07-16-2012 01:05 AM - edited 03-07-2019 07:47 AM
Hi,
I am not able to apply an access-list to FastEthernet 0 as the ip access-group is not supported in Interface mode but only in interface vlan mode.
How can I stop traffic into the LAN network?
Cheers,
Pei Wai.
07-16-2012 01:22 AM
Hello Leepewai,
An ACL is an OSI layer 3 object, so it can only be applied to a L3 interface, which is the VLAN interface in your case, as the FastEthernet port is a switchport (like a L2 LAN switch port) in your router.
You should be able to achieve the desired traffic filtering by applying the ACL on the SVI using ip access-group at the interface vlan level.
Your only limitation is that you cannot filter traffic between FastEthernet ports that are members of the same L2 VLAN (traffic within the IP subnet associated with the VLAN). This can be achieved on a multilayer switch like the C3750 using the VACL feature.
Hope to help
Giuseppe
07-16-2012 04:27 AM
Hello Giuseppe,
So I understand why the ACL cannot be applied to the FastEthernet port, as it is a switchport, thanks!
I have 2 subnets: VLAN 2 (office) - 192.168.89.0/24, VLAN 3 (wireless guest) - 10.127.0.0/24.
Both VLANs can access the Internet, but VLAN 3 should not be able to access VLAN 2.
I created an ACL:
access-list 33 permit 192.168.89.0 0.0.0.255
Then I applied it to interface VLAN 2:
interface vlan 2
ip access-group 33 in
However, I am still able to ping VLAN 2 (192.168.89.1) from the Guest PC.
Please advise how I can stop the Guest PC from accessing VLAN 2.
Cheers,
Pei Wai
07-16-2012 04:45 AM
Hello Pei Wai,
I would suggest using an extended IP ACL, as you want to block communication between VLAN 2 and VLAN 3:
access-list 101 remark deny vlan3 to vlan2
access-list 101 deny ip 192.168.89.0 0.0.0.255 10.127.0.0 0.0.0.255
access-list 101 permit ip any any
interface vlan 2
ip access-group 101 in
This should break communication between VLAN 2 and VLAN 3 without impacting Internet connectivity.
Your ACL 33 allows all traffic sourced from 192.168.89.0/24, including traffic with destination 10.127.0.0/24.
Hope to help
Giuseppe
07-16-2012 05:39 PM
Hi Giuseppe,
I tried ACL 101 above and applied it to VLAN 2, but traffic from the wireless Guest network can still ping 192.168.89.1 (the VLAN 2 interface).
I even tried removing permit ip any any; traffic from Guest can still ping 192.168.89.1.
Note: the access point has its own module: service-module wlan-ap 0 session.
I tried to apply an ACL on int Gi0 and deny everything, but still was not able to stop Guest from accessing VLAN 2.
Please advise.
Pei Wai.
07-16-2012 06:58 PM
And also, the 887 does not support vlan access-map.
07-16-2012 08:47 PM
Got it sorted.
I applied the ACL on int VLAN 3:
access-list 113 deny ip 10.127.0.0 0.0.0.255 192.168.89.0 0.0.0.255
access-list 113 permit ip any any
interface vlan 3
ip access-group 113 in
Guest traffic (10.127.0.0) to 192.168.89.0 is stopped at the entrance to VLAN 3.
Cheers,
Pei Wai
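The thread never spells out why ACL 33 and ACL 101 on "interface vlan 2 ... in" did not stop the guest pings while ACL 113 on "interface vlan 3 ... in" did. The reason is direction: an inbound ACL on an SVI is only consulted for packets that arrive on that SVI from hosts in that VLAN, so a ping from 10.127.0.20 enters on VLAN 3 and never touches the VLAN 2 ACL, and the echo reply from 192.168.89.1 is generated by the router itself, which is not subject to interface ACLs at all. The following Python model is an added example, not code from the original thread or from Cisco; the host addresses 10.127.0.20, 192.168.89.50 and the Internet address 8.8.8.8 are constructed for the demonstration, and the ACL and SVI semantics it encodes are the standard IOS ones (wildcard masks, first match wins, implicit deny).

```python
"""Model of IOS inbound ACLs on SVIs, to show why placement and direction decide
whether guest -> office traffic is filtered. Added example; subnets are the
thread's, host addresses and the Internet address are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")          # "any" as network/wildcard
OFFICE = ("192.168.89.0", "0.0.0.255")        # VLAN 2, from the thread
GUEST = ("10.127.0.0", "0.0.0.255")           # VLAN 3, from the thread


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    src: Tuple[str, str]            # (network, wildcard)
    dst: Tuple[str, str] = ANY      # standard ACLs match on source only


def evaluate(acl: List[Entry], src: str, dst: str) -> str:
    """First matching entry wins; no match falls into the implicit deny."""
    for e in acl:
        if wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst):
            return e.action
    return "deny"


@dataclass
class Flow:
    src: str
    dst: str
    enters_on: Optional[str]        # SVI the packet arrives on; None = router-originated


def forward(flow: Flow, bindings: Dict[str, List[Entry]]) -> str:
    """bindings maps an SVI name to the ACL bound with 'ip access-group <n> in'.
    Only the ACL on the ingress SVI is consulted. Packets the router itself
    originates (an echo reply from an SVI address) never pass an inbound ACL."""
    acl = bindings.get(flow.enters_on) if flow.enters_on else None
    return "permit" if acl is None else evaluate(acl, flow.src, flow.dst)


def ping_result(bindings: Dict[str, List[Entry]], request: Flow, reply: Flow) -> str:
    """A ping succeeds only if both the echo request and the echo reply are forwarded."""
    ok = forward(request, bindings) == "permit" and forward(reply, bindings) == "permit"
    return "reply" if ok else "timeout"


# The three ACLs from the thread.
ACL_33 = [Entry("permit", OFFICE)]                               # standard, source only
ACL_101 = [Entry("deny", OFFICE, GUEST), Entry("permit", ANY, ANY)]
ACL_113 = [Entry("deny", GUEST, OFFICE), Entry("permit", ANY, ANY)]

# Constructed flows (hosts .20 and .50 and 8.8.8.8 are assumptions).
guest_to_svi = Flow("10.127.0.20", "192.168.89.1", "vlan3")
svi_reply = Flow("192.168.89.1", "10.127.0.20", None)            # router-originated
guest_to_office_host = Flow("10.127.0.20", "192.168.89.50", "vlan3")
office_host_reply = Flow("192.168.89.50", "10.127.0.20", "vlan2")
guest_to_internet = Flow("10.127.0.20", "8.8.8.8", "vlan3")
office_to_internet = Flow("192.168.89.50", "8.8.8.8", "vlan2")

if __name__ == "__main__":
    for label, bindings in [("acl 33 on vlan2 in", {"vlan2": ACL_33}),
                            ("acl 101 on vlan2 in", {"vlan2": ACL_101}),
                            ("acl 113 on vlan3 in", {"vlan3": ACL_113})]:
        print(label)
        print("  guest -> 192.168.89.1 (SVI):   ", ping_result(bindings, guest_to_svi, svi_reply))
        print("  guest -> 192.168.89.50 (host): ", ping_result(bindings, guest_to_office_host, office_host_reply))
        print("  guest -> Internet:             ", forward(guest_to_internet, bindings))
        print("  office -> Internet:            ", forward(office_to_internet, bindings))
```

Running it shows that ACL 33 never sees the guest packets at all, that ACL 101 on VLAN 2 only stops the reply from an office host (and so breaks host-to-host pings but not pings to the SVI address the poster was testing against), and that ACL 113 on VLAN 3 drops the guest echo request at ingress before the router decides whether it is addressed to itself, while leaving both VLANs' Internet traffic untouched.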