07-26-2017 05:58 AM - edited 03-08-2019 11:29 AM
I want to apply an ACL to a couple of VLANs in my network of Catalyst 3750 switches (operating in layer 3 / IP routing mode). One point on which I am not clear is whether I need to create and apply the ACL on each switch, or whether I can create it on the VLAN server switch and expect it to propagate across the switch network.
07-26-2017 06:07 AM
ACLs do not propagate. ACLs are local to that switch/vlan. When you apply an ACL to a vlan, it basically blocks or allows communication to and from that vlan.
HTH
07-26-2017 06:16 AM
Thanks! I'll break out the cut-and-paste.
07-26-2017 06:55 AM
Depending on what your ACLs do, generally you only need to ensure traffic is subjected to them just once.
07-26-2017 07:34 AM
The VLANs in question are for restricted Wi-Fi connections. The intent is to block traffic from IPs on those VLANs going to any internal (or VPN connected) resources other than the DHCP server and our edge ASA for egress.
My intent is to put a couple of IP "permits" to the intended DHCP and ASA IPs, a "deny" to the rest of the internal and VPN IPs, and then a permit all. ACL to be applied to the "out" path from the VLAN I want to isolate.
Because the wireless APs involved may be connected to any switch in the network, I'm assuming that I would need the same logic on all the switches. I'm looking at whether the Wi-Fi infrastructure can handle this natively, but want to make sure I have a fallback.
Does that sound as if I'm off track?
07-26-2017 08:27 AM
"Off track", maybe not, but you can sometimes make trade-offs in where ACLs are installed for "network" efficiency vs. "management" efficiency.
I.e. you can sometimes trade off where you place an ACL to minimize the number of places you need to use it vs. having it placed to drop packets ASAP.
For example, say you have multiple VLANs that can source a particular class of traffic you wish to block, but all that VLAN traffic will egress on one interface. You could have an ingress ACL on each VLAN or you could have an egress ACL on the egress interface. The former is more "network" efficient in that it blocks the traffic ASAP but the latter means you only need to maintain one interface ACL application.
07-26-2017 09:06 AM
I think I grasp what you are saying. Let me run out a slightly detailed "what if" and see if I'm getting it right...
Say I have VLAN 1, 10 and 20, with IP ranges of 10.0.1.x, 10.4.1.x and 10.4.7.x respectively. These are configured on two switches, A & B.
Hosts in any of the 3 VLANs may be attached to EITHER switch. I want VLAN 20 to talk to an ASA and a DHCP server that happen to be on Switch A, but no other hosts on my network.
In that case, I would need the block from 10.4.7.x to 10.x.x.x on both switches, would I not? Otherwise, if the ACL were only on switch A, a host on VLAN 20 on switch B would be able to talk to a host on VLAN 10 on that same switch.
07-26-2017 09:20 AM
Ok, you could have an ACL on the VLAN 20 gateway(s) controlling ingress and/or egress, conversely you might have an ACL on other VLANs controlling VLAN 20 for ingress and/or egress, or you might have an ACL on all VLANs controlling VLAN 20 for ingress and/or egress. Or, you might have VLAN 20 set up as a private VLAN allowing access to the ports for the ASA and DHCP server.
07-26-2017 10:19 AM
In that case, I would need the block from 10.4.7.x to 10.x.x.x on both switches, would I not?
No, when a host in vlan 20 needs to communicate with a host in vlan 10, the traffic will need to go from that host to its default gateway (the vlan 20 SVI) and then to the vlan 10 SVI and the host in vlan 10. So, you only need to apply the ACL, say, to the vlan 20 interface (SVI) to allow or block traffic from or to it.
HTH
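Putting the ACL described earlier in the thread (permit the DHCP server and the ASA, deny the rest of the internal and VPN space, then permit everything else) on the VLAN 20 SVI, as the last reply suggests. This is an added example, not configuration posted by anyone in the thread. The ACL name, the DHCP server address 10.0.1.10, the ASA inside address 10.0.1.254 and the SVI address 10.4.7.1 are assumptions; only the 10.4.7.0/24 range for VLAN 20 and the 10.x.x.x internal space come from the thread. Two points worth noting: traffic sourced by hosts in VLAN 20 arrives inbound on the SVI, so what the original poster calls the "out" path from the VLAN is the `in` direction of `ip access-group` on interface Vlan20; and because a DHCP DISCOVER is a broadcast relayed by `ip helper-address`, it must be permitted explicitly or clients never get a lease.

```cisco
! Added example, not from the thread. Addresses other than 10.4.7.0/24 and
! 10.0.0.0/8 are hypothetical; substitute your DHCP server and ASA inside IP.
ip access-list extended WIFI-RESTRICT-IN
 remark DHCP DISCOVER/REQUEST are broadcasts (0.0.0.0 -> 255.255.255.255) that
 remark hit this ACL before ip helper-address relays them; permit them first.
 permit udp any eq bootpc any eq bootps
 remark Allowed internal destinations: DHCP server (unicast renewals) and ASA.
 permit ip 10.4.7.0 0.0.0.255 host 10.0.1.10
 permit ip 10.4.7.0 0.0.0.255 host 10.0.1.254
 remark Everything else inside 10.0.0.0/8 (other VLANs, VPN clients) is denied.
 remark If VPN pools live outside 10/8, add a deny line for each of them here.
 deny   ip 10.4.7.0 0.0.0.255 10.0.0.0 0.255.255.255
 remark Anything left is Internet-bound and will be routed to the ASA.
 permit ip any any
!
! Apply on the VLAN 20 gateway SVI of whichever switch routes for VLAN 20.
! Hosts' packets enter the router on this SVI, hence direction "in".
interface Vlan20
 ip address 10.4.7.1 255.255.255.0
 ip helper-address 10.0.1.10
 ip access-group WIFI-RESTRICT-IN in
!
! Verification: confirm the ACL is bound and watch the per-ACE hit counters
! while a VLAN 20 client obtains a lease and then tries an internal host.
! show ip interface Vlan20 | include access list
! show ip access-lists WIFI-RESTRICT-IN
```

Two caveats a reviewer would raise. First, a router ACL on the SVI only sees routed traffic: two Wi-Fi clients in VLAN 20 can still talk to each other at layer 2, and if another switch also carries an active VLAN 20 gateway SVI, the same ACL has to be applied there too. Isolating clients from each other needs a VLAN access-map or the private VLAN option mentioned above. Second, on the 3750 the hit counters on `show ip access-lists` only count software-switched packets, so do not expect them to reflect every hardware-forwarded match; a test from a client against a denied address is the reliable check.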