11-09-2006 07:11 AM - edited 03-05-2019 12:43 PM
Hi there,
I want to implement some ACLs on my VLANs.
These ACLs will either block all traffic from VLAN to VLAN or allow all traffic from VLAN to VLAN.
Here is what I came up with and would appreciate if anyone could advise.
Vlan 1 IP 192.168.1.1
Vlan 2 IP 192.168.2.1
Vlan 3 IP 192.168.3.1
ACL permit all traffic from VLAN 1 to VLAN 2 (applied on VLAN 2)
access-list 1 permit 192.168.1.0 0.0.0.255
interface Vlan2
 ip access-group 1 out
ACL deny all traffic from VLAN 2 to VLAN 3 (applied on VLAN 3)
access-list 2 deny 192.168.2.0 0.0.0.255
interface Vlan3
 ip access-group 2 out
Is it best to place all of the ACLs on the inter-VLAN routing core, or on every single switch?
thanks again!
11-09-2006 07:38 AM
Erick
The access lists as you have configured them - your access list 1 permits 192.168.1.0 but does not permit anything else. So VLAN 3 is denied from communicating with VLAN 2 already and you may not need access list 2. But access list 2 as you have configured it will explicitly deny 192.168.2.0 and then the implicit deny will deny everything else. So if you apply access list 2 as configured it will have the result of denying ALL traffic.
The question of where to place access lists can become complicated. When dealing with standard access lists it is generally best practice to place them as close to the destination as is possible, which would usually mean on every switch rather than just on the core. If you configure extended access lists it may be more practical to place them on the core.
HTH
Rick
11-09-2006 07:58 AM
Thanks for the response. In actuality the access lists will have a series of denies and permits for each VLAN to VLAN. I wanted to make sure I had the syntax correct and as simple as possible.
ACL 1 would look more like this
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 deny 192.168.4.0 0.0.0.255
then the implied deny, although it would deny the 3rd line if it weren't in there.
In some instances I may have to do the implied permit statement at the end and could eliminate the permit statements in that ACL.
I wanted to make sure the ACLs would block or permit all traffic from a VLAN to a VLAN with the above syntaxes, i.e. every IP address from 192.168.1.1 to 192.168.1.255 would be permitted?
I would then assign the appropriate ACL to its corresponding interface (VLAN).
Should I do an access-group 1 in and out, to make sure all traffic between the VLANs is blocked or permitted? Or just the out?
Thanks
11-09-2006 08:18 AM
One more quick question,
If I apply access-list 1 only to VLAN 2 via
ip access-group 1 out
those statements are only true for VLAN 2?
Even though there are references to other VLANs.
I'm 99.9% sure that's the case.
11-09-2006 08:42 AM
Erick
If you apply the access list to VLAN 2 interface then the only traffic that it affects is traffic going through the VLAN 2 interface. It may have statements for addresses of various other VLANs but unless the traffic is passing through the VLAN 2 interface it will not be impacted by the access list.
HTH
Rick
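The two points Rick makes (the implicit deny at the end of every standard ACL, so that access-list 2 as posted denies everything, and the fact that an ACL applied outbound on the VLAN 2 interface only ever sees packets leaving through that interface), plus Erick's question about whether 0.0.0.255 covers every host in 192.168.1.0/24 and whether "in" or "out" is needed, can be checked with a small model of how IOS evaluates a numbered standard ACL. The script below is an added illustration written for this thread; it is not Cisco code and not from either poster. It assumes the SVIs are named Vlan1, Vlan2 and Vlan3, that the ACLs are standard IP ACLs applied with `ip access-group N in|out`, and uses the ACL lines and addresses from the thread as constructed sample data.

```python
"""Model of IOS standard-ACL evaluation (added illustration; not Cisco code).

Covers what this thread discusses: wildcard-mask matching, first-match
ordering, the implicit deny at the end of every ACL, and the rule that an ACL
applied in one direction on one SVI only sees packets crossing that SVI in
that direction.  SVI names Vlan1..Vlan3 are assumed; ACL lines are the ones
posted in the thread, used here as constructed test data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


@dataclass
class Entry:
    action: str     # "permit" or "deny"
    network: int    # address part of the entry
    wildcard: int   # wildcard mask: a 1 bit means "don't care"

    def matches(self, addr: int) -> bool:
        # OR-ing the wildcard in blanks the don't-care bits on both sides.
        return (addr | self.wildcard) == (self.network | self.wildcard)


def parse_acl(lines: List[str]) -> Dict[str, List[Entry]]:
    """Parse 'access-list N permit|deny <src>' into {N: [Entry, ...]}.
    <src> is 'A.B.C.D W.X.Y.Z', a bare address (IOS defaults the wildcard
    to 0.0.0.0, a single host), 'host A.B.C.D', or 'any'."""
    acls: Dict[str, List[Entry]] = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0].lower() != "access-list":
            continue  # blank line or some other command
        number, action, src = parts[1], parts[2].lower(), parts[3].lower()
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line}")
        if src == "any":
            network, wildcard = 0, 0xFFFFFFFF
        elif src == "host":
            network, wildcard = to_int(parts[4]), 0
        else:
            network = to_int(parts[3])
            wildcard = to_int(parts[4]) if len(parts) > 4 else 0
        acls.setdefault(number, []).append(Entry(action, network, wildcard))
    return acls


def evaluate(entries: List[Entry], src: str) -> str:
    """First matching entry wins; no match hits the implicit deny."""
    addr = to_int(src)
    for entry in entries:
        if entry.matches(addr):
            return entry.action
    return "deny"   # implicit deny IOS appends to every ACL


@dataclass
class Interface:
    name: str
    acl_in: Optional[str] = None    # 'ip access-group N in'
    acl_out: Optional[str] = None   # 'ip access-group N out'


def route(acls, interfaces, src: str, ingress: str, egress: str) -> str:
    """Packet from `src` enters on SVI `ingress`, leaves on SVI `egress`.
    Only ingress's inbound ACL and egress's outbound ACL are consulted; an
    ACL on any other SVI never sees the packet, whatever addresses it lists."""
    for acl_no in (interfaces[ingress].acl_in, interfaces[egress].acl_out):
        if acl_no is None:
            continue                      # no ACL in this direction
        entries = acls.get(acl_no, [])
        if entries and evaluate(entries, src) == "deny":
            return "deny"                 # an applied-but-empty ACL permits all in IOS
    return "permit"


# ACLs as posted in the thread (constructed sample data).
FIRST_POST = [
    "access-list 1 permit 192.168.1.0 0.0.0.255",
    "access-list 2 deny 192.168.2.0 0.0.0.255",
]
SECOND_POST = [
    "access-list 1 permit 192.168.1.0 0.0.0.255",
    "access-list 1 permit 192.168.3.0 0.0.0.255",
    "access-list 1 deny 192.168.4.0 0.0.0.255",
]


def demo() -> Dict[str, str]:
    acls = parse_acl(FIRST_POST)
    out_only = {"Vlan1": Interface("Vlan1"),
                "Vlan2": Interface("Vlan2", acl_out="1"),   # as in the thread
                "Vlan3": Interface("Vlan3")}
    in_only = {"Vlan2": Interface("Vlan2", acl_in="2"), "Vlan3": Interface("Vlan3")}
    return {
        "acl1 src 192.168.1.255":            evaluate(acls["1"], "192.168.1.255"),
        "acl1 src VLAN3 host":               evaluate(acls["1"], "192.168.3.5"),
        "acl2 src VLAN1 host":               evaluate(acls["2"], "192.168.1.9"),
        "VLAN3->VLAN2, acl1 out on Vlan2":   route(acls, out_only, "192.168.3.5", "Vlan3", "Vlan2"),
        "VLAN3->VLAN1, Vlan2 not crossed":   route(acls, out_only, "192.168.3.5", "Vlan3", "Vlan1"),
        "VLAN2->VLAN3, acl2 in on Vlan2":    route(acls, in_only, "192.168.2.5", "Vlan2", "Vlan3"),
        "VLAN3->VLAN2, acl2 in on Vlan2":    route(acls, in_only, "192.168.3.5", "Vlan3", "Vlan2"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:36s} {result}")
```

Running it shows the 0.0.0.255 wildcard matching 192.168.1.255 along with every other host in the /24, a VLAN 3 source hitting the implicit deny of access-list 1, access-list 2 denying a VLAN 1 source it never names, and a VLAN 3 to VLAN 1 packet passing untouched because it never crosses the Vlan2 SVI. The last two entries show why direction matters: an inbound ACL on Vlan2 filters traffic sourced from VLAN 2 hosts but not traffic destined to them.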