08-27-2011 04:55 AM - edited 03-07-2019 01:55 AM
Hi
I have a scenario where different L3 VLANs are defined on a Cisco 6500. I want to deny one Student VLAN (VLAN A) access to one Faculty VLAN (VLAN B).
I tried defining an access list which denies the source VLAN A to VLAN B with a permit at the end:
ip access-list extended TEST
deny ip a.a.a.a a.a.a.a b.b.b.b b.b.b.b
permit ip any any
interface VlanB
ip access-group TEST in
The problem is that when I apply this access list under the destination VLAN (VLAN B), the only hits are on the permit any any and Student users are accessing Faculty users.
But when I apply it on the source VLAN (VLAN A):
interface VLANA
ip access-group TEST in
The students are not able to access the Faculty and the access list works.
Is there anything missing in the configuration? It is much more convenient to apply the access list on the Faculty VLAN than on the Student VLAN.
Thanks
08-27-2011 05:11 AM
Try swapping the direction of the ACL:
interface VlanB
ip access-group TEST out
08-27-2011 05:11 AM
You would have to rewrite the ACL so that the faculty VLAN address space as source is denied to the student VLAN, and permit any any to everywhere else, if you want to apply it to the faculty VLAN. Remember "in" is traffic coming into the SVI from the local LAN.
08-27-2011 05:46 AM
I tried changing the direction to out with no luck.
I also swapped the addresses so the access list is:
ip access-list extended TEST
deny ip b.b.b.b b.b.b.b a.a.a.a a.a.a.a
permit ip any any
interface VlanB
ip access-group TEST in
Also with no luck.
08-27-2011 06:06 AM
Hi. Why are you saying it is more convenient to apply the access list on the Faculty VLAN rather than the Student VLAN? I know that when using extended ACLs it is best to apply them as close to the source as possible.
Let's say you want to go the hard way: if you swap the direction to out on the Faculty VLAN, do you get hits on permit any any?
08-27-2011 07:20 AM
Actually, it is true that it is best to configure the ACL as close to the source as possible, but in our scenario we have around 20 Student VLANs and 2 Faculty VLANs. It is easier to configure only two ACLs on the Faculty VLAN interfaces than to configure 20 ACLs, one on each Student VLAN interface.
Yes, I am getting hits on the permit any any.
08-27-2011 07:33 AM
The following configuration seems right:
ip access-list extended TEST
deny ip a.a.a.a a.a.a.a b.b.b.b b.b.b.b
permit ip any any
interface VlanB
ip access-group TEST out
If this doesn't work, check the most basic issues, because you never know. Check that the IPs are correct, that there is only one ACL per interface per direction, and be careful if you use NAT.
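As an added illustration (not from this thread), the following Python model reproduces the direction semantics the replies describe: an ACL bound "in" on an SVI only sees packets arriving from that VLAN, so TEST bound in on VlanB only ever sees the faculty-sourced replies and hits permit ip any any, while "out" on VlanB or "in" on VlanA hits the deny. Subnets, host addresses and SVI names are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder subnets for the two SVIs.
STUDENT_NET = ipaddress.ip_network("10.1.0.0/24")  # VLAN A
FACULTY_NET = ipaddress.ip_network("10.2.0.0/24")  # VLAN B
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    hits: int = 0

def acl_test():
    """The ACL TEST from the question: deny A -> B, permit everything else."""
    return [Ace("deny", STUDENT_NET, FACULTY_NET), Ace("permit", ANY, ANY)]

def evaluate(acl, src, dst):
    """First-match ACL lookup with the implicit deny at the end."""
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            ace.hits += 1
            return ace.action
    return "deny"

def svi_for(addr):
    return "VlanA" if addr in STUDENT_NET else "VlanB"

def route(packet_src, packet_dst, bindings):
    """Route one packet. bindings maps (svi, direction) -> ACL.
    'in' on an SVI sees packets entering the router FROM that VLAN;
    'out' sees packets leaving the router INTO that VLAN."""
    src, dst = ipaddress.ip_address(packet_src), ipaddress.ip_address(packet_dst)
    for key in ((svi_for(src), "in"), (svi_for(dst), "out")):
        acl = bindings.get(key)
        if acl is not None and evaluate(acl, src, dst) == "deny":
            return "dropped"
    return "forwarded"

def demo(svi, direction):
    """Bind TEST on one SVI/direction, send a student->faculty packet and the
    faculty->student reply; return both outcomes and the per-ACE hit counts."""
    acl = acl_test()
    bindings = {(svi, direction): acl}
    request = route("10.1.0.10", "10.2.0.20", bindings)
    reply = route("10.2.0.20", "10.1.0.10", bindings)
    return request, reply, [ace.hits for ace in acl]
```

demo("VlanB", "in") reproduces the symptom in the question: the student packet is forwarded and only the permit entry counts a hit.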
08-27-2011 01:27 PM
Hi Rami,
Why don't you use VACLs? Below is an example you can use on the Faculty VLAN (VLB):
ip access-list extended TEST
! In a VACL only the permit entries of the matched ACL select traffic;
! a deny entry simply falls through to the next access-map sequence.
permit ip a.a.a.a a.a.a.a b.b.b.b b.b.b.b
!
vlan access-map Filter-VLA-TO-VLB 10
action drop
match ip address TEST
!
! No match clause: everything not selected above is forwarded
vlan access-map Filter-VLA-TO-VLB 20
action forward
!
! Apply the VLAN map to VLAN B (VLB id = 100)
vlan filter Filter-VLA-TO-VLB vlan-list 100
HTH,
Aliou
08-29-2011 04:58 AM
I understand what you are trying to do, but a better way to accomplish this would be the following.
Block the traffic at the source; that way it doesn't traverse the network and then get blocked. You can save traffic doing it this way. If you put the following ACL inbound on VLAN A, the traffic will not even traverse the first hop.
access-list 101 deny ip a.a.a.a a.a.a.a b.b.b.b b.b.b.b
access-list 101 permit ip any any
interface VlanA
ip access-group 101 in
That way, when traffic from a.a.a.a goes to b.b.b.b, the access list will stop it before it goes across the network. Everything else will be allowed since you have the permit ip any any on the last line.