04-03-2011 10:13 AM - edited 03-06-2019 04:24 PM
I have 3 3750s (not stacked; they are on different floors) with a total of 60 user VLANs altogether. We are trying to allow each VLAN to the internet and block access to any other VLAN.
So, say:
vlan2 : 192.168.2.0/24
vlan3 : 192.168.3.0/24
...
...
vlan61 : 192.168.61.0/24
What would the access lists look like?
If I understand this correctly, this would take hundreds of ACLs to achieve?
04-03-2011 10:47 AM
network770 wrote:
I have 3 3750s (not stacked; they are on different floors) with a total of 60 user VLANs altogether. We are trying to allow each VLAN to the internet and block access to any other VLAN.
So, say:
vlan2 : 192.168.2.0/24
vlan3 : 192.168.3.0/24
...
...
vlan61 : 192.168.61.0/24
What would the access lists look like?
If I understand this correctly, this would take hundreds of ACLs to achieve?
It would take 60 ACLs, but each ACL would need 60 entries unless you can summarise. Each ACL would look like, e.g.:
vlan 10 = 192.168.5.0/24
vlan 11 = 192.168.6.0/24
vlan 12 = 192.168.7.0/24
etc...
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255
etc.. for each of the other VLAN subnets
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
int vlan 10
ip access-group 101 in
and then you need to do the same for all the other VLANs.
As you can see, a lot of work. One shortcut, however, would be to rely on the fact that the internet uses public addressing and you are very likely using private addressing. So let's say you are using 192.168.0.0 addresses (although the same applies to 172.16-31.x.x and 10.x.x.x addressing); your ACL for each VLAN would be:
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
int vlan 10
ip access-group 101 in
As you can see the ACL is a lot shorter, but you still need to write out 60 ACLs, one for each VLAN.
Jon
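Writing 60 near-identical ACLs by hand is where mistakes creep in, so the usual approach is to generate them. The script below is an added example, not code from the reply above or from Cisco; the function names, the optional shared_services parameter and the sample VLAN table are assumptions. It produces the shortcut form described above, but denies all three RFC 1918 ranges rather than only 192.168.0.0/16, so it works whichever private range the site uses. It also shows the one caveat a practitioner hits immediately: servers that every VLAN must reach (DNS, DHCP relay target, domain controllers) usually sit in private space too, so they have to be permitted before the private-range deny or the ACL cuts them off as well.

```python
"""Generate one inbound SVI ACL per user VLAN, in the shortcut form from the reply
above (deny the private ranges, then permit everything else).

Added example, not code from the original thread. The function names, the
optional shared_services parameter and the sample VLAN table are assumptions.
"""
import ipaddress

# Every other user VLAN lives in private space, so denying all three RFC 1918
# ranges blocks inter-VLAN traffic whichever range the site actually uses.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def wildcard(net):
    """Render a network in IOS 'address wildcard' form, e.g. '192.168.5.0 0.0.0.255'."""
    return f"{net.network_address} {net.hostmask}"


def build_vlan_acl(vlan_id, subnet, acl_number, shared_services=()):
    """Return the config lines for one VLAN: an extended numbered ACL plus the
    'ip access-group ... in' on its SVI. shared_services lists hosts in other
    VLANs (DNS, DHCP, AD ...) that must stay reachable; they are permitted
    before the private-range deny, otherwise that deny would cut them off too."""
    net = ipaddress.ip_network(subnet)
    lines = []
    for host in shared_services:
        lines.append(f"access-list {acl_number} permit ip {wildcard(net)} host {host}")
    for private in RFC1918:
        lines.append(f"access-list {acl_number} deny ip {wildcard(net)} {wildcard(private)}")
    # Whatever is left is public address space, i.e. the internet.
    lines.append(f"access-list {acl_number} permit ip {wildcard(net)} any")
    lines.append(f"interface Vlan{vlan_id}")
    lines.append(f" ip access-group {acl_number} in")
    return lines


def build_all(vlans, shared_services=(), first_acl=101):
    """Emit the whole configuration for a {vlan_id: subnet} table. Extended
    numbered ACLs occupy 100-199, so 60 VLANs fit starting at 101."""
    config = []
    for offset, (vlan_id, subnet) in enumerate(sorted(vlans.items())):
        acl_number = first_acl + offset
        if acl_number > 199:
            raise ValueError("more VLANs than numbered extended ACLs 100-199; use named ACLs")
        config.extend(build_vlan_acl(vlan_id, subnet, acl_number, shared_services))
        config.append("!")
    return "\n".join(config)


# Constructed VLAN table matching the question: vlan 2 -> 192.168.2.0/24 ... vlan 61.
SAMPLE_VLANS = {v: f"192.168.{v}.0/24" for v in range(2, 62)}

if __name__ == "__main__":
    print(build_all(SAMPLE_VLANS, shared_services=("192.168.100.10",)))
```

Paste the output into each switch (each 3750 only needs the SVIs it actually hosts). Because the ACL is inbound on the SVI, it never sees traffic between two hosts in the same VLAN, which is switched at layer 2; that is consistent with the goal here, since only inter-VLAN traffic is to be blocked.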
04-03-2011 12:54 PM
Hi
I am not sure that setting up ACLs is the right way to "secure" the end stations.
Even if you manage to make access lists that cover most scenarios, you still will not block NetBIOS, IPX/SPX and so on; the only thing that gets blocked is IP.
If I were you I would take a look at private VLANs instead.
Good luck
HTH
04-03-2011 12:58 PM
hobbe wrote:
Hi
I am not sure that setting up ACLs is the right way to "secure" the end stations.
Even if you manage to make access lists that cover most scenarios, you still will not block NetBIOS, IPX/SPX and so on; the only thing that gets blocked is IP.
If I were you I would take a look at private VLANs instead.
Good luck
HTH
Hmmm, but NetBIOS is broadcast based, so it won't go between VLANs unless you run NetBIOS over IP, in which case the ACL will work. IPX will only go between VLANs if you enable IPX routing, and the OP made no mention of IPX.
Jon
04-03-2011 02:36 PM
Would a VLAN ACL work?
i.e.:
vlan access-map VLAN-MAP 10
action drop
match ip address DENY-INTERNAL
vlan access-map VLAN-MAP 20
action forward
match ip address INTERNET
!
vlan filter VLAN-MAP vlan-list 10-30
!
ip access-list standard INTERNET
permit any
!
ip access-list extended DENY-INTERNAL
permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
04-03-2011 04:01 PM
Yes, it could work, but to restrict traffic between VLANs it is more standard to simply use ACLs on the L3 VLAN interfaces.
Jon
04-03-2011 02:43 PM
Jon, you are absolutely correct.
For some reason I was thinking he wanted to use the same VLAN, just an ACL to block IP addresses within that VLAN.
My mistake.
Sorry!
You can disregard my posting above.
04-04-2011 03:54 AM
No problem, and no need to apologise. You should see some of the posts I have done in the past after misreading the question.
07-17-2011 05:50 PM
Here is my access list:
Extended IP access list 102
10 deny ip 172.16.0.0 0.0.0.255 172.0.0.0 0.255.255.255 (32 matches)
11 deny ip 172.16.0.0 0.0.0.255 192.0.0.0 0.255.255.255
12 deny ip 172.16.0.0 0.0.0.255 172.17.0.0 0.0.255.255
20 permit ip 172.16.0.0 0.0.0.255 any
I am unable to ping any of the 172.16.X.0 segments from 172.16.0.1, but I am able to ping 172.17.X.0. Shouldn't the first line cover it, as it is a /8?
I am also able to ping 192 segments, and I am noticing that in both cases the ACL counter is not incrementing.
As you recommended, I have the ACL applied on the VLAN interface inbound.
07-17-2011 07:42 PM
I suggest summarization:
access-list 100 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 100 permit ip any any
interface **
ip access-group 100 out
Should be do-able with only one ACL.
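Before blaming an ACL, it helps to evaluate it offline the way the switch would: first match wins, implicit deny at the end, wildcard bits set to 1 meaning "don't care". The evaluator below is an added example, not code from the thread; parse_acl and lookup are assumed names, and it handles only the plain `ip` form with `any`, `host A.B.C.D` and `A.B.C.D WILDCARD` matchers. It is run against constructed copies of both the 172.16 ACL from the earlier question and the single summarised ACL from the reply just above. For the 172.16 ACL it confirms that line 10 already denies 172.16.0.x to 172.17.x.x (so line 12 is redundant, not missing); an ACL whose counters do not move is therefore not seeing the test packets at all. An inbound SVI ACL is consulted only for packets that enter that SVI from hosts in the VLAN; pings generated by the switch itself do not pass through it, and `show ip interface vlan <n>` shows which ACL, if any, is actually applied inbound. For the summarised ACL it shows that one list applied outbound on every SVI drops any 192.168.x to 192.168.y flow while leaving public destinations alone.

```python
"""Check an IOS-style wildcard-mask ACL against sample flows.

Added example, not from the thread. parse_acl and lookup are assumed names, and
only the plain 'ip' form with 'any', 'host A.B.C.D' and 'A.B.C.D WILDCARD'
matchers is handled (no ports, no protocols other than ip).
"""
import ipaddress
import re

MASK32 = 0xFFFFFFFF


def _parse_matcher(tokens):
    """Consume one address matcher; return (address_int, wildcard_int, rest)."""
    if tokens[0] == "any":
        return 0, MASK32, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1])), tokens[2:])


def parse_acl(text):
    """Accept either 'access-list N deny ip ...' config lines or 'show access-lists'
    output ('10 deny ip ... (32 matches)'). Returns a list of
    (seq, action, src, src_wild, dst, dst_wild) in the order the switch checks them."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = re.sub(r"\(\d+ match(es)?\)", "", raw).split()
        if not tokens or tokens[0].startswith("!"):
            continue
        # show output carries an explicit sequence number; config lines do not
        seq = int(tokens[0]) if tokens[0].isdigit() else 10 * (len(entries) + 1)
        idx = next(i for i, t in enumerate(tokens) if t in ("permit", "deny"))
        action = tokens[idx]
        if tokens[idx + 1] != "ip":
            raise ValueError(f"unsupported ACE: {raw}")
        src, src_wild, rest = _parse_matcher(tokens[idx + 2:])
        dst, dst_wild, _ = _parse_matcher(rest)
        entries.append((seq, action, src, src_wild, dst, dst_wild))
    return entries


def _covers(address, wild, packet_address):
    """True when packet_address equals address on every bit the wildcard leaves as 0."""
    return ((address ^ packet_address) & ~wild & MASK32) == 0


def lookup(entries, src_ip, dst_ip):
    """First-match-wins evaluation with the implicit deny at the end.
    Returns (action, seq); seq is None when the implicit deny fired."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for seq, action, src, src_wild, dst, dst_wild in entries:
        if _covers(src, src_wild, s) and _covers(dst, dst_wild, d):
            return action, seq
    return "deny", None


# Constructed copy of the 'show access-lists' output from the 172.16 question above.
ACL_102 = """
10 deny ip 172.16.0.0 0.0.0.255 172.0.0.0 0.255.255.255 (32 matches)
11 deny ip 172.16.0.0 0.0.0.255 192.0.0.0 0.255.255.255
12 deny ip 172.16.0.0 0.0.0.255 172.17.0.0 0.0.255.255
20 permit ip 172.16.0.0 0.0.0.255 any
"""

# Constructed copy of the single summarised ACL from the reply above.
ACL_100 = """
access-list 100 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 100 permit ip any any
"""

if __name__ == "__main__":
    acl = parse_acl(ACL_102)
    for dst in ("172.17.0.5", "192.168.1.1", "203.0.113.10"):
        print("172.16.0.5 ->", dst, lookup(acl, "172.16.0.5", dst))
```

The 203.0.113.0/24 destination is the documentation range, standing in for any public address. Note that the summarised single-ACL design is applied outbound, so it still has to be attached to each of the 60 SVIs, and because it denies 192.168/16 to 192.168/16 it must likewise carry explicit permits for any shared servers that live in private space.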