ACL Switching

nathanllp
Level 1

Hello guys.


I don't have too much exp, so I'd like your opinion about some ACLs I need to configure.


Basically, I have these VLANs:

CPD; 10.0.2.0/24

USERS; 10.0.2.0/24

ADM; 10.0.1.0/24

SERVERS; 10.0.6.0/24

MmGt; 192.168.100.0/24


Rules;

CPD access everybody

Everybody access SERVERS

ADM, USERS no access each other


I thought of configuring extended ACLs, like this:


permit ip 10.0.2.0 0.0.0.255 10.0.3.0 0.0.0.255

permit ip 10.0.3.0 0.0.0.255 10.0.2.0 0.0.0.255


And so on...


Probably there's a better way. What do you guys suggest?


andrestruwe
Level 1

Hello Nathan,

first of all, just to make sure:

"Rules;

CPD access everybody

Everybody access SERVERS

ADM, USERS no access each other"

"ADM and USERS shouldn't access each other" means that ADM can't access USERS and USERS can't access ADM?

If so, my personal solution would be this:

deny ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255

deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

permit ip any any

Not the secure way, but maybe shorter.

I got it.

Just a question: do Cisco switches create a "State Table" for ACLs?

For example, if I set a rule saying that CPD accesses ADM, does the switch automatically create a rule for the packets to come back?

Hello Nathan,

an ACL only denies or permits access. Let's say you want to deny traffic from source 1 to target 1; then your traffic is only denied in one direction. Traffic from target 1 back to source 1 isn't denied. You have to define it explicitly.

Instead of using an extended ACL you can do the following:

Let's say that you have a single interface for every VLAN. You can put a standard ACL on every VLAN interface to block incoming traffic. In your case on the USERS VLAN block incoming traffic from ADM. Traffic from USERS can go out but no traffic from ADM can come in. Now do the same in your ADM VLAN: Block incoming traffic from USERS and you're done.

VACL (VLAN Access Control List)

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml

Thanks Andre.

I know the theory, but I don't have exp. in ACLs, so sometimes it seems to be harder. I was thinking exactly like this, but I couldn't find a straight, clear answer.

Thank you, man.

tobyarnett
Level 1

Switches maintain ARP tables. When you start applying access lists, I am thinking you have an L3 switch? Also, do you need help writing that ACL, or did I misunderstand the question? If you need the ACL, what network are you applying it on? That will determine which IP is source and destination.


-Toby


Hello Toby

Yes, this is an L3 switch question. I'm dealing with routing/switching, blocking with ACLs.

I was asking for suggestions to create my ACLs, because I don't have exp with them.

Basically I have 4 VLANs:

ADM     10.0.1.0/24

TI      10.0.2.0/24

USERS   10.0.3.0/24

SERVER  10.0.6.0/24

I need to set ACLs to do the following:

TI access ADM, USERS and SERVER

TI, ADM and USERS access SERVER

ADM doesn't access USERS and TI

USERS doesn't access ADM, TI

I'm thinking of something like this:

VLAN 10 (ADM)
deny ip   10.0.3.0 0.0.0.255
permit ip   10.0.2.0 0.0.0.255
permit ip   10.0.6.0 0.0.0.255

VLAN 20 (TI)
permit ip   10.0.1.0 0.0.0.255
permit ip   10.0.2.0 0.0.0.255
permit ip   10.0.6.0 0.0.0.255
permit ip   10.0.3.0 0.0.0.255

VLAN 30 (USERS)
deny ip   10.0.1.0 0.0.0.255
permit ip   10.0.2.0 0.0.0.255
permit ip   10.0.6.0 0.0.0.255

VLAN 60 (SERVER)
permit ip   10.0.1.0 0.0.0.255
permit ip   10.0.2.0 0.0.0.255
permit ip   10.0.6.0 0.0.0.255
permit ip   10.0.3.0 0.0.0.255

What do you suggest?
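As an added example (not from the thread, and not Cisco's own code): a small Python model of how IOS evaluates an extended ACL, first match wins with an implicit deny at the end, applied to the four-VLAN policy in the post above as inbound ACLs on each VLAN's SVI, so that every packet an ACL sees is sourced by its own VLAN. The `established` option models the real IOS `permit tcp ... established` keyword, which the thread does not mention; the POLICY table, the .10 host addresses and the function names are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
# VLAN subnets from the post above; the policy table and hosts are constructed.
VLANS = {"ADM": "10.0.1.0/24", "TI": "10.0.2.0/24",
         "USERS": "10.0.3.0/24", "SERVER": "10.0.6.0/24"}
ANY = ("0.0.0.0", "255.255.255.255")          # IOS 'any' written as network/wildcard
POLICY = {"ADM": ["USERS", "TI"], "USERS": ["ADM", "TI"],   # VLAN -> VLANs it may NOT reach
          "TI": [], "SERVER": []}

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    src: tuple                  # (network, wildcard), as an IOS ACE writes it
    dst: tuple
    established: bool = False   # models 'permit tcp ... established' (ACK or RST set)

def net(vlan):
    """(network, wildcard) for a VLAN, e.g. ('10.0.1.0', '0.0.0.255')."""
    n = ipaddress.ip_network(VLANS[vlan])
    return str(n.network_address), str(n.hostmask)

def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return a & ~w == n & ~w

def evaluate(acl, src_ip, dst_ip, is_reply=False):
    """First matching ACE decides; an IOS ACL always ends in an implicit deny."""
    for ace in acl:
        if ace.established and not is_reply:
            continue            # 'established' never matches a session-opening packet
        if wildcard_match(src_ip, *ace.src) and wildcard_match(dst_ip, *ace.dst):
            return ace.action
    return "deny"

def inbound_acl(vlan, allow_replies=False):
    """ACL applied 'in' on the SVI of `vlan`: every packet it sees is sourced by that VLAN."""
    acl = [Ace("permit", net(vlan), ANY, established=True)] if allow_replies else []
    acl += [Ace("deny", net(vlan), net(blocked)) for blocked in POLICY[vlan]]
    acl.append(Ace("permit", net(vlan), ANY))  # everything else, e.g. to SERVER
    return acl

def allowed(src_vlan, dst_vlan, allow_replies=False):
    """(session can be opened, reply gets back) for a TCP session src_vlan -> dst_vlan."""
    s, d = (str(ipaddress.ip_network(VLANS[v])[10]) for v in (src_vlan, dst_vlan))
    forward = evaluate(inbound_acl(src_vlan, allow_replies), s, d) == "permit"
    reply = evaluate(inbound_acl(dst_vlan, allow_replies), d, s, is_reply=True) == "permit"
    return forward, reply
```

allowed('TI', 'ADM') returns (True, False): TI can open the session, but the stateless deny on the ADM interface drops the reply unless established traffic is permitted first, which is exactly the point of Andre's answer.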

