01-29-2018 02:14 PM - edited 03-08-2019 01:36 PM
Hello all,
I need some assistance with creating some ACLs. In my environment I have a few VLANs, 192.168.101.0/24 - 192.168.105.0/24 (.102, .103 and .104 are in there as well), as well as the default VLAN 192.168.1.0/24.
What I am trying to do is prevent traffic from any VLAN from reaching another (other than the default VLAN, so that they may still reach the internet).
I would like to create some ACLs to accomplish this, but I am confused about in/out and how to actually apply them to each VLAN.
Can someone please point me in the correct direction?
Thank you in advance,
Johnny
01-29-2018 03:20 PM
Hi
You want to deny communication between all VLANs except 192.168.1.0/24, just to access the internet, right? Then they don't need to reach all devices; they just need to reach the router to get to the internet.
The goal is to apply an ACL as close as possible to the source.
Let's assume your router that gives access to the internet has IP 192.168.1.1.
I'll do an example for VLAN 192.168.105.0/24 and you'll be able to copy/paste and modify the ACL for the others.
ip access-list extended VLAN105
permit ip 192.168.105.0 0.0.0.255 host 192.168.1.1
deny ip 192.168.105.0 0.0.0.255 192.168.101.0 0.0.0.255
deny ip 192.168.105.0 0.0.0.255 192.168.102.0 0.0.0.255
deny ip 192.168.105.0 0.0.0.255 192.168.103.0 0.0.0.255
deny ip 192.168.105.0 0.0.0.255 192.168.104.0 0.0.0.255
permit ip 192.168.105.0 0.0.0.255 any
!
interface vlan 105
ip access-group VLAN105 in
Now another example for VLAN 104 (192.168.104.0/24):
ip access-list extended VLAN104
permit ip 192.168.104.0 0.0.0.255 host 192.168.1.1
deny ip 192.168.104.0 0.0.0.255 192.168.101.0 0.0.0.255
deny ip 192.168.104.0 0.0.0.255 192.168.102.0 0.0.0.255
deny ip 192.168.104.0 0.0.0.255 192.168.103.0 0.0.0.255
deny ip 192.168.104.0 0.0.0.255 192.168.105.0 0.0.0.255
permit ip 192.168.104.0 0.0.0.255 any
!
interface vlan 104
ip access-group VLAN104 in
Try that and let me know
01-31-2018 05:47 PM
Hello Francesco,
Here's what I get when I try to enter the command:
CoreSwitch(config-ip-al)#permit ip 192.168.105.0 0.0.0.255 host 192.168.1.1
% Wrong number of parameters or invalid range, size or characters entered
Am I entering it incorrectly?
Btw, my switch is a Cisco SG500X.
Thanks,
John
01-31-2018 06:14 PM
02-04-2018 11:18 AM
ok, thank you.
Any reason why I get "unrecognized command" when I apply the ACL to the VLAN?
ip access-extended 104
int vlan 104
ip access-group 104 in
"%unrecognized command%"
02-04-2018 11:56 AM
02-07-2018 10:27 AM
Francesco,
Will I need to allow the DHCP service to get through the ACL? As of now, my PCs are not able to obtain an IP from the router at 192.168.1.1 (which they did before I implemented the ACL).
John
02-07-2018 04:08 PM
02-08-2018 06:27 AM
The router (and dhcp) is at IP 192.168.1.1.
Here are my ACLs. I applied them, but had to remove them until I can get this sorted out. Also, I attached my switch and router configs (the switch shows the IP helper addresses, and the router has all the DHCP info).
Thank you,
John
02-08-2018 06:09 PM
Your DHCP server is 192.168.1.1.
On all ACLs, your first line is:
permit ip 192.168.105.0 0.0.0.255 host 192.168.1.1
This means that traffic for DHCP to 192.168.1.1 should be allowed.
Have you tested it?
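The following is an added example, not part of the thread and not Cisco code: a small offline evaluator for the IOS-style extended ACLs posted above (the VLAN105 list and the copy/paste pattern for the other VLANs), which also answers the DHCP question by running constructed sample flows through the list. It models the two things every IOS ACL does regardless of platform: first matching entry wins, and anything that matches nothing hits the implicit "deny ip any any". The sample flows are made up here. One of them is the initial DHCPDISCOVER that a client without a lease sends from 0.0.0.0 to 255.255.255.255 (per RFC 2131), which none of the entries matches because the source is not in 192.168.105.0/24; whether a given switch and firmware actually subjects relayed DHCP to an inbound VLAN ACL is platform-specific and is not something this evaluator can tell you, so treat that row as the case to verify on the box. `build_acl` is a convenience of this example that generates the same permit/deny/permit pattern for any VLAN number.

```python
"""Offline evaluator for the IOS-style extended ACLs in the thread above.

Added example, not code from the thread or from Cisco. Models first-match
evaluation with wildcard masks and the implicit 'deny ip any any' at the
end of every ACL, then runs constructed sample flows through the VLAN105 list.
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")

# The VLAN105 ACL exactly as written in the reply, kept as text so the
# parser below shows how each line is interpreted.
VLAN105_ACL = """
permit ip 192.168.105.0 0.0.0.255 host 192.168.1.1
deny ip 192.168.105.0 0.0.0.255 192.168.101.0 0.0.0.255
deny ip 192.168.105.0 0.0.0.255 192.168.102.0 0.0.0.255
deny ip 192.168.105.0 0.0.0.255 192.168.103.0 0.0.0.255
deny ip 192.168.105.0 0.0.0.255 192.168.104.0 0.0.0.255
permit ip 192.168.105.0 0.0.0.255 any
"""


def _addr_spec(tokens):
    """Consume one source/destination spec: 'any', 'host A', or 'A WILDCARD'.
    Returns ((network, wildcard), remaining_tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Turn 'permit|deny ip SRC DST' lines into (action, src, dst) rules."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, rest = _addr_spec(tokens[2:])
        dst, rest = _addr_spec(rest)
        if rest:
            raise ValueError(f"trailing tokens in ACE: {line}")
        rules.append((action, src, dst))
    return rules


def wildcard_match(addr, spec):
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    net, wild = spec
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


def evaluate(rules, src, dst):
    """First matching ACE wins; a packet matching nothing hits the implicit deny.
    Returns (action, index); index is None for the implicit deny."""
    for i, (action, s, d) in enumerate(rules):
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action, i
    return "deny", None


def build_acl(vlan, all_vlans, gateway, base="192.168"):
    """Hypothetical helper: emit the same rule pattern for any VLAN in the
    192.168.<vlan>.0/24 scheme used in the thread."""
    me = f"{base}.{vlan}.0 0.0.0.255"
    lines = [f"permit ip {me} host {gateway}"]
    for other in all_vlans:
        if other != vlan:
            lines.append(f"deny ip {me} {base}.{other}.0 0.0.0.255")
    lines.append(f"permit ip {me} any")
    return "\n".join(lines)


# Constructed sample flows for a host on VLAN 105 (not from the thread).
SAMPLE_FLOWS = [
    ("192.168.105.10", "192.168.1.1"),       # to the internet router
    ("192.168.105.10", "192.168.103.5"),     # to another user VLAN
    ("192.168.105.10", "8.8.8.8"),           # routed to the internet
    ("192.168.105.10", "192.168.1.50"),      # to a host on the default VLAN
    ("0.0.0.0", "255.255.255.255"),          # DHCPDISCOVER from an unconfigured client
]

if __name__ == "__main__":
    rules = parse_acl(VLAN105_ACL)
    for src, dst in SAMPLE_FLOWS:
        action, idx = evaluate(rules, src, dst)
        where = f"ACE {idx + 1}" if idx is not None else "implicit deny"
        print(f"{src:>16} -> {dst:<16} {action:6} ({where})")
    print()
    print(build_acl(104, [101, 102, 103, 104, 105], "192.168.1.1"))
```

Running it prints one line per sample flow: the router and internet flows are permitted, the cross-VLAN flow is denied by the matching deny entry, a host on the default VLAN 192.168.1.0/24 is still reachable via the final "permit ... any" (which is what the original question asked for), and the DHCPDISCOVER row lands on the implicit deny. The generated VLAN 104 list is line-for-line the one posted above, which is a quick way to produce the remaining three lists without typos.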