ACL - Restrict Specific Network

CMack6
Level 1

Hello Everyone,

I'm new to ACLs and I need some assistance please.  I have attached a simple topology with what I am working with. 

Basically, I have 3 networks, 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24.  The two locations are connected via a VPN with a Vlan (Vlan 100) serving as the link between the two L3 switches.  I need to restrict traffic going to Vlan 1 to only be from Vlan 2.  Vlan 3 is not allowed to connect to any devices on Vlan 1. 

I've tried to create an ACL on Switch #1 to restrict the traffic on the outbound interface, but I can't seem to get it right.  Can anyone please advise how I would go about creating this?  

Thank you!!!

11 Replies

If your VPN is IPsec, you can use an access-group under the IPsec map.
Check the example below:

https://popravak.wordpress.com/2011/11/07/cisco-ios-vpn-filter/


My apologies, it's an E-Line that is provided by a third party, not a VPN.  So, no IPsec running on my switches.  

If this is only an ACL, look at the example below:

https://howdoesinternetwork.com/2012/allow-vlan-access-but-no-back

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello,

Post the configuration you are using that is not working.

You could use PBR and route the desired traffic towards a Null interface:

access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
route-map PBR_RM permit 10
match ip address 101
set interface null0
!
route-map PBR_RM permit 20
!
interface Vlan 100
ip policy route-map PBR_RM

Hello!

Thanks for the reply!  Below is the configuration that I was attempting to use.

access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
interface TenGig 1/1/4
 switchport mode trunk
 switchport trunk allowed vlan 100
 switchport native vlan 999


I applied the access list to the interface on Switch 1 for outbound traffic. 


I also attempted the following which I applied in the same fashion to the outbound interface:

ip access-list extended Only-Vlan-2
 permit ip 192.168.2.0 0.0.0.255 any
 deny ip any any

Hello,

--> I applied the access list to the interface on Switch 1 for outbound traffic.

Which interface is that? Post the configuration of that interface.

Sorry, the outbound interface is this one.

interface TenGig 1/1/4
 switchport mode trunk
 switchport trunk allowed vlan 100
 switchport native vlan 999

IPv4 ACL Network Interfaces

The following restrictions apply to IPv4 ACLs on network interfaces:

  • When controlling access to an interface, you can use a named or numbered ACL.

  • If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL takes precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied to the VLAN.

  • If you apply an ACL to a Layer 3 interface and routing is not enabled on the switch, the ACL only filters packets that are intended for the CPU, such as SNMP, Telnet, or web traffic.

  • If the preauth_ipv4_acl ACL is configured to filter packets, the ACL is removed after authentication.

  • You do not have to enable routing to apply ACLs to Layer 2 interfaces.

You need to apply this on a Layer 3 interface, for example:

config t
(config)# interface vlan X
(config-if)# ip access-group Only-Vlan-2 in
! or "out" instead of "in", depending on the requirement

BB


Ah okay!  I'll give that a shot today.  Thanks much!

Okay, I got this working.  Below is the configuration that I did.

access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
int vlan 100
 ip address 10.10.10.5 255.255.255.252
 ip access-group 101 out


Thanks for the help everyone!  Greatly appreciate it!
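An added example, not part of this thread or of Cisco's software: a small Python evaluator that reads the numbered extended ACL from the working configuration above, applies Cisco wildcard-mask matching (a 1 bit in the wildcard means "don't care") together with the implicit deny at the end of every IOS ACL, and checks the flows discussed in the thread. The source and destination addresses in the checks are constructed, and the evaluator handles only the `ip` protocol form used on this page.

```python
import ipaddress

# Constructed copy of the ACL from the working configuration above.
ACL_101 = """
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

def _parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD) from tokens.
    Returns (network, care_mask): a packet address matches when
    (addr & care_mask) == network. A Cisco wildcard bit set to 1 means
    'don't care', so care_mask is the inverted wildcard."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    net = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    care = ~wildcard & 0xFFFFFFFF
    return net & care, care

def parse_acl(text, number):
    """Return the ordered entries of numbered extended ACL `number` as
    (action, src_net, src_care, dst_net, dst_care) tuples."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", str(number)]:
            continue
        action, proto = tokens[2], tokens[3]
        if proto != "ip":  # only the protocol keyword used on this page
            raise ValueError("unsupported protocol: " + proto)
        rest = tokens[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        entries.append((action, *src, *dst))
    return entries

def evaluate(entries, src_ip, dst_ip):
    """First-match evaluation, top to bottom, as IOS does it.
    No match means the implicit 'deny ip any any' at the end of the ACL."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for action, sn, sc, dn, dc in entries:
        if (s & sc) == sn and (d & dc) == dn:
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_acl(ACL_101, 101)
    for flow in [("192.168.2.10", "192.168.1.20"), ("192.168.3.10", "192.168.1.20")]:
        print(flow, "->", evaluate(acl, *flow))
```

Note that the single permit entry is unidirectional: a constructed return flow from 192.168.1.x to 192.168.2.x also falls through to the implicit deny, which is why the ACL only works when applied in one direction (here, `out` on Vlan 100) and the reply traffic enters through an interface that is not filtered.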