Applying ACLs to VLAN Interfaces?

shuhari00
Level 1

Hi,

I have a router-on-a-stick, which routes between different VLANs.

Originally I thought I could just use one of the switchports from my ethernet switch module and trunk there, and then apply access control lists to the "int vlan" directly, because it held the .1 gateway IPs.

Turns out I was wrong, it does nothing there. Turns out I don't know where to apply these ACLs.

So now I have a router-on-a-stick configuration...

Which is, on one of the routable interfaces on my 2911 router, I have sub-interfaces with the various VLANs on them, and their gateway IPs configured.

What I need to do is cut the VOICE VLAN off from the Main Data VLAN, as well as the Guest VLAN. I don't understand why this isn't working.

I've applied an access-list to the sub-interface gig0/2.99 in the form of "access-list 199 deny ip any any", but it's not blocking my ping to 10.101.99.1 from a different subnet.

Should I be applying these ACLs elsewhere?

3 Replies

Jon Marshall
Hall of Fame

Is 10.101.99.1 the router sub-interface IP?

If so, neither an inbound nor an outbound acl would stop this ping working if you are pinging from a different subnet. Think of it like this -

int fa0/0.10
 encapsulation dot1q 10
 ip address 10.5.1.1 255.255.255.0
int fa0/0.11
 encapsulation dot1q 11
 ip address 10.6.1.1 255.255.255.0

access-list 101 deny ip any any

If you apply acl 101 inbound on fa0/0.10, that restricts traffic from any 10.5.1.x clients sending traffic to the router. It would also stop a ping of 10.5.1.1 working.

If you apply the acl outbound on fa0/0.10, that restricts all traffic coming from other subnets to clients on the 10.5.1.x subnet.

If you ping from the 10.6.1.x subnet and you ping a client in the 10.5.1.x subnet (note a client, not 10.5.1.1) then -

1) if the acl is applied inbound on fa0/0.10, the icmp ping would reach the client but the return traffic would be blocked

2) if the acl is applied outbound, the icmp ping would never reach the client

However, if you ping 10.5.1.1 then the inbound acl does not apply, because the traffic is not coming from a client on the 10.5.1.x subnet, and the outbound acl does not apply, because the traffic is not going to a client on the 10.5.1.x subnet.

If you wanted to block traffic to the 10.5.1.1 router interface you would need to apply an acl inbound on fa0/0.11 (assuming you were pinging from a client on the 10.6.1.x subnet).

So basically, to test your acls, don't ping router interfaces; ping clients within the subnets connected to the router.

Jon

Okay understood.

So I think I've figured it out to a good degree... but I'm trying to understand where the best place to put the ACLs is.

I know it's "as close to the source as possible", but in practice how does this look?

I have the following interfaces:

10.101.4.1

10.101.10.1

10.101.99.1

All different VLANs, and they get routed through a router-on-a-stick port (dot1q encapsulation with sub-interfaces).

.10.1 is Voice

.99.1 is Guest

and .4.1 is my Main internal company LAN.

I need to make sure Voice and Guest are segregated, where they can route through the router to a far away destination or whatever, but I do not want them interacting with the other subnets.

Where would I best place these ACLs? On each one, protecting .4.1 from .99.1 traffic, or?

access-list 101 deny ip 10.101.10.0 0.0.0.255 10.101.4.0 0.0.0.255
access-list 101 deny ip 10.101.10.0 0.0.0.255 10.101.99.0 0.0.0.255
access-list 101 permit ip 10.101.10.0 0.0.0.255 any

access-list 102 deny ip 10.101.99.0 0.0.0.255 10.101.4.0 0.0.0.255
access-list 102 deny ip 10.101.99.0 0.0.0.255 10.101.10.0 0.0.0.255
access-list 102 permit ip 10.101.99.0 0.0.0.255 any

then apply these acls to the relevant sub-interfaces, ie. -

int <voice sub-interface>
 ip access-group 101 in
int <guest sub-interface>
 ip access-group 102 in

Jon
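The direction rules from the first reply (why a ping to the gateway IP ignores an ACL on that sub-interface in either direction) and the wildcard-mask lists from the second reply can be checked by hand with a small model. The following Python is an added, constructed example: it is not anything Jon or the original poster wrote and it is not how IOS is implemented, just a stateless trace of one packet at a time that applies an inbound list on the sub-interface whose subnet the source sits in and an outbound list on the one the destination sits in. The sub-interface names gig0/2.4 (data) and gig0/2.10 (voice) are assumed; only gig0/2.99 (guest) appears in the thread, and the ACL lines are the second reply's with the typos corrected.

```python
import ipaddress
from dataclasses import dataclass
# Constructed model (added here; neither the thread's config nor IOS itself) of
# how numbered ACLs apply on router-on-a-stick sub-interfaces, one packet at a time.

@dataclass
class Ace:
    action: str      # "permit" or "deny"
    src: object      # (network, wildcard) as ints, or None for "any"
    dst: object

def _addr_spec(tokens, i):
    """Consume one address spec at tokens[i]; return (spec, index after it)."""
    if tokens[i] == "any":
        return None, i + 1
    net = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wildcard), i + 2

def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines into {N: [Ace, ...]}."""
    acls = {}
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported line: {line!r}")
        src, i = _addr_spec(t, 4)
        dst, _ = _addr_spec(t, i)
        acls.setdefault(t[1], []).append(Ace(t[2], src, dst))
    return acls

def matches(addr, spec):
    """Wildcard-mask match: a 1 bit in the wildcard means 'do not care'."""
    if spec is None:
        return True
    net, wildcard = spec
    return (int(ipaddress.IPv4Address(addr)) | wildcard) == (net | wildcard)

def evaluate(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if matches(src, ace.src) and matches(dst, ace.dst):
            return ace.action
    return "deny"

@dataclass
class SubIf:
    name: str
    network: ipaddress.IPv4Network
    address: str           # the gateway IP that lives on this sub-interface
    acl_in: str = None
    acl_out: str = None

def forward(subifs, acls, src, dst):
    """Trace one packet through the router and report where it ends up."""
    own = {s.address for s in subifs}
    ingress = next((s for s in subifs if ipaddress.IPv4Address(src) in s.network), None)
    egress = next((s for s in subifs if ipaddress.IPv4Address(dst) in s.network), None)
    if src in own:  # router-originated traffic (e.g. a reply from a gateway IP) is not filtered
        return f"forwarded out {egress.name}" if egress else "forwarded upstream"
    if ingress and ingress.acl_in and evaluate(acls[ingress.acl_in], src, dst) == "deny":
        return f"denied by acl {ingress.acl_in} inbound on {ingress.name}"
    if dst in own:  # addressed to a gateway IP: terminates here, no outbound list is consulted
        return "delivered to router"
    if egress is None:  # the 'far away destination'; no ACL is modelled on the upstream link
        return "forwarded upstream"
    if egress.acl_out and evaluate(acls[egress.acl_out], src, dst) == "deny":
        return f"denied by acl {egress.acl_out} outbound on {egress.name}"
    return f"forwarded out {egress.name}"

def ping(subifs, acls, src, dst):
    """Echo request, then the echo reply if the request was not dropped."""
    request = forward(subifs, acls, src, dst)
    if request.startswith("denied"):
        return request, None
    return request, forward(subifs, acls, dst, src)

def first_reply_router(acl_in=None, acl_out=None):
    """The fa0/0.10 / fa0/0.11 router from the first reply, ACL 101 on fa0/0.10."""
    return [
        SubIf("fa0/0.10", ipaddress.IPv4Network("10.5.1.0/24"), "10.5.1.1", acl_in, acl_out),
        SubIf("fa0/0.11", ipaddress.IPv4Network("10.6.1.0/24"), "10.6.1.1"),
    ]

DENY_ALL = parse_acl(["access-list 101 deny ip any any"])
# Second reply: lists 101 and 102 with the typos corrected. Only gig0/2.99 (guest)
# is named in the thread; gig0/2.4 (data) and gig0/2.10 (voice) are assumed names.
SEGREGATION = parse_acl([
    "access-list 101 deny ip 10.101.10.0 0.0.0.255 10.101.4.0 0.0.0.255",
    "access-list 101 deny ip 10.101.10.0 0.0.0.255 10.101.99.0 0.0.0.255",
    "access-list 101 permit ip 10.101.10.0 0.0.0.255 any",
    "access-list 102 deny ip 10.101.99.0 0.0.0.255 10.101.4.0 0.0.0.255",
    "access-list 102 deny ip 10.101.99.0 0.0.0.255 10.101.10.0 0.0.0.255",
    "access-list 102 permit ip 10.101.99.0 0.0.0.255 any",
])
STICK = [
    SubIf("gig0/2.4", ipaddress.IPv4Network("10.101.4.0/24"), "10.101.4.1"),
    SubIf("gig0/2.10", ipaddress.IPv4Network("10.101.10.0/24"), "10.101.10.1", acl_in="101"),
    SubIf("gig0/2.99", ipaddress.IPv4Network("10.101.99.0/24"), "10.101.99.1", acl_in="102"),
]
```

Calling `ping(first_reply_router(acl_in="101"), DENY_ALL, "10.6.1.50", "10.5.1.1")` returns the request as "delivered to router" and the reply as forwarded, with the same result for `acl_out="101"`; the ping only fails once the list is inbound on fa0/0.11, which is the first reply's point. Against `STICK`, a guest or voice client to the data subnet is dropped inbound on its own sub-interface, while a voice client to an address outside the router's subnets is permitted upstream. One thing worth noticing from the model: a ping from the data VLAN to a voice client gets its echo request delivered but the echo reply is then denied by list 101, because the lists are stateless and the reply is voice-sourced traffic to the data subnet, so inbound lists on the voice and guest sub-interfaces segregate those VLANs in both directions.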