518 Views · 0 Helpful · 5 Replies

Cisco access list question for newbie

1mfarberg (Level 1)

I have a 2960 switch with multiple VLANs. I would like one VLAN in particular to not be accessible from any other VLAN besides itself. This is what I came up with. The VLAN is located in 10.1.20.0/24:

ip access-list extended acl_vlan1200_in
 permit ip 10.1.20.0 0.0.0.255 any
 deny ip any any

I have applied this access list to the VLAN interface:

interface vlan1200
 ip address 10.1.20.1 255.255.255.0
 ip access-group acl_vlan1200_in in

The problem is that traffic from other VLANs makes it to the permit line when it should hit the deny line.

ugggh

5 Replies

Juan Ospina (Level 1)

Hi 1mfarberg,

VLANs are inherently secure, and the 2960s don't route, so your issue is with the L3 device. What is your L3 device? You will need to do your access control there.

In the production environment my core consists of a 3850. For testing purposes in my lab, I am using the 2960 with ip routing enabled.

Hello,

You need to change your access list:

ip access-list extended acl_vlan1200_out
 permit tcp any 10.1.20.0 0.0.0.255 established
 permit udp any 10.1.20.0 0.0.0.255
 permit icmp any 10.1.20.0 0.0.0.255 echo-reply
 deny ip any any

interface vlan1200
 ip address 10.1.20.1 255.255.255.0
 ip access-group acl_vlan1200_out out

***

Out - Controls traffic from other VLANs to VLAN 1200. "established" and "echo-reply" assure that only replies from other VLANs are allowed. For UDP traffic you cannot do anything because UDP is stateless; you can only allow certain ports.

As an example:

 permit udp any eq domain 10.1.20.0 0.0.0.255

This will only allow DNS replies from an external DNS server (other VLANs or outside).

**********

With the above configuration you only control traffic to VLAN 1200. Outgoing traffic will not be controlled. IN would control outgoing traffic (VLAN 1200 to outside), but it is not necessary unless you have a specific concern. Outgoing traffic is usually allowed.

IN and OUT are confusing.

Hope it helps,

Masoud

Hi 1mfarberg,

I'm sorry, I misunderstood what you were trying to do. I don't normally use the 2960s for L3 routing; their routing capabilities are very limited, only static. But it sounds like you are doing SVIs on the 2960 and you are trying to deny traffic to interface vlan1200 from any other SVI? See if this works for you. The 192 networks in the ACL are random, but you can substitute what you actually need.

ip access-list extended acl_vlan1200_in
 deny ip 192.168.1.0 0.0.0.255 any
 deny ip 192.168.2.0 0.0.0.255 any
 permit ip any any

interface vlan1200
 ip address 10.1.20.1 255.255.255.0
 ip access-group acl_vlan1200_in out

Iulian Vaideanu (Level 4)

If you need to completely isolate hosts in vlan1200 from anything other than themselves, just delete interface vlan1200.  If you really want to use the access-list, try applying it on "out" instead of "in"...
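The direction question running through this thread (why the original "in" ACL never reaches its deny line, and why the replies say to apply it "out") can be checked with a small model of IOS ACL semantics: wildcard-mask matching, first-match evaluation with the implicit deny, and which packets an SVI ACL actually sees in each direction. This is an added example, not configuration or code from the thread; the outsider address 192.168.1.5 is a constructed value.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care'; 'any' is 0.0.0.0 255.255.255.255."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a & ~w) & 0xFFFFFFFF) == ((b & ~w) & 0xFFFFFFFF)

def parse_ace(line):
    """Parse 'permit|deny ip <src> <wc>|any <dst> <wc>|any' (the plain 'ip' form from the thread)."""
    tokens = line.split()
    action, rest = tokens[0], tokens[2:]          # tokens[1] is the protocol, 'ip' here

    def take(t):                                   # one address/wildcard pair or 'any'
        return (("0.0.0.0", "255.255.255.255"), t[1:]) if t[0] == "any" else ((t[0], t[1]), t[2:])

    src, rest = take(rest)
    dst, rest = take(rest)
    return {"action": action, "src": src, "dst": dst}

def evaluate(acl, src_ip, dst_ip):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src_ip, *ace["src"]) and wildcard_match(dst_ip, *ace["dst"]):
            return ace["action"]
    return "deny"

def svi_decision(acl, direction, src_ip, dst_ip, svi_net="10.1.20.0/24"):
    """An 'in' ACL on the SVI only sees packets arriving FROM hosts in that VLAN
    (being routed out of it); an 'out' ACL only sees packets routed INTO the VLAN."""
    net = ipaddress.ip_network(svi_net)
    leaving = ipaddress.ip_address(src_ip) in net
    entering = ipaddress.ip_address(dst_ip) in net
    if (direction == "in" and leaving) or (direction == "out" and entering):
        return evaluate(acl, src_ip, dst_ip)
    return "not evaluated"      # the ACL in that direction never sees this packet

# The poster's acl_vlan1200_in, as written
OP_ACL = [parse_ace(l) for l in ("permit ip 10.1.20.0 0.0.0.255 any", "deny ip any any")]

def demo():
    outsider, inside = "192.168.1.5", "10.1.20.7"   # constructed hosts in another VLAN / VLAN 1200
    return {
        "in:outsider->vlan1200": svi_decision(OP_ACL, "in", outsider, inside),   # never checked
        "in:vlan1200->outsider": svi_decision(OP_ACL, "in", inside, outsider),   # always permit
        "out:outsider->vlan1200": svi_decision(OP_ACL, "out", outsider, inside), # hits the deny
    }
```

Run `demo()`: every packet the inbound ACL can see is sourced from 10.1.20.0/24, so the first line always matches and the deny is dead; the same two lines applied "out" block the cross-VLAN traffic the poster wanted stopped.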