New To VACL's need a hand

jamessmart747
Level 1

Ok, so I've got multiple VLANs on a L3 switch and I basically want to use a VLAN Access List in order to block communication between each of the VLANs, except one which will provide internet connectivity (there may be a better way to do it?).

Basically this is what I have:

ip access-list extended PermitGateway
 ##permit ip 10.8.4.0 0.0.0.7 host 10.8.4.1
 permit ip 10.8.4.0 0.0.0.7 host (IP of router in different VLAN)

vlan access-map Internet 10
 match ip address PermitGateway
 action forward

I then assign this to the VLAN with the network 10.8.4.0/29.

The line that I have hashed out: I realised that it meant it could send the traffic to any VLAN, as that is saying allow traffic through the default gateway of the VLAN?

In writing this, my thought is that I've got to write a list of subnet destinations to deny (which is quite a lot) rather than just permitting traffic to the one IP, as to get there it must have already left the VLAN via the default gateway?

I'm a bit rusty, so I appreciate the advice.


Kyle McKay
Level 1

Hey James,

VACLs are primarily used when you are trying to permit/deny traffic inside of a VLAN (deny host 1 in VLAN 10 to host 2 in VLAN 10). For your purposes, it would seem a standard ACL applied to the Layer 3 interfaces would work just fine to block communications between the VLANs.

You do not need to allow traffic to the default gateway, because the destination IP address in these packets is not the default gateway address; it is that of the end device.

Think about the packet headers: this is what the ACL is making a match based on (source address and destination address), not the intermediate devices. Allowing the packet to reach the gateway IP address means the host can directly reach the default gateway; it doesn't mean that it can reach any host that the gateway can route to.

Thanks for your reply Kyle! Yes, I realised I was having some kind of mental breakdown of some of the basics there.

Anyway, after discovering that I could accomplish this with ACLs I had a go at setting up a basic ACL on one of the SVIs to test, and for some reason I could still ping a host I blocked?!?!

The access list:

access-list 101 deny   ip 10.8.4.8 0.0.0.7 any
access-list 101 permit ip any any

interface Vlan 102
 ip address 10.8.4.9 255.255.255.248

interface Vlan 101
 ip address 10.8.4.1 255.255.255.248
 ip access-group 101 in

Ok, so that says to me any traffic coming from 102 should be blocked?

I configured a client on Vlan 101 and I was able to ping 10.8.4.9, which should not have been the case?

The access list:

access-list 101 deny   ip 10.8.4.8 0.0.0.7 any
access-list 101 permit ip any any

Should be:

access-list 101 deny   ip 10.8.4.0 0.0.0.7 any
access-list 101 permit ip any any

jamessmart747
Level 1

Ok, FINALLY got this sorted. I don't know why I was having so many issues; I think I'd left some conflicting ACLs in there from previous attempts or something.

Anyway, my final rule is as follows:

! I've got a lot of subnets to block
access-list 101 deny ip any 10.8.0.0 0.0.255.255
access-list 101 permit ip any any

Then on the interfaces:

ip access-group 101 in

I think I had messed up my knowledge of the in / out when specifying on the interface! Am I right in thinking that "in" means traffic coming in to the interface, not "out"? That would seem to be the case, else my rule would block internet access.

Hi James,

Glad you were able to get your problem solved. Just remember that the first network address or IP of your ACL is the source address/network and the second is the destination; I believe that is what you were mixing up with your first ACL.

In does generally mean IN, and out does generally mean OUT. However, SVIs can often confuse the best of us.

Kyle
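To make the source/destination and in/out points concrete, here is an added Python model of IOS extended-ACL matching (wildcard masks, first match wins, implicit deny) run over the three ACLs posted in this thread. It is illustration code, not Cisco code or anything from the posters; the VLAN 101 host 10.8.4.2 and the internet address 8.8.8.8 are constructed values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    """One entry of an IOS numbered extended ACL (protocol 'ip' only)."""
    action: str   # "permit" or "deny"
    src: str      # base address; wildcard bit 0 = must match, bit 1 = don't care
    src_wc: str
    dst: str
    dst_wc: str

def _operand(tokens):
    """Pop one address operand: 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    kind = tokens.pop(0)
    if kind == "any":
        return "0.0.0.0", "255.255.255.255"
    if kind == "host":
        return tokens.pop(0), "0.0.0.0"
    return kind, tokens.pop(0)

def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny ip SRC DST' exactly as typed in the thread."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    rest = tokens[4:]
    src, src_wc = _operand(rest)
    dst, dst_wc = _operand(rest)
    return Ace(tokens[2], src, src_wc, dst, dst_wc)

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard comparison: only the bits that are 0 in the mask are compared."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def evaluate(acl, src: str, dst: str) -> str:
    """First matching ACE wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"
# The three ACLs from the thread, verbatim.
ORIGINAL = [parse_ace(l) for l in ["access-list 101 deny   ip 10.8.4.8 0.0.0.7 any", "access-list 101 permit ip any any"]]
CORRECTED = [parse_ace(l) for l in ["access-list 101 deny   ip 10.8.4.0 0.0.0.7 any", "access-list 101 permit ip any any"]]
FINAL = [parse_ace(l) for l in ["access-list 101 deny ip any 10.8.0.0 0.0.255.255", "access-list 101 permit ip any any"]]

def inbound_on_vlan101(acl, host: str, target: str) -> str:
    """'ip access-group 101 in' on Vlan101 sees packets entering the switch from VLAN 101 hosts:
    source = the host, destination = the far end. The SVI's own 10.8.4.1 is never in the header."""
    return evaluate(acl, src=host, dst=target)
```

Running it shows why the first attempt still let the ping through: inbound on Vlan 101 the source is always in 10.8.4.0/29, so an ACE that denies source 10.8.4.8/29 never matches there.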
