ACL restriction on switched network

Unanswered Question
Feb 20th, 2007

Hi gents,

Which type of ACL should I use to get some IP subnets in restricted L2 (switched) environments?

I can't use MAC ACLs, as I have a lot of hosts. Can't use VLAN ACLs either. There are some restrictions.

thanks

Leo

Leo_Stobbe Wed, 02/21/2007 - 01:19

I have SwitchA connected to SwitchB.

They are connected to each other through a switched port (access port) in VLAN 20.

There are some servers in VLAN 20 connected to SwitchB.

SwitchB has the route to the ISP.

SwitchA - Interface Vlan 20

ip address 10.20.0.1

default gateway - 10.20.0.254

SwitchB - Interface Vlan 20

IP address 10.20.0.254

default gateway - Internet Gateway

SwitchA has vlan16 - 10.16.0.0

Hosts from this subnet access the internet through SwitchB and then SwitchA (and also can see servers in VLAN 20).

SwitchB doesn't have VLAN 16.

It has only a back route to that subnet.

How can I restrict 10.16.0.0 access to the 10.20.0.0 servers?

Outbound ACL on interface Vlan20 on SwitchB?

thanks

Leo_Stobbe Wed, 02/21/2007 - 01:21

Sorry... Correction.

Hosts from this subnet access the internet through SwitchA and then SwitchB (and also can see servers in VLAN 20).

Outbound ACL on interface Vlan20 on SwitchA?

Jon Marshall Wed, 02/21/2007 - 03:19

Hi Leo

Do you have an SVI on switch A for vlan 16 then? I guess you must have. You could apply the following ACL on vlan 16 on switch A:

! Named extended ACL; IOS takes wildcard masks here (0 = must match, 1 = don't care),
! so /16 is written as 0.0.255.255, not 255.255.0.0
ip access-list extended filter
 deny ip 10.16.0.0 0.0.255.255 10.20.0.0 0.0.255.255
 permit ip 10.16.0.0 0.0.255.255 any

On the vlan 16 interface:

interface Vlan16
 ip access-group filter in

The destination network from the 10.16.x.x hosts will always be allowed unless it is going to a 10.20.x.x address.

If there are some addresses in the 10.20.x.x range that you want access to from 10.16.x.x clients you could add those to the top of the access-list.

HTH

Jon
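As an added illustration (not part of Jon's reply or of any Cisco code), the Python model below evaluates an IOS-style extended ACL with first-match semantics and the implicit deny at the end, so the wildcard masks and entry order can be checked before the list goes on the SVI. The entries and addresses are constructed from the thread; BROKEN_ACL is a hypothetical list that uses subnet masks where IOS expects wildcard masks.

```python
import ipaddress

# Constructed ACL modelled on the "filter" list above: each entry is
# (action, source, source-wildcard, destination, destination-wildcard).
# IOS wildcard semantics: a 0 bit must match, a 1 bit is "don't care".
FILTER_ACL = [
    ("deny",   "10.16.0.0", "0.0.255.255", "10.20.0.0", "0.0.255.255"),
    ("permit", "10.16.0.0", "0.0.255.255", "0.0.0.0",   "255.255.255.255"),  # "any"
]

# Hypothetical mistake: subnet masks written where wildcard masks belong.
# With 255.255.0.0 as a wildcard, the *last* two octets must equal 0.0, so
# a real host such as 10.16.1.5 matches neither line and hits the implicit deny.
BROKEN_ACL = [
    ("deny",   "10.16.0.0", "255.255.0.0", "10.20.0.0", "255.255.0.0"),
    ("permit", "10.16.0.0", "255.255.0.0", "0.0.0.0",   "255.255.255.255"),
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under the IOS wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # bits that must be equal
    return (a & care) == (b & care)


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


def with_exception(acl, server: str):
    """Jon's suggestion: a permit for one 10.20.x.x server placed at the top."""
    return [("permit", "10.16.0.0", "0.0.255.255", server, "0.0.0.0")] + list(acl)


if __name__ == "__main__":
    for s, d in [("10.16.1.5", "10.20.0.10"), ("10.16.1.5", "8.8.8.8")]:
        print(s, "->", d, "filter:", evaluate(FILTER_ACL, s, d),
              "broken:", evaluate(BROKEN_ACL, s, d))
```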

jain.nitin Wed, 02/21/2007 - 02:24

Hi, apply an extended ACL on the vlan 20 interface inbound & define 10.16.0.0 as source & 10.20.0.0 as destination.

If it helps do rate it.

Ninja
