08-19-2009 04:12 AM - last edited on 03-25-2019 04:07 PM by ciscomoderator
Hi,
I have an interesting question. I have a Catalyst 6006 with an MSFC card. I run, say, 4 VLANs.
I want to, say, block VLAN 3 from the rest but allow, say, a VLAN 3 machine to access HTTPS and DNS. What is the best and most secure way of doing it? I seem to have to make two groups, in and out, on my router before traffic will flow?
ip access-list standard Events
permit 10.1.3.0 0.0.0.255
deny 10.0.0.0 0.255.255.255
permit any
interface vlan 3
ip access-group Events in
ip access-group Events out
Seems an odd way to get an ACL to work? Having to duplicate it in and out??
Another one, say, to lock it down better:
ip access-list extended Events-IN
 remark entries match on protocol and port, so the ACL must be extended, not standard
 permit udp host 10.1.3.6 gt 1024 any eq domain
 permit tcp host 10.1.3.6 any eq 443
 deny ip 10.1.3.0 0.0.0.255 any
 permit ip any any
ip access-list extended Events-OUT
 remark return half of the same two flows, plus the block on everything else into VLAN 3
 permit udp any eq domain host 10.1.3.6 gt 1024
 permit tcp any eq 443 host 10.1.3.6
 deny ip any 10.1.3.0 0.0.0.255
 permit ip any any
interface vlan 3
 ip access-group Events-IN in
 ip access-group Events-OUT out
Why do I have to do it like this - isn't this pointless?? If I only do Events-IN, no traffic seems to go through?
Am I misunderstanding things?
Thanks for any help
Ed
09-07-2009 06:38 AM
Well then your best (most secure) way is to use a VACL with VLAN maps and permit traffic both ways, like Matt is saying. If you look at my first post you can see how to do this. Don't worry, reading too much gets the best of all of us :). Never be afraid to ask questions.
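To make the "why two ACLs" question and the VACL suggestion concrete, here is a small stateless model of the IOS filtering semantics the thread relies on. This is an added example written for this thread, not Cisco code and not from either poster: it parses the Events-IN / Events-OUT / Events entries exactly as written above, evaluates constructed packets first-match-wins with the implicit deny, and models a VLAN access-map as a list of (ACL, action) sequences. The DNS server address 10.1.9.9, the other-VLAN host 10.1.2.5, the ACL name Vlan3-Allowed and the packets themselves are all constructed for the example; the VACL fall-through (drop when no sequence matches) is an assumption of the model.

```python
"""Stateless model of the IOS ACL behaviour discussed in the thread (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

PORT_NAMES = {"domain": 53, "www": 80, "https": 443}   # only the names used here
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Entry:
    action: str
    proto: str
    src: IPv4Network
    sport: Optional[Tuple[str, int]]
    dst: IPv4Network
    dport: Optional[Tuple[str, int]]


def _take_addr(tokens: List[str]) -> IPv4Network:
    """Consume 'any' | 'host A' | 'A WILDCARD' from the front of the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return IPv4Network(tokens.pop(0) + "/32")
    wildcard = int(IPv4Address(tokens.pop(0)))
    if wildcard & (wildcard + 1):          # only contiguous wildcards are modelled
        raise ValueError("non-contiguous wildcard not supported")
    return IPv4Network((t, 32 - wildcard.bit_length()), strict=False)


def _take_port(tokens: List[str]) -> Optional[Tuple[str, int]]:
    """Consume an optional 'eq|gt|lt PORT' operator (port may be a name or a number)."""
    if tokens and tokens[0] in ("eq", "gt", "lt"):
        op = tokens.pop(0)
        return op, int(PORT_NAMES.get(tokens.pop(0), tokens[0] if False else tokens.pop(0) if False else 0) or 0)
    return None
```

Usage: run the file to print a verdict per constructed packet. The "dns reply, out ACL without reply entries" case is the statelessness point: drop the two reply permits from Events-OUT and the DNS answer is denied, because an interface ACL never remembers the query that went out. The standard Events ACL case shows why source-only matching cannot express "replies only": applied outbound it denies the reply from any 10.0.0.0/8 source.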
12-08-2009 05:59 AM
Hi,
Thanks for the reply - have tried this and it works.
I still don't fully understand why Cisco made such an intense command. I mean 98% of traffic is going to need two entries - one one way and the duplicate inverse the other. Therefore it would have made sense to, say, add a Return parameter and the command just adds it in as part of the same line??
Thanks
Ed