03-07-2012 12:15 PM - edited 03-07-2019 05:25 AM
I'm a bit confused about the direction of ACLs on VLAN interfaces.
I'm trying to deny vlan 301 from accessing any IPs on vlan 302. Does this make sense?
interface Vlan301
description wireless users
ip address 192.168.177.126 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan302
description Training
ip address 192.168.177.190 255.255.255.192
ip access-group wireless_restrict out
no ip redirects
no ip unreachables
no ip proxy-arp
ip access-list extended wireless_restrict
deny ip 192.168.177.0 0.0.0.127 any log
permit ip any any
03-07-2012 01:19 PM
That should work - just tried in the lab. BTW, remove the log keyword - it's not supported on Catalyst switches.
ip access-list extended CISCO
deny ip 10.2.129.0 0.0.0.255 any
permit ip any any
interface Vlan1
ip address 10.2.129.250 255.255.255.0
no ip redirects
interface Vlan100
ip address 192.168.100.2 255.255.255.0
ip access-group CISCO out
Extended IP access list CISCO
10 deny ip 10.2.129.0 0.0.0.255 any (20 matches)
20 permit ip any any
ping 10.2.129.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.129.5, timeout is 2 seconds:
..
Extended IP access list CISCO
10 deny ip 10.2.129.0 0.0.0.255 any (25 matches)
20 permit ip any any
03-07-2012 01:30 PM
In addition to Edison's response, the easiest way that I remembered in/out directions was by subnet. If you're on vlan 301, your subnet is going to be 192.168.177.0/25. If you have a user that's addressed in that range, their source is going to be 192.168.177.0/25 going to
access-list 101 deny ip 192.168.177.0 0.0.0.127 192.168.177.64 0.0.0.63
access-list 101 permit ip any any
inter vlan 301
ip access-group 101 in
The addresses on the subnet that use vlan 301 as a gateway will go IN to the svi...any svi that they come OUT of would be in the out direction.
John
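A small model of what the two replies describe, added here as an illustration (not Cisco code and not from either poster): wildcard-mask matching, first-match evaluation with the implicit deny, and the rule that a packet is checked by the "in" ACL of the SVI it enters and the "out" ACL of the SVI it leaves. The subnets and ACL entries come from the thread; the destination wildcard in ACL 101 is my assumption, set to cover Vlan302's 192.168.177.128/26 from the question.

```python
import ipaddress

# Added illustration (not Cisco code): how extended-ACL entries and SVI direction decide
# a packet's fate. A wildcard-mask bit of 0 must match; a bit of 1 is ignored.
def wild_match(addr, spec):
    if spec == "any":
        return True
    base, wildcard = spec
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def evaluate_acl(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    for action, src_spec, dst_spec in acl:
        if wild_match(src, src_spec) and wild_match(dst, dst_spec):
            return action
    return "deny"

# ACL from the question: filters what leaves the switch toward the vlan 302 hosts.
WIRELESS_RESTRICT = [("deny", ("192.168.177.0", "0.0.0.127"), "any"),
                     ("permit", "any", "any")]
# The reply's alternative, applied 'in' on Vlan301. Destination wildcard is my assumption,
# chosen to cover Vlan302's 192.168.177.128/26 from the question.
ACL_101 = [("deny", ("192.168.177.0", "0.0.0.127"), ("192.168.177.128", "0.0.0.63")),
           ("permit", "any", "any")]

SUBNETS = {"Vlan301": ipaddress.ip_network("192.168.177.0/25"),
           "Vlan302": ipaddress.ip_network("192.168.177.128/26")}
# Two constructed configurations: the question's (out on Vlan302) and the reply's (in on Vlan301).
CONFIG_OUT = {"Vlan301": {}, "Vlan302": {"out": WIRELESS_RESTRICT}}
CONFIG_IN = {"Vlan301": {"in": ACL_101}, "Vlan302": {}}

def svi_for(addr):
    ip = ipaddress.ip_address(addr)
    return next(name for name, net in SUBNETS.items() if ip in net)

def forward(config, src, dst):
    """Packet enters the ingress SVI ('in' ACL), is routed, then leaves the egress SVI ('out' ACL)."""
    ingress, egress = svi_for(src), svi_for(dst)
    for svi, direction in ((ingress, "in"), (egress, "out")):
        acl = config[svi].get(direction)
        if acl and evaluate_acl(acl, src, dst) == "deny":
            return f"denied by {direction} ACL on {svi}"
    return "forwarded"

if __name__ == "__main__":
    for cfg_name, cfg in (("out-on-Vlan302", CONFIG_OUT), ("in-on-Vlan301", CONFIG_IN)):
        print(cfg_name, "301->302:", forward(cfg, "192.168.177.10", "192.168.177.140"))
        print(cfg_name, "302->301:", forward(cfg, "192.168.177.140", "192.168.177.10"))
```

Both placements block vlan 301 reaching vlan 302; note that the ACL is stateless, so with the "out" placement a vlan 302 host's packet toward vlan 301 is forwarded but the reply from vlan 301 is dropped on the way back.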
03-08-2012 07:10 AM
thanks guys!