Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
747
Views
0
Helpful
6
Replies

ACL Switching

Go to solution
nathanllp
Level 1
Level 1

‎02-14-2013 08:18 AM - edited ‎03-07-2019 11:43 AM

Hello guys.


I don't too much exp, so, I'd like your opinion about some ACL I need to configure.


Basicaly, I have this VLANs;

CPD; 10.0.2.0/24

USERS; 10.0.2.0/24

ADM; 10.0.1.0/24

SERVERS; 10.0.6.0/24

MmGt; 192.168.100.0/24


Rules;

CPD access everybody

Everybordy access SERVERS

ADM, USERS no access each other


I thought to configure extended acls, like this;


permit ip 10.0.2.0 0.0.0.255 10.0.3.0 0.0.0.255

permit ip 10.0.3.0 0.0.0.255 10.0.2.0 0.0.0.255


And so on...


Probably there's a better way. What do you guys suggest me?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
andrestruwe
Level 1
Level 1
In response to nathanllp

‎02-14-2013 09:05 PM

Hello Nathan,

an ACL does only deny or permit access. Lets say you want to deny traffic from source 1 to target 1 then your traffic is just denied in one direction. Traffic from target 1 back to source 1 isn't denied. You have to define it explicitly.

Instead of using an extended ACL you can do the following:

Let's say that you have a single interface for every VLAN. You can put a standard ACL on every VLAN interface to block incoming traffic. In your case on the USERS VLAN block incoming traffic from ADM. Traffic from USERS can go out but no traffic from ADM can come in. Now do the same in your ADM VLAN: Block incoming traffic from USERS and you're done.

VACL (VLAN Access Control List)

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml

View solution in original post

0 Helpful
6 Replies 6

Go to solution
andrestruwe
Level 1
Level 1

‎02-14-2013 11:47 AM

Hello Nathan,

first of all, just to make sure:

"Rules;

CPD access everybody

Everybordy access SERVERS

ADM, USERS no access each other"

ADM and USERS shouldn't access each other means that ADM can't access USERS and USERS can't access ADM?

If so, my personal solution would be this:

deny ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255

deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

permit ip any any

Not the secure way, but maybe shorter.

0 Helpful

Go to solution
nathanllp
Level 1
Level 1
In response to andrestruwe

‎02-14-2013 04:18 PM

I got it.

Just a question; Cisco Switches create a "State Table" for ACLs?

For example, if I set a rule saying that CPD access ADM, automatically, the sw create a rule for the packet come back??

0 Helpful

Go to solution
andrestruwe
Level 1
Level 1
In response to nathanllp

‎02-14-2013 09:05 PM

Hello Nathan,

an ACL does only deny or permit access. Lets say you want to deny traffic from source 1 to target 1 then your traffic is just denied in one direction. Traffic from target 1 back to source 1 isn't denied. You have to define it explicitly.

Instead of using an extended ACL you can do the following:

Let's say that you have a single interface for every VLAN. You can put a standard ACL on every VLAN interface to block incoming traffic. In your case on the USERS VLAN block incoming traffic from ADM. Traffic from USERS can go out but no traffic from ADM can come in. Now do the same in your ADM VLAN: Block incoming traffic from USERS and you're done.

VACL (VLAN Access Control List)

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml

0 Helpful

Go to solution
nathanllp
Level 1
Level 1
In response to nathanllp

‎02-15-2013 02:21 AM

Tnks Andre.

I know the theory, but I don't have exp. in ACL, so, sometimes is seems to bem harder. I was thinking exactly like this, but, I couldn't find a straight clear answer.

Tnk you man.

0 Helpful

Go to solution
tobyarnett
Level 1
Level 1

‎02-14-2013 08:47 PM

Switches maintain ARP tables. When you start applying access lists I am thinking you have an L3 switch? Also do you need help writing that ACL or did I misunderstand the question. If you need the ACL what network are you applying it on. That will determine which IP is source and destination.


-Toby


Sent from Cisco Technical Support Android App

-Toby


Please don't forget to rate any helpful post.

_____________________________________
There are no great limits to growth because there are no limits of human intelligence, imagination, and wonder.
- Ronald Reagan
0 Helpful

Go to solution
nathanllp
Level 1
Level 1
In response to tobyarnett

‎02-15-2013 02:28 AM

Hello Toby

Yes, this a L3 Sw question. I'm dealing with routing switching, blocking with ACLs.

I was asking suggestion to create my ACLs, because I don't have exp with it.

Basically I have 4 VLANs;

ADM       10.0.1.0/24

TI            10.0.2.0/24

USERS   10.0.3.0/24

SERVER 10.0.6.0/24

I need to set a ACLs to make the following;

TI access ADM, USERS and SERVER

TI, ADM and USERS access SERVER

ADM doesn't access USERS and TI

USERS doesn't acces ADM, TI

I think in something like this;

VLAN   10 (ADM)
deny ip   10.0.3.0 0.0.0.255
permit ip   10.0.2.0 0.0.0.255
permit ip   10.0.6.0 0.0.0.255




VLAN 20 (TI)
permit ip   10.0.1.0 0.0.0.255
permit ip   10.0.2 0.0.0.255
permit ip   10.0.6.0 0.0.0.255
permit ip   10.0.3.0 0.0.0.255




VLAN 30 (USERS)
deny ip   10.0.1.0 0.0.0.255
permit ip   10.0.2.0 0.0.0.255
permit ip   10.0.6.0 0.0.0.255




VLAN 60 (SERVER)
permit ip   10.0.1.0 0.0.0.255
permit ip   10.0.2 0.0.0.255
permit ip   10.0.6.0 0.0.0.255

permit ip   10.0.3.0 0.0.0.255

What do you suggest?


0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card