ACL - Restrict Specific Network
11-08-2022 03:44 AM
Hello Everyone,
I'm new to ACLs and I need some assistance please. I have attached a simple topology with what I am working with.
Basically, I have 3 networks, 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24. The two locations are connected via a VPN with a Vlan (Vlan 100) serving as the link between the two L3 switches. I need to restrict traffic going to Vlan 1 to only be from Vlan 2. Vlan 3 is not allowed to connect to any devices on Vlan 1.
I've tried to create an ACL on Switch #1 to restrict the traffic on the outbound interface, but I can't seem to get it right. Can anyone please advise how I would go about creating this?
Thank you!!!
Labels: Catalyst 9000
11-08-2022 03:54 AM
If your VPN is IPsec, you can use an access-group under the IPsec map.
Check the example below:
https://popravak.wordpress.com/2011/11/07/cisco-ios-vpn-filter/
11-08-2022 04:24 AM
My apologies, it's an E-Line that is provided by a third party, not a VPN. So, no IPsec running on my switches.
11-08-2022 04:44 AM
If this is ACL-only, look at the example below:
https://howdoesinternetwork.com/2012/allow-vlan-access-but-no-back
11-08-2022 04:49 AM - edited 11-08-2022 08:52 AM

11-08-2022 04:59 AM
Hello,
Post the configuration you are using that is not working.
You could use PBR and route the desired traffic towards a Null interface:
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
route-map PBR_RM permit 10
match ip address 101
set interface null0
!
route-map PBR_RM permit 20
!
interface Vlan 100
ip policy route-map PBR_RM
11-09-2022 02:46 AM - edited 11-09-2022 02:54 AM
Hello!
Thanks for the reply! Below is the configuration that I was attempting to use.
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
interface TenGig 1/1/4
switchport mode trunk
switchport trunk allowed vlan 100
switchport native vlan 999
I applied the access list to the interface on Switch 1 for outbound traffic.
I also attempted the following which I applied in the same fashion to the outbound interface:
ip access-list extended Only-Vlan-2
permit 192.168.2.0
deny any any
11-09-2022 02:55 AM
Hello,
--> I applied the access list to the interface on Switch 1 for outbound traffic.
Which interface is that? Post the configuration of that interface.
11-09-2022 02:56 AM
Sorry, the outbound interface is this one.
interface TenGig 1/1/4
switchport mode trunk
switchport trunk allowed vlan 100
switchport native vlan 999
11-09-2022 03:36 AM - edited 11-09-2022 03:38 AM
IPv4 ACL Network Interfaces
The following restrictions apply to IPv4 ACLs on network interfaces:
- When controlling access to an interface, you can use a named or numbered ACL.
- If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL takes precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied to the VLAN.
- If you apply an ACL to a Layer 3 interface and routing is not enabled on the switch, the ACL only filters packets that are intended for the CPU, such as SNMP, Telnet, or web traffic.
- If the preauth_ipv4_acl ACL is configured to filter packets, the ACL is removed after authentication.
- You do not have to enable routing to apply ACLs to Layer 2 interfaces.
You need to apply this on a Layer 3 interface; whether the direction is in or out depends on the requirement. For example:
config t
(config)# interface vlan X
(config-if)# ip access-group Only-Vlan-2 {in | out}
11-09-2022 03:38 AM
Ah okay! I'll give that a shot today. Thanks much!
11-10-2022 03:41 AM
Okay, I got this working. Below is the configuration that I did.
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
int vlan 100
ip address 10.10.10.5 255.255.255.252
ip access-group 101 out
Thanks for the help everyone! Greatly appreciate it!
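Added example (not code from any poster in this thread, nor from Cisco) to illustrate the two approaches discussed above: the access-group ACL in the final post, where only the listed flow is permitted and everything else falls to the implicit deny, and the earlier PBR suggestion, where the ACL instead selects traffic to be sent to Null0 and everything unmatched is forwarded normally. The Python model below implements Cisco wildcard-mask matching and first-match evaluation; the helper names (`parse_acl`, `evaluate`, `compare`, and so on) and the sample host addresses are constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AclEntry:
    """One permit/deny line of a Cisco-style extended IP ACL (hypothetical model)."""
    action: str
    src: str
    src_wild: str
    dst: str
    dst_wild: str


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask semantics: a 0 bit in the mask must match, a 1 bit is ignored.
    0.0.0.255 therefore covers a /24, 0.0.0.0 a single host, 255.255.255.255 'any'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (n & care)


def _consume_addr(tok: List[str], i: int) -> Tuple[str, str, int]:
    """Read one address spec ('any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W') starting at tok[i]."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse numbered ('access-list 101 permit ip ...') or named ('permit ip ...') entries.
    Only the 'ip' protocol form used in this thread is modelled; '!' comment lines are skipped."""
    entries: List[AclEntry] = []
    for line in lines:
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "access-list":
            tok = tok[2:]  # drop 'access-list <number>'
        try:
            if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
                raise IndexError
            src, src_w, i = _consume_addr(tok, 2)
            dst, dst_w, _ = _consume_addr(tok, i)
        except IndexError:
            # e.g. the incomplete 'permit 192.168.2.0' attempted earlier in the thread lands here
            raise ValueError(f"unsupported or incomplete ACL entry: {line!r}") from None
        entries.append(AclEntry(tok[0], src, src_w, dst, dst_w))
    return entries


def evaluate(acl: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny at the end."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
            return e.action
    return "deny"


# The final working ACL from the thread, applied with 'ip access-group 101 out' on Vlan 100:
# only the listed flow is permitted, everything else is dropped by the implicit deny.
ACCESS_GROUP_ACL = parse_acl([
    "access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255",
])

# The PBR suggestion: there the ACL *selects* traffic for 'set interface null0',
# so a match means the packet is discarded and a non-match is forwarded normally.
PBR_SELECT_ACL = parse_acl([
    "access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255",
])


def access_group_decision(src: str, dst: str) -> str:
    return "forward" if evaluate(ACCESS_GROUP_ACL, src, dst) == "permit" else "drop"


def pbr_decision(src: str, dst: str) -> str:
    return "drop" if evaluate(PBR_SELECT_ACL, src, dst) == "permit" else "forward"


# Constructed sample flows (not from the thread), one host per network in the question.
SAMPLE_FLOWS = (
    ("192.168.2.10", "192.168.1.20"),  # Vlan 2 -> Vlan 1: the only traffic that must reach Vlan 1
    ("192.168.3.10", "192.168.1.20"),  # Vlan 3 -> Vlan 1: must be blocked
    ("192.168.3.10", "192.168.2.20"),  # Vlan 3 -> Vlan 2: not mentioned in the question
)


def compare(flows=SAMPLE_FLOWS) -> Dict[Tuple[str, str], Tuple[str, str]]:
    """Map each (src, dst) flow to (access-group decision, PBR/null0 decision)."""
    return {f: (access_group_decision(*f), pbr_decision(*f)) for f in flows}


if __name__ == "__main__":
    for (src, dst), (ag, pbr) in compare().items():
        print(f"{src:>14} -> {dst:<14} access-group: {ag:<8} PBR/null0: {pbr}")
```

Both approaches block Vlan 3 to Vlan 1 and pass Vlan 2 to Vlan 1; they differ on everything else that crosses the interface. The permit-only access-group defaults to deny (the third sample flow is dropped), while the PBR variant defaults to forward (the same flow passes). Which flows actually traverse interface Vlan 100 depends on where each network sits in the topology, which the thread's attachment does not show, so the default-deny behaviour of the final configuration is something to confirm against every flow the link is expected to carry.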
