10-20-2014 11:18 AM - edited 03-07-2019 09:11 PM
Hello
I need two things.
I get the first point, but I can't see computers between VLANs 13 and 14.
This is my configuration:
!
interface Vlan11
ip address 30.20.12.1 255.255.255.0
!
interface Vlan12
description *** vlan whit internet access ***
ip address 30.20.20.1 255.255.255.0
!
interface Vlan13
description *** Switch vlan ****
ip address 192.168.31.1 255.255.255.0
ip access-group 100 in
!
interface Vlan14
description *** network admin ***
ip address 30.30.30.1 255.255.255.0
ip access-group 101 in
!
!
access-list 100 permit ip 30.30.30.0 0.0.0.255 192.168.31.0 0.0.0.255
access-list 101 permit ip 192.168.31.0 0.0.0.255 30.30.30.0 0.0.0.255
!
I know other ways, but I want to avoid making access lists that need modification every time I add a new VLAN interface, and I want to filter only the incoming traffic to VLANs 13 and 14, not the outgoing traffic of each VLAN. I need the "best practice" for this scenario.
Best regards!!!
10-20-2014 12:00 PM
Using a router ACL on an SVI is a little tricky.
In your case, just change "in" to "out" on both of your interfaces. Your problem will be solved.
!
interface Vlan13
description *** Switch vlan ****
ip address 192.168.31.1 255.255.255.0
ip access-group 100 OUT
!
interface Vlan14
description *** network admin ***
ip address 30.30.30.1 255.255.255.0
ip access-group 101 OUT
!
Anyway, using a VLAN ACL is the more efficient way.
Rgrds
10-20-2014 11:40 AM
I think your best bet is to deny the traffic before it's processed by the router, so you save CPU resources by denying it on the inside of VLANs 11 and 12:
interface Vlan11
ip address 30.20.12.1 255.255.255.0
ip access-group 100 in
interface Vlan12
ip address 30.20.20.1 255.255.255.0
ip access-group 101 in
interface Vlan13
ip address 192.168.31.1 255.255.255.0
interface Vlan14
ip address 30.30.30.1 255.255.255.0
! Extended ACLs take wildcard masks (0.0.0.255), not subnet masks, and the
! source should be the network address (30.20.12.0), not the SVI address.
access-list 100 deny ip 30.20.12.0 0.0.0.255 192.168.31.0 0.0.0.255
access-list 100 deny ip 30.20.12.0 0.0.0.255 30.30.30.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 deny ip 30.20.20.0 0.0.0.255 192.168.31.0 0.0.0.255
access-list 101 deny ip 30.20.20.0 0.0.0.255 30.30.30.0 0.0.0.255
access-list 101 permit ip any any
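To make the two answers above concrete, here is a small Python model of how IOS applies an `ip access-group` to an SVI: an "in" list filters packets arriving from hosts inside that VLAN, an "out" list filters packets the switch forwards toward hosts inside that VLAN, and an unmatched packet hits the implicit `deny ip any any`. It runs the OP's two ACL lines against both the original ("in") and the accepted ("out") bindings, and it also flags a subnet mask typed where IOS expects a wildcard mask, the slip that appears in ACL-by-hand replies like the one just above. This is an added example, not code from the thread or from Cisco; the subnets, bindings and sample flows are constructed from the configuration posted in the thread, and the function and variable names are my own.

```python
"""Toy model of an IOS extended ACL applied to an SVI (added example)."""
import ipaddress

# The OP's SVIs reduced to their subnets (constructed from the posted config).
SVIS = {
    "Vlan11": ("30.20.12.0", "255.255.255.0"),
    "Vlan12": ("30.20.20.0", "255.255.255.0"),
    "Vlan13": ("192.168.31.0", "255.255.255.0"),
    "Vlan14": ("30.30.30.0", "255.255.255.0"),
}

# The two ACL lines exactly as the OP posted them.
ACL_TEXT = """
access-list 100 permit ip 30.30.30.0 0.0.0.255 192.168.31.0 0.0.0.255
access-list 101 permit ip 192.168.31.0 0.0.0.255 30.30.30.0 0.0.0.255
"""

ORIGINAL_BINDINGS = {"Vlan13": {"in": 100}, "Vlan14": {"in": 101}}    # OP's config
ACCEPTED_BINDINGS = {"Vlan13": {"out": 100}, "Vlan14": {"out": 101}}  # accepted answer


def _int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(base) & care)


def looks_like_subnet_mask(wildcard):
    """Flag a contiguous high-bit mask (255.255.255.0 style) where IOS expects a
    wildcard (0.0.0.255 style). 0.0.0.0 (host) and 255.255.255.255 ('any')
    are legitimate wildcards and are not flagged."""
    m = _int(wildcard)
    inv = ~m & 0xFFFFFFFF
    return m != 0 and inv != 0 and (inv & (inv + 1)) == 0


def _address(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_acls(text):
    """Return ({number: [(action, src, src_wc, dst, dst_wc), ...]}, warnings)."""
    acls, warnings = {}, []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue  # only 'access-list N permit|deny ip ...' is modelled here
        src, src_wc, i = _address(t, 4)
        dst, dst_wc, _ = _address(t, i)
        for wc in (src_wc, dst_wc):
            if looks_like_subnet_mask(wc):
                warnings.append(f"{line!r}: {wc} looks like a subnet mask, not a wildcard")
        acls.setdefault(int(t[1]), []).append((t[2], src, src_wc, dst, dst_wc))
    return acls, warnings


def evaluate(entries, src, dst):
    """First match wins; every ACL ends with an implicit 'deny ip any any'."""
    for action, s, s_wc, d, d_wc in entries:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"


def svi_for(addr):
    return next(name for name, (net, mask) in SVIS.items()
                if ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}"))


def route(src, dst, bindings, acl_text=ACL_TEXT):
    """'in' on the ingress SVI sees packets from that VLAN's hosts; 'out' on the
    egress SVI sees packets being forwarded toward that VLAN's hosts."""
    acls, _ = parse_acls(acl_text)
    for svi, direction in ((svi_for(src), "in"), (svi_for(dst), "out")):
        number = bindings.get(svi, {}).get(direction)
        if number is not None and evaluate(acls[number], src, dst) == "deny":
            return f"dropped by {number} {direction} on {svi}"
    return "forwarded"


if __name__ == "__main__":
    flows = (("192.168.31.10", "30.30.30.10"), ("30.30.30.10", "192.168.31.10"),
             ("30.20.12.10", "192.168.31.10"))  # constructed sample hosts
    for label, b in (("original (in)", ORIGINAL_BINDINGS), ("accepted (out)", ACCEPTED_BINDINGS)):
        print(label)
        for s, d in flows:
            print(f"  {s} -> {d}: {route(s, d, b)}")
    # Constructed line with the common mask slip, to show the check firing.
    _, warns = parse_acls("access-list 102 deny ip 30.20.12.0 255.255.255.0 192.168.31.0 0.0.0.255")
    print(*warns, sep="\n")
```

With the OP's "in" bindings, every packet sourced from VLAN 13 or 14 is evaluated against an entry whose source network is the other VLAN, so nothing matches and the implicit deny drops all of it, which is exactly the "can't see computers" symptom. With "out", the same two lines permit only VLAN 14 into VLAN 13 and only VLAN 13 into VLAN 14, and anything else (here a host in VLAN 11) is dropped at the egress SVI.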
10-20-2014 08:04 PM
Thanks Houtan H Larijani, I solved the issue. As you say, "just change in by out". Now I am going to try to understand why inbound traffic is the out ACL and vice versa.
One more question:
Is this solution the most CPU cost-effective?
regards
10-20-2014 09:57 PM
CPU usage is directly related to your ACL size and where it's going to be processed.
Most ACL features are processed in hardware, but some features are processed in software; based on your supervisor model, you have to check whether any of these apply.
Anyway, this is usually negligible for a switch with low utilization.
Rgrds