

tamassini
Level 1

Hi Rami,

Why don't you use VACLs? Below is an example you can use on the Faculty VLAN (VLB):

! In a VLAN access map the ACL is only used for matching: packets hitting a
! permit ACE match the clause, packets hitting a deny ACE fall through to the
! next sequence. So the ACL must PERMIT the traffic you want to drop; a
! "permit ip any any" here would make sequence 10 drop everything.
ip access-list extended TEST
 permit ip a.a.a.a a.a.a.a b.b.b.b b.b.b.b
!
vlan access-map Filter-VLA-TO-VLB 10
 match ip address TEST
 action drop
!
vlan access-map Filter-VLA-TO-VLB 20
 action forward
!
! Apply the VLAN map to VLAN B
vlan filter Filter-VLA-TO-VLB vlan-list 100    ! VLB id = 100



HTH,

Aliou

I understand what you are trying to do, but a better way to accomplish this would be the following.

Block the traffic at the source; that way it doesn't traverse the network and then get blocked. You can save traffic doing it this way. If you put the following ACL inbound on VLAN A, the traffic will not even traverse the first hop.

! The interface must reference the ACL that is actually defined (101 here).
access-list 101 deny ip a.a.a.a a.a.a.a b.b.b.b b.b.b.b
access-list 101 permit ip any any
!
interface VlanA
 ip access-group 101 in

That way, when traffic from a.a.a.a goes to b.b.b.b, the access list will stop it before it goes across the network. Everything else will be allowed, since you have the permit ip any any on the last line.
