ACL for IoT VLAN

trbonja05
Level 1

I have a single VLAN for IoT devices and have to lock it down. Only required traffic must be permitted, and only to specific public IP addresses. No access to any other VLAN.

IoT VLAN network IP 172.16.8.0

IP and ports to be used

ICMP host 172.16.8.0 host A.B.C.E
A.B.C.D eq 443
A.B.C.E eq 53
Deny everything else.

This is what I have tried:

10 permit icmp host 172.16.8.0 host A.B.C.E
11 permit tcp host 172.16.8.0 host A.B.C.D eq 443
12 permit tcp host 172.16.8.0 host A.B.C.E eq domain
13 deny ip any any log

Thank you

Accepted Solution

Seb Rupik
VIP Alumni

Hi there,

Are you sure you just want to permit a single host on the IoT VLAN? I'm guessing you want to permit the entire subnet, so your config should look like this:

!
int vlan 100
  desc IOT_VLAN
  ! the SVI needs a host address inside the subnet; .1 is assumed, the post only gave the network 172.16.8.0
  ip address 172.16.8.1 255.255.255.0
  ip access-group 101 in
!
! extended ACL 101: source is the whole /24 (wildcard 0.0.0.255), not a single host
access-list 101 permit icmp 172.16.8.0 0.0.0.255 host A.B.C.E
access-list 101 permit tcp 172.16.8.0 0.0.0.255 host A.B.C.D eq 443
access-list 101 permit tcp 172.16.8.0 0.0.0.255 host A.B.C.E eq domain
access-list 101 deny ip any any log
!

cheers,

Seb.
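
To see why the ACL in the question drops traffic from real IoT devices while the accepted answer's version passes it, here is an added Python check (not code from the post or from Cisco) that evaluates both ACLs against constructed sample flows; 203.0.113.10 and 203.0.113.53 stand in for A.B.C.D and A.B.C.E, and 172.16.8.50 is an assumed device on the IoT VLAN. It also surfaces a caveat worth checking before deploying: both ACLs permit DNS over TCP only, so UDP/53 to A.B.C.E still hits the final deny.

```python
import ipaddress

def net(addr, wildcard="0.0.0.0"):
    """IOS address + wildcard mask -> network; 'host X' is wildcard 0.0.0.0."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def evaluate(acl, proto, src, dst, dport=None):
    """First matching ACE wins; anything unmatched hits the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, aproto, snet, dnet, aport in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if s not in snet or d not in dnet:
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return "deny"

# Constructed stand-ins for the post's A.B.C.D / A.B.C.E (TEST-NET-3 range).
ABCD, ABCE = "203.0.113.10", "203.0.113.53"
ANY = net("0.0.0.0", "255.255.255.255")

# ACL as posted in the question: 'host 172.16.8.0' matches one address only.
AS_POSTED = [
    ("permit", "icmp", net("172.16.8.0"), net(ABCE), None),
    ("permit", "tcp", net("172.16.8.0"), net(ABCD), 443),
    ("permit", "tcp", net("172.16.8.0"), net(ABCE), 53),
    ("deny", "ip", ANY, ANY, None),
]
# Accepted answer: wildcard 0.0.0.255 covers the whole 172.16.8.0/24.
CORRECTED = [
    ("permit", "icmp", net("172.16.8.0", "0.0.0.255"), net(ABCE), None),
    ("permit", "tcp", net("172.16.8.0", "0.0.0.255"), net(ABCD), 443),
    ("permit", "tcp", net("172.16.8.0", "0.0.0.255"), net(ABCE), 53),
    ("deny", "ip", ANY, ANY, None),
]
IOT_DEVICE = "172.16.8.50"  # constructed: an ordinary device on the IoT VLAN

def check_flows(acl):
    """Verdicts for the flows worth trying against either ACL."""
    return {
        "https_to_ABCD": evaluate(acl, "tcp", IOT_DEVICE, ABCD, 443),
        "ping_ABCE": evaluate(acl, "icmp", IOT_DEVICE, ABCE),
        "dns_tcp_ABCE": evaluate(acl, "tcp", IOT_DEVICE, ABCE, 53),
        "dns_udp_ABCE": evaluate(acl, "udp", IOT_DEVICE, ABCE, 53),  # UDP 53 is in neither ACL
        "other_vlan": evaluate(acl, "tcp", IOT_DEVICE, "172.16.9.20", 443),
    }
```

Run check_flows(AS_POSTED) and check_flows(CORRECTED) side by side: only the address 172.16.8.0 itself is permitted by the posted ACL, while the corrected one permits the whole /24 and still blocks the other VLAN.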

Thanks Seb, and I can't believe I've missed this one.

Regards,