network770
Beginner

denying access to a vlan

I have 3 3750's (not stacked, they are at different floors) with a total of 60 user vlans all together, we are trying to allow each vlan to the internet and block access to any other vlan.

so say

vlan2 : 192.168.2.0/24

vlan3 : 192.168.3.0/24

...

...

vlan61 : 192.168.61.0/24

what would the access lists look like?

if I understand this correctly, this would take 100's of acls to achieve?

9 REPLIES
Jon Marshall
Hall of Fame Guru

network770 wrote:

I have 3 3750's (not stacked, they are at different floors) with a total of 60 user vlans all together, we are trying to allow each vlan to the internet and block access to any other vlan.

so say

vlan2 : 192.168.2.0/24

vlan3 : 192.168.3.0/24

...

...

vlan61 : 192.168.61.0/24

what would the access lists look like?

if I understand this correctly, this would take 100's of acls to achieve?

it would take 60 acls but each acl would need 60 entries unless you can summarise. Each acl would look like eg.

vlan 10 = 192.168.5.0/24

vlan 11 = 192.168.6.0/24

vlan 12 = 192.168.7.0/24

etc...

access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255

etc.. for each of the other vlan subnets

access-list 101 permit ip 192.168.5.0 0.0.0.255 any

int vlan 10

ip access-group 101 in

and then you need to do the same for all the other vlans.

As you can see, a lot of work. One shortcut however would be to rely on the fact that the internet uses public addressing and you are very likely using private addressing. So let's say you are using 192.168.0.0 addressing (although the same applies to 172.16 -> 31.x.x and 10.x.x.x addressing); your acl for each vlan would be -

access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.255.255

access-list 101 permit ip 192.168.5.0 0.0.0.255 any

int vlan 10

ip access-group 101 in

as you can see the acl is a lot shorter but you still need to write out 60 acls one for each vlan.

Jon
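
Since the work Jon describes is repetitive, here is a small generator for the two variants of his per-vlan acl (the full deny-every-other-vlan matrix, and the shortcut that denies the whole private range). This is an added example, not code from the thread or from Cisco. It assumes the OP's numbering scheme (vlan n = 192.168.n.0/24, n = 2..61, a constructed sample), numbers the acls 100 upwards, and adds one thing the thread does not mention: an optional list of internal hosts (DNS, DHCP relay target, ...) that each vlan must still reach, permitted before the private-range deny, because the shortcut would otherwise cut every vlan off from every internal server as well.

```python
"""Generate per-VLAN inter-VLAN isolation ACLs in IOS syntax.

Added example, not from the thread. Two options, as in Jon's reply:
  1. full matrix: one ACL per VLAN, one deny line per other VLAN
  2. shortcut: deny the private (RFC 1918) ranges, then permit any
"""
import ipaddress

# Constructed sample following the OP's scheme: VLAN n -> 192.168.n.0/24, n = 2..61
VLANS = {n: ipaddress.ip_network(f"192.168.{n}.0/24") for n in range(2, 62)}

# Private ranges denied by the shortcut; a site using only 192.168/16 can pass just that one
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def _net(x):
    """Accept either a string or an ip_network object."""
    return ipaddress.ip_network(str(x))


def wildcard(net):
    """Render 'address wildcard' in IOS form, e.g. 192.168.5.0 0.0.0.255."""
    net = _net(net)
    return f"{net.network_address} {net.hostmask}"


def full_matrix_acl(vlan, acl_number, vlans=VLANS):
    """Option 1: explicit deny to every other VLAN subnet, then permit to anywhere."""
    src = vlans[vlan]
    lines = [f"access-list {acl_number} deny ip {wildcard(src)} {wildcard(dst)}"
             for v, dst in sorted(vlans.items()) if v != vlan]
    lines.append(f"access-list {acl_number} permit ip {wildcard(src)} any")
    return lines


def shortcut_acl(vlan, acl_number, vlans=VLANS, allowed_internal=(), private=RFC1918):
    """Option 2: deny the private ranges, permit everything else.

    allowed_internal (hypothetical extension, not in the thread): internal
    servers this VLAN must still reach. They are permitted first because the
    ACL is evaluated top-down and the first match wins.
    """
    src = vlans[vlan]
    lines = [f"access-list {acl_number} permit ip {wildcard(src)} {wildcard(a)}"
             for a in allowed_internal]
    lines += [f"access-list {acl_number} deny ip {wildcard(src)} {wildcard(p)}"
              for p in private]
    lines.append(f"access-list {acl_number} permit ip {wildcard(src)} any")
    return lines


def render(vlans=VLANS, shortcut=True, base_acl=100, allowed_internal=()):
    """Whole config: one numbered ACL per VLAN plus its inbound binding on the SVI."""
    out = []
    for i, vlan in enumerate(sorted(vlans)):
        acl = base_acl + i          # 100..159 stays inside the extended range
        if shortcut:
            out += shortcut_acl(vlan, acl, vlans, allowed_internal)
        else:
            out += full_matrix_acl(vlan, acl, vlans)
        out += [f"interface vlan {vlan}", f" ip access-group {acl} in", "!"]
    return out


if __name__ == "__main__":
    # Constructed example: 192.168.1.10 stands in for an internal DNS server
    print("\n".join(render(shortcut=True, allowed_internal=["192.168.1.10/32"])))
```

Paste the output into the config of whichever 3750 routes that vlan; the inbound acl on each SVI only sees traffic entering from that vlan, so every vlan needs its own copy, which is exactly why the count stays at 60 acls even with the shortcut.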

hobbe
Rising star

Hi

I am not sure that setting up ACLs is the right way to "secure" the endstations.

Even if you manage to make access-lists that cover most scenarios, you still will not block netbios, ipx/spx and so on; the only thing that gets blocked is IP.

If I were you I would take a look at private vlan instead.

Good luck

HTH

hobbe wrote:

Hi

I am not sure that setting up ACLs is the right way to "secure" the endstations.

Even if you manage to make access-lists that cover most scenarios, you still will not block netbios, ipx/spx and so on; the only thing that gets blocked is IP.

If I were you I would take a look at private vlan instead.

Good luck

HTH

Hmmm, but netbios is broadcast based so it won't go between vlans unless you run netbios over IP in which case the acl will work. IPX will only go between vlans if you enable IPX routing and the OP made no mention of IPX.

Jon

Would a vlan acl work?

ie:

vlan access-map VLAN-MAP 10
action drop
match ip address DENY-INTERNAL
vlan access-map VLAN-MAP 20
action forward
match ip address INTERNET
!
vlan filter VLAN-MAP vlan-list 10-30

!

ip access-list standard INTERNET
permit any
!
ip access-list extended DENY-INTERNAL
permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255

Yes it could work but to restrict traffic between vlans it is more standard to simply use acls on the L3 vlan interfaces.

Jon

Jon you are absolutely correct.

For some reason I was thinking he wanted to use the same vlan, just an acl to block IP addresses within that vlan.

My mistake.

Sorry!

You can disregard my posting above.

No problem and no need to apologise. You should see some of the posts I have done in the past after misreading the question.

Here is my access-list

Extended IP access list 102

    10 deny ip 172.16.0.0 0.0.0.255 172.0.0.0 0.255.255.255 (32 matches)

    11 deny ip 172.16.0.0 0.0.0.255 192.0.0.0 0.255.255.255

    12 deny ip 172.16.0.0 0.0.0.255 172.17.0.0 0.0.255.255

    20 permit ip 172.16.0.0 0.0.0.255 any

I am unable to ping any of the 172.16.X.0 segments from 172.16.0.1, but I am able to ping 172.17.X.0; shouldn't the first line cover it, as it is a /8?

I am also able to ping 192 segments, and I am noticing that in both cases the acl counter is not incrementing.

As you recommended, I have the acl applied on the vlan interface, incoming.

Steven Tolzmann
Beginner

I suggest summarization

access-list 100 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

access-list 100 permit ip any any

interface **

ip access-group 100 out

Should be do-able with only one ACL.
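
To check what the two acls posted in this thread actually match, here is a small first-match evaluator for IOS wildcard-mask acls. It is an added example, not code from the thread or from Cisco; it parses only plain permit/deny ip entries with "any" or address/wildcard pairs (the "access-list N" prefix and the sequence numbers and match counts of "show access-lists" output are skipped), and the addresses it tests with (172.16.0.5, 172.17.1.1, 203.0.113.9 and so on) are constructed samples. Run over the "Extended IP access list 102" output above, it shows that line 10 does cover 172.17.x.x, since 0.255.255.255 is the wildcard of a /8, so a ping that still succeeds while the counter stays at zero is a packet that never passed through the acl at all. One common cause, assuming 172.16.0.1 is the switch's own SVI address, is that packets the switch itself originates are never evaluated by an inbound acl on that interface; test from a host on the vlan instead. The same evaluator run over Steven's single summarised acl 100 shows the private-to-private deny and the internet permit it relies on.

```python
"""First-match evaluator for IOS wildcard-mask ACLs (added example, not from the thread).

Handles 'permit|deny ip <src> <dst>' where each endpoint is 'any' or
'<address> <wildcard>'. Everything else on a line is ignored.
"""
import ipaddress


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def prefix_len(wild):
    """Equivalent prefix length of a contiguous wildcard (None if not contiguous)."""
    w = _ip(wild)
    return 32 - w.bit_length() if (w + 1) & w == 0 else None


def parse_endpoint(tokens):
    """Consume 'any' or 'addr wildcard'; return (remaining tokens, (addr, care_bits))."""
    if tokens[0] == "any":
        return tokens[1:], (0, 0)
    care = 0xFFFFFFFF ^ _ip(tokens[1])          # wildcard 0-bits are the bits that must match
    return tokens[2:], (_ip(tokens[0]), care)


def parse_acl(text):
    """Parse 'show access-lists' output or 'access-list N ...' config lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"]:          # config form: access-list 100 deny ip ...
            tok = tok[2:]
        elif tok and tok[0].isdigit():          # show form: '10 deny ip ...'
            tok = tok[1:]
        if tok[:2] in (["permit", "ip"], ["deny", "ip"]):
            rest, src = parse_endpoint(tok[2:])
            rest, dst = parse_endpoint(rest)
            entries.append((tok[0], src, dst, line.strip()))
    return entries


def _matches(endpoint, ip):
    addr, care = endpoint
    return (_ip(ip) & care) == (addr & care)


def evaluate(entries, src_ip, dst_ip):
    """Return (action, matching entry text); unmatched traffic hits the implicit deny."""
    for action, src, dst, text in entries:
        if _matches(src, src_ip) and _matches(dst, dst_ip):
            return action, text
    return "deny", "implicit deny"


# The poster's ACL, copied from the thread (constructed test flows are below)
ACL_102 = parse_acl("""
Extended IP access list 102
    10 deny ip 172.16.0.0 0.0.0.255 172.0.0.0 0.255.255.255 (32 matches)
    11 deny ip 172.16.0.0 0.0.0.255 192.0.0.0 0.255.255.255
    12 deny ip 172.16.0.0 0.0.0.255 172.17.0.0 0.0.255.255
    20 permit ip 172.16.0.0 0.0.0.255 any
""")

# Steven's summarised ACL, applied outbound on every SVI
ACL_100 = parse_acl("""
access-list 100 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 100 permit ip any any
""")

if __name__ == "__main__":
    print("0.255.255.255 is a /%s, 0.0.255.255 is a /%s"
          % (prefix_len("0.255.255.255"), prefix_len("0.0.255.255")))
    # Constructed flows: a host on 172.16.0.0/24 pinging another private VLAN and the internet
    for flow in [("172.16.0.5", "172.17.1.1"), ("172.16.0.5", "203.0.113.9")]:
        print("ACL 102", flow, "->", evaluate(ACL_102, *flow))
    # Outbound on the 192.168.5.0/24 SVI: another VLAN's host vs. an internet reply
    for flow in [("192.168.7.10", "192.168.5.10"), ("203.0.113.9", "192.168.5.10")]:
        print("ACL 100", flow, "->", evaluate(ACL_100, *flow))
```

If the evaluator says "deny" for a flow that still gets through on the switch, the acl is not in the path of that traffic: check which SVI the packet really enters, that the acl is bound with "ip access-group ... in" on that SVI, and that the test host is not the switch itself.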