Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2450
Views
0
Helpful
9
Replies

ACL on VLAN

Go to solution
puropuro1
Level 1
Level 1

‎10-21-2015 01:56 PM - edited ‎03-08-2019 02:19 AM

Hi to all.

 

I have a networking topology running on GNS3 with IOU.

 

So well, I have 3 swtiches running the same VTP configuration.

The server VTP switch is connected to the router that serves as a gateway for these switches.

Ok, what I want to know is how can I deny ICMP between the PCs connected to these three switches, but I want to allow ping to internet.

So what I was trying to do to reach that is create an ACL that I set on the subinterface that is paired with the VLAN that contains the PCs that I want to allow/deny icmp (of course, this is being settled on the gateway switch).

On the attachment you will find the lines of my ACL. (This allow ping all the equipments to the gateway address on the router, and to ping the internet but not between them, also allows DHCP service because my gateway router also serves as a DHCP server).

 

When I set that ACL on the subinterface and I test the configurations what I got is that my PCs are not able to ping to the internet (or any other network apart the blocket one) but I can ping between them, I mean the ACL is doing the inverse to the derised effect of the configuration.

 

Herein I am attaching the topology and the ACL config.

Labels:
Preview file
169 KB
Preview file
167 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Seb Rupik
VIP Alumni
VIP Alumni

‎10-22-2015 12:13 AM

Hi there,

The VACL that you have configured will only affect traffic as it traverses the SVI (I'm not clear if you have set it in, out or both).

Since you are trying to prevent communication between devices in the same VLAN you should take a look at PACLs:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swacl.html#pgfId-1285529

 

Or maybe PVLANs would provide better separation between your devices on the same VLAN?:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swpvlan.html

 

cheers,

Seb.

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Seb Rupik
VIP Alumni
VIP Alumni

‎10-22-2015 12:13 AM

Hi there,

The VACL that you have configured will only affect traffic as it traverses the SVI (I'm not clear if you have set it in, out or both).

Since you are trying to prevent communication between devices in the same VLAN you should take a look at PACLs:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swacl.html#pgfId-1285529

 

Or maybe PVLANs would provide better separation between your devices on the same VLAN?:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swpvlan.html

 

cheers,

Seb.

0 Helpful

Go to solution
puropuro1
Level 1
Level 1
In response to Seb Rupik

‎10-27-2015 01:10 PM

I tried PVLAN.

 

I was able to isolate the private vlans but these were not able to get communicated with the promiscuous port , therefore I have a full isolation of these ports.

 

I associated my PVLAN to the main VLAN but nothing happens, total isolation between PVLANs (good) and between PVLANs and Promiscuous ports (BAD).

Seems PVLAN is the correct path, but there must be something wrong in my config that creates that problem.

0 Helpful

Go to solution
puropuro1
Level 1
Level 1
In response to Seb Rupik

‎10-27-2015 01:58 PM

Seb, there is something else I have to add.

 

The access switch is connected with two more switches running VTP, this is for redundance in case of failures.

 

So I need to know how to set PVLAN on a switch with trunking ports and native vlan.

0 Helpful

Go to solution
Seb Rupik
VIP Alumni
VIP Alumni
In response to puropuro1

‎10-28-2015 12:39 AM

So we get this right first time, can you provide the running config of the switches?

cheers,

Seb.

0 Helpful

Go to solution
puropuro1
Level 1
Level 1
In response to Seb Rupik

‎10-29-2015 02:59 PM

Seb! don't worry about that running config.

I realized both, IOS and Switch are not capable to implement PVLAN on trunking ports, to do so I must change my hardware and software!

So I decided to go with the VACL option, in this moment I'm learning about it, once I get something I will write a reply here.

However thank you very much for your patient, I will be updating my progress in this challenge.

0 Helpful

Go to solution
puropuro1
Level 1
Level 1
In response to Seb Rupik

‎10-29-2015 05:33 PM

Seb, I'm going to try onepk from Cisco Dev.

My problem goes beyond knownledge of command lines, hehe it's about lack of command options due to software incompatibilities.

By the way I'm going to tag your answer as correct, without your advice I would not know what is PVLAN or VACL because I'm just a CCNA.

0 Helpful

Go to solution
Vishalhathi
Level 1
Level 1
In response to Seb Rupik

‎04-04-2017 09:34 AM

Hi Everyone,

Could you please tell me which IOS support for GNS IOU ? i cant perform this practical on my IOU

Kindly provide me IOS name and version details.

Regards,

Vishal

0 Helpful

Go to solution
Ganesh Hariharan
VIP Alumni
VIP Alumni

‎10-22-2015 02:17 AM 

Hi to all.


I have a networking topology running on GNS3 with IOU.


So well, I have 3 swtiches running the same VTP configuration.

The server VTP switch is connected to the router that serves as a gateway for these switches.

Ok, what I want to know is how can I deny ICMP between the PCs connected to these three switches, but I want to allow ping to internet.

So what I was trying to do to reach that is create an ACL that I set on the subinterface that is paired with the VLAN that contains the PCs that I want to allow/deny icmp (of course, this is being settled on the gateway switch).

On the attachment you will find the lines of my ACL. (This allow ping all the equipments to the gateway address on the router, and to ping the internet but not between them, also allows DHCP service because my gateway router also serves as a DHCP server).


When I set that ACL on the subinterface and I test the configurations what I got is that my PCs are not able to ping to the internet (or any other network apart the blocket one) but I can ping between them, I mean the ACL is doing the inverse to the derised effect of the configuration.


Herein I am attaching the topology and the ACL config.

Hi,

You can achieve the requirement by VACL as per suggestion by Seb. Once you have configured the act you need to apply lan filter in that switch for which lan you are applying this acl.

Check out the below link on VACL for more clarification.

https://networklessons.com/cisco/vlan-access-list-vacl/

Hope it Helps..

-GI

Rate if it Helps..

0 Helpful

Go to solution
puropuro1
Level 1
Level 1

‎10-22-2015 03:12 AM

Thank you both for your replies, I will check your solutions and then I will tell you how it was with me.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card