cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
327
Views
0
Helpful
1
Replies
Highlighted
Beginner

VLAN Filtering

I've done a few route maps before and the logic is pretty much the same.  I just can't figure this one out.

It's probably not the best solution, but it is what I have to work with.  I would like to configure a guest vlan on our network and only allow access for DHCP, DNS, and Web.  I'm attempting to use a VLAN filter along with a L3 ACL on the L3 VLAN.  My L3 ACL seems to work fine.  I've been able to block access to the other internal subnets.  I would like users of this subnet to be able to ping the gateway and to traceroute to the Internet.  I'm not sure why I care, but I would also like to block all communication from user to user within the same guest vlan.  I've created the following ACL and VLAN access-map, but I'm still able to ping hosts on the same guest network and am also able to open a share on another host. 

I'm intentionally not matching the deny statements since the action is to drop.  Then, I want to drop the permit statements.  With this configuration, I can pull DHCP, DNS, and surf the web.  I have tested this functionality by adjusting those rules back to permit.  When I do that it breaks DHCP, DNS, and web.  The only piece that is not working is to block communication between hosts on the same guest vlan.  Any ideas?         

vlan access-map map982 10

action drop

match ip address acl982

vlan access-map map982 20

action forward

match ip address aclMatchAll

     

vlan filter map982 vlan-list 982

ip access-list extended acl982

deny   icmp any host 10.98.207.1 unreachable

deny   icmp any host 10.98.207.1 time-exceeded

deny   icmp any host 10.98.207.1 echo-reply

deny   icmp any host 10.98.207.1 echo

deny   icmp host 10.98.207.1 any echo

deny   icmp host 10.98.207.1 any echo-reply

deny   icmp host 10.98.207.1 any time-exceeded

deny   icmp host 10.98.207.1 any unreachable

deny   udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps

deny   udp host 10.98.207.1 eq bootps any eq bootpc

deny   udp 10.98.207.0 0.0.0.255 host 10.0.0.1 eq domain

permit ip 10.98.207.0 0.0.0.255 10.98.207.0 0.0.0.255

permit ip 10.98.207.0 0.0.0.255 10.0.0.0 0.255.255.255

permit ip 10.98.207.0 0.0.0.255 172.16.0.0 0.15.255.255

permit ip 10.98.207.0 0.0.0.255 192.168.0.0 0.0.255.255

Thanks all.

Everyone's tags (2)
1 REPLY 1
Highlighted
Beginner

VLAN Filtering

Hi I'm a little rusty on ACLs but my understanding was that you normally need an implicit deny ip any at the bottom of the ACL. sorry if this suggestion is a silly one

Hope this helps!

Barry

CreatePlease to create content
Content for Community-Ad