03-19-2012 05:39 AM - edited 03-07-2019 05:38 AM
OK, so I've got multiple VLANs on a L3 switch and I basically want to use a VLAN access list in order to block communication between each of the VLANs, except one which will provide internet connectivity (there may be a better way to do it?).
Basically this is what I have:
ip access-list extended PermitGateway
##permit ip 10.8.4.0 0.0.0.7 host 10.8.4.1
permit ip 10.8.4.0 0.0.0.7 host (IP of router in different VLAN)
vlan access-map Internet 10
match ip address PermitGateway
action forward
I then assign this to the VLAN with the network 10.8.4.0/29.
The line that I have hashed out: I realised that that meant it could send the traffic to any VLAN, as that is saying allow traffic through the default gateway of the VLAN?
In writing this, my thought is that I've got to write a list of subnet destinations to deny (which is quite a lot) rather than just permitting traffic to the one IP, as to get there it must have already left the VLAN via the default gateway?
I'm a bit rusty, so I appreciate the advice.
03-19-2012 08:56 AM
Hey James,
VACLs are primarily used when you are trying to permit/deny traffic inside of a VLAN (deny host 1 in VLAN 10 to host 2 in VLAN 10). For your purposes, it would seem a standard ACL applied to the Layer 3 interfaces would work just fine to block communications between the VLANs.
You do not need to allow traffic to the default gateway, because the destination IP address in these packets is not the default gateway address; it is that of the end device.
Think about the packet headers: this is what the ACL is making a match on (source address and destination address), not the intermediate devices. Allowing the packet to reach the gateway IP address means the host can directly reach the default gateway; it doesn't mean that it can reach any host that the gateway can route to.
03-19-2012 09:13 AM
Thanks for your reply, Kyle! Yes, I realised I was having some kind of mental breakdown on some of the basics there.
Anyway, after discovering that I could accomplish this with ACLs, I had a go at setting up a basic ACL on one of the SVIs to test, and for some reason I could still ping a host I blocked?!?!
The access list:
access-list 101 deny ip 10.8.4.8 0.0.0.7 any
access-list 101 permit ip any any
!
interface Vlan 102
 ip address 10.8.4.9 255.255.255.248
!
interface Vlan 101
 ip address 10.8.4.1 255.255.255.248
 ip access-group 101 in
OK, so that says to me any traffic coming from 102 should be blocked?
I configured a client on VLAN 101 and I was able to ping 10.8.4.9, which should not have been the case?
03-19-2012 09:24 AM
The access list:
access-list 101 deny ip 10.8.4.8 0.0.0.7 any
access-list 101 permit ip any any
Should be:
The access list:
access-list 101 deny ip 10.8.4.0 0.0.0.7 any
access-list 101 permit ip any any
03-19-2012 01:13 PM
OK, FINALLY got this sorted. I don't know why I was having so many issues; I think I'd left some conflicting ACLs in there from previous attempts or something.
Anyway, my final rule is as follows:
access-list 101 remark I've got a lot of subnets to block
access-list 101 deny ip any 10.8.0.0 0.0.255.255
access-list 101 permit ip any any
Then on the interfaces:
ip access-group 101 in
I think I had messed up my knowledge of the in/out when specifying on the interface! Am I right in thinking that "in" means traffic coming in to the interface, not "out"? That would seem to be the case, else my rule would block internet access.
03-19-2012 02:39 PM
Hi James,
Glad you were able to get your problem solved. Just remember that the first network address or IP of your ACL is the source address/network and the second is the destination; I believe that is what you were mixing up with your first ACL.
In does generally mean in, and out does generally mean out. However, SVIs can often confuse the best of us.
Kyle
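As an added example, not part of the thread above, here is a small evaluator for IOS-style extended ACLs (wildcard masks, first match wins, implicit deny at the end) run against the three lists that appear in the thread: the hashed-out VACL gateway line, the first SVI attempt, and the final rule. It models only the IP match, not the VACL forward/drop action or the platform's handling of the ACL. The source host 10.8.4.2, the other-VLAN host 10.8.5.5 and the internet address 198.51.100.10 are constructed for illustration and do not come from the posts.

```python
# Added example: evaluator for IOS-style extended ACL entries (ip only).
# Sample addresses 10.8.4.2, 10.8.5.5 and 198.51.100.10 are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus source/destination address and wildcard."""
    action: str      # "permit" or "deny"
    src: int         # network address as a 32-bit int
    src_wild: int    # wildcard mask: 0 bit = must match, 1 bit = don't care
    dst: int
    dst_wild: int


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i].
    Returns (address, wildcard, index of the next token)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tok)),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def parse_acl(text):
    """Parse numbered ('access-list N ...') or named ('permit ip ...') entries.
    Remarks, '!' comments and the 'ip access-list extended NAME' header are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("!", "ip"):
            continue
        if tokens[0] == "access-list":
            tokens = tokens[2:]              # drop 'access-list <number>'
        if tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError("unsupported ACE: " + line)
        src, src_wild, i = _parse_addr(tokens, 2)
        dst, dst_wild, _ = _parse_addr(tokens, i)
        aces.append(Ace(action, src, src_wild, dst, dst_wild))
    return aces


def _wild_match(addr, net, wild):
    # Bits that are 0 in the wildcard must be equal; bits that are 1 are ignored.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(aces, src_ip, dst_ip):
    """First matching entry wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for ace in aces:
        if _wild_match(s, ace.src, ace.src_wild) and _wild_match(d, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"


# The hashed-out VACL line, uncommented here to show what it actually permits.
GATEWAY_ONLY = """
ip access-list extended PermitGateway
 permit ip 10.8.4.0 0.0.0.7 host 10.8.4.1
"""

# First SVI attempt: the source network is VLAN 102's, but the list was applied
# inbound on VLAN 101, where sources are 10.8.4.0/29.
FIRST_ATTEMPT = """
access-list 101 deny ip 10.8.4.8 0.0.0.7 any
access-list 101 permit ip any any
"""

# Final rule: deny everything towards the 10.8.0.0/16 VLAN space, permit the rest.
FINAL = """
access-list 101 remark block the other 10.8.x.x VLANs, leave internet alone
access-list 101 deny ip any 10.8.0.0 0.0.255.255
access-list 101 permit ip any any
"""


def thread_cases():
    """Packets from a VLAN 101 host (10.8.4.2, constructed) as seen by an inbound
    ACL on that VLAN's SVI, i.e. traffic entering the switch from the VLAN.
    Returns {(list name, packet name): verdict}."""
    lists = {"gateway_only": parse_acl(GATEWAY_ONLY),
             "first_attempt": parse_acl(FIRST_ATTEMPT),
             "final": parse_acl(FINAL)}
    packets = {"to_gateway": "10.8.4.1",        # the SVI address itself
               "to_vlan102": "10.8.4.9",        # the host pinged in the thread
               "to_other_vlan": "10.8.5.5",     # constructed
               "to_internet": "198.51.100.10"}  # constructed (TEST-NET-2)
    return {(name, pkt): evaluate(acl, "10.8.4.2", dst)
            for name, acl in lists.items() for pkt, dst in packets.items()}


if __name__ == "__main__":
    for (name, pkt), verdict in sorted(thread_cases().items()):
        print(f"{name:14} {pkt:14} {verdict}")
```

Three things fall out of the run. The gateway-only list permits a packet addressed to 10.8.4.1 but implicitly denies one addressed to 10.8.5.5, because the routed packet carries the end host's address, not the gateway's; that is the point made in the first reply. The first attempt permits 10.8.4.2 to 10.8.4.9, since the source 10.8.4.2 does not fall inside 10.8.4.8 0.0.0.7, which is why the ping still worked. The final list denies the inter-VLAN packets and permits the internet one, but it also matches a packet to 10.8.4.1 itself, as that address sits inside 10.8.0.0/16; on IOS an inbound interface ACL does filter packets addressed to the router, so pinging the gateway after applying it is a useful check.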