ACLs on VLAN

johnnyparada (Level 1)

Hello all,

I need some assistance with creating some ACLs. In my environment I have a few vlans 192.168.101.0/24 - 192.168.105.0/24 (.102, .103, and .104 are in there as well), as well as the default vlan 192.168.1.0/24.

What I am trying to do is prevent traffic from any vlan to reach another (other than the default vlans - so that they may still reach the internet).

I would like to create some ACLs to accomplish this, but I am confused on in/out and how to actually apply them to each vlan.

Can someone please point me in the correct direction?

Thank you in advance,

Johnny

 

9 Replies

Francesco Molino (VIP Alumni)

Hi

You want to deny communication between all vlans except 192.168.1.0/24 just to access internet, right? Then you don't need to access all devices, you'll need to access just the router to access internet.

The goal is to apply an acl as close as possible to the source.

Let's assume your router giving access to internet has IP 192.168.1.1.

I'll do an example for VLAN 192.168.105.0/24 and you'll be able to copy/paste and modify the acl for others.

ip access-list extended VLAN105
 permit ip 192.168.105.0 0.0.0.255 host 192.168.1.1
 deny ip 192.168.105.0 0.0.0.255 192.168.101.0 0.0.0.255
 deny ip 192.168.105.0 0.0.0.255 192.168.102.0 0.0.0.255
 deny ip 192.168.105.0 0.0.0.255 192.168.103.0 0.0.0.255
 deny ip 192.168.105.0 0.0.0.255 192.168.104.0 0.0.0.255
 permit ip 192.168.105.0 0.0.0.255 any
!
interface vlan 105
 ip access-group VLAN105 in

Now another example for VLAN104 (192.168.104.0/24)

ip access-list extended VLAN104
 permit ip 192.168.104.0 0.0.0.255 host 192.168.1.1
 deny ip 192.168.104.0 0.0.0.255 192.168.101.0 0.0.0.255
 deny ip 192.168.104.0 0.0.0.255 192.168.102.0 0.0.0.255
 deny ip 192.168.104.0 0.0.0.255 192.168.103.0 0.0.0.255
 deny ip 192.168.104.0 0.0.0.255 192.168.105.0 0.0.0.255
 permit ip 192.168.104.0 0.0.0.255 any
!
interface vlan 104
 ip access-group VLAN104 in

Try that and let me know

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello Francesco,

Here's what I get when I try to enter the command:

CoreSwitch(config-ip-al)#permit ip 192.168.105.0 0.0.0.255 host 192.168.1.1
% Wrong number of parameters or invalid range, size or characters entered

Am I entering it incorrectly?

Btw my switch is a Cisco SG500x

Thanks,

John

Ok. On SG500 if I recall correctly you don't have the keyword host.
You need to replace host 192.168.1.1 with 192.168.1.1 0.0.0.0

Try that and let me know

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Ok, thank you.

Any reason why I get "unrecognized command" when I apply the acl to the vlan?

ip access-extended 104

int vlan 104
ip access-group 104 in

"%unrecognized command%"

Take a look at the SG500 CLI commands (page 109):
https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/Sx500/cli_guide/CLI_500.pdf

Instead of ip access-group you should use service-acl input.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Francesco,

Will I need to allow the DHCP service to get through the ACL? As of now, my PCs are not able to obtain an IP from the router at 192.168.1.1 (which they did before I implemented the ACL).

John

Can you paste the exact acl you've applied and tell me what the IP of the DHCP server is?

Depending on that information, yes you have to add it, or it's already added if you have a permit ip xxx

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

The router (and dhcp) is at IP 192.168.1.1.

Here are my ACLs. I applied them, but had to remove them until I can get this sorted out. Also, I attached my switch and router configs (the switch shows the IP helper addresses, and the router has all the DHCP info).

Thank you,

John

Your DHCP server is 192.168.1.1

On all ACLs, your first line is:

    permit ip 192.168.105.0 0.0.0.255 host 192.168.1.1

This means that traffic for DHCP to 192.168.1.1 should be allowed.

Have you tested it?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
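Added example (not code from the thread, from Cisco, or from either poster): a Python model of the ACL pattern Francesco describes (permit to the router first, deny each other user VLAN, then permit any), generated for every VLAN in one pass instead of one at a time, plus a first-match evaluator so the policy can be checked against the flows discussed in this thread, including the DHCP question, before it is typed into the switch. The VLAN subnets and the router/DHCP address 192.168.1.1 are the thread's; the 0.0.0.0 wildcard in place of `host` and `service-acl input <name>` as the apply command follow the corrections above, but the exact argument form of `service-acl input` on the SG500 and its default action (modelled here as an IOS-style implicit deny) are assumptions to confirm against the linked CLI guide. The host addresses and the public address 198.51.100.7 used as probes are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inputs taken from the thread: the user VLAN subnets and the
# router that is also the DHCP server (192.168.1.1).
USER_VLANS = {
    101: "192.168.101.0/24",
    102: "192.168.102.0/24",
    103: "192.168.103.0/24",
    104: "192.168.104.0/24",
    105: "192.168.105.0/24",
}
ROUTER = "192.168.1.1"


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: str     # "address wildcard" pair or "any"
    dst: str     # "address wildcard" pair or "any"


def wildcard(cidr):
    """'192.168.105.0/24' -> '192.168.105.0 0.0.0.255' (network + wildcard mask)."""
    net = ipaddress.ip_network(cidr)
    return f"{net.network_address} {net.hostmask}"


def build_acl(vlan_id, vlans=USER_VLANS, router=ROUTER):
    """Per-VLAN ACE list in the order given in the thread: permit to the router,
    deny every other user VLAN, then permit anything else (internet).
    The router is written as '192.168.1.1 0.0.0.0' rather than 'host 192.168.1.1'
    because the thread reports the SG500 does not accept the host keyword."""
    src = wildcard(vlans[vlan_id])
    aces = [Ace("permit", src, f"{router} 0.0.0.0")]
    for other_id, cidr in sorted(vlans.items()):
        if other_id != vlan_id:
            aces.append(Ace("deny", src, wildcard(cidr)))
    aces.append(Ace("permit", src, "any"))
    return aces


def render(vlan_id, aces):
    """Emit the ACL in CLI form. 'service-acl input <name>' is assumed from the
    thread's pointer for the SG500; verify the argument form in the CLI guide."""
    name = f"VLAN{vlan_id}"
    lines = [f"ip access-list extended {name}"]
    lines += [f" {a.action} ip {a.src} {a.dst}" for a in aces]
    lines += ["!", f"interface vlan {vlan_id}", f" service-acl input {name}"]
    return "\n".join(lines)


def _field_matches(field, addr):
    """Wildcard-mask match: bits that are 0 in the wildcard must equal the base."""
    if field == "any":
        return True
    base, wc = field.split()
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wc))
    a = int(ipaddress.ip_address(addr))
    return (a & ~w) & 0xFFFFFFFF == (b & ~w) & 0xFFFFFFFF


def evaluate(aces, src_ip, dst_ip):
    """First-match evaluation with an implicit deny at the end (assumed IOS-style
    semantics; the SG500's default action is an assumption to verify on the box)."""
    for ace in aces:
        if _field_matches(ace.src, src_ip) and _field_matches(ace.dst, dst_ip):
            return ace.action
    return "deny (implicit)"


def check_policy(vlan_id, vlans=USER_VLANS, router=ROUTER):
    """Probe one VLAN's ACL with the flows the thread cares about; returns verdicts."""
    aces = build_acl(vlan_id, vlans, router)
    me = str(ipaddress.ip_network(vlans[vlan_id]).network_address + 10)  # constructed host
    other = next(c for i, c in sorted(vlans.items()) if i != vlan_id)
    peer = str(ipaddress.ip_network(other).network_address + 10)         # constructed host
    return {
        "unicast_to_router": evaluate(aces, me, router),                # DHCP renew, gateway
        "to_other_vlan": evaluate(aces, me, peer),                      # the isolation goal
        "to_internet": evaluate(aces, me, "198.51.100.7"),              # constructed public IP
        "dhcp_discover": evaluate(aces, "0.0.0.0", "255.255.255.255"),  # initial lease request
    }


if __name__ == "__main__":
    for vid in sorted(USER_VLANS):
        print(render(vid, build_acl(vid)))
        print("#", check_policy(vid))
```

The `dhcp_discover` probe is the one to look at for the DHCP question: a client with no lease sends DISCOVER from 0.0.0.0 to 255.255.255.255, which matches none of the ACEs in this list (every source field is a user subnet), so whether the first lease succeeds depends on whether the switch evaluates relayed broadcasts against the ACE list; renewals are unicast to 192.168.1.1 and hit the first permit. If the box does drop them, the conventional addition is an explicit permit for UDP from 0.0.0.0 to 255.255.255.255 on the bootps port ahead of the denies, then re-run the check.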