ACL on Multiple 3550 vlans

Unanswered Question
May 17th, 2008

Hello,

I am trying to block subnets configured on the same L3 3550 vlan from seeing each other and from being accessed from other parts of our network.

I have the following as the 'IN' access-group on vlan 3:

access-list 124 remark Allowed Management Ranges
access-list 124 permit ip x.x.x.x 0.0.0.7 any
access-list 124 permit ip x.x.x.x 0.0.0.7 any
access-list 124 permit ip x.x.x.x 0.0.0.3 any
access-list 124 permit ip host x.x.x.x any
access-list 124 remark Allowed Office Ranges
access-list 124 permit ip x.x.x.x 0.0.0.31 any
access-list 124 permit ip x.x.x.x 0.0.0.31 any
access-list 124 remark Deny Services
access-list 124 deny ip any 192.168.6.0 0.0.0.255
access-list 124 deny ip any 192.168.9.0 0.0.0.255
access-list 124 deny ip any 192.168.10.0 0.0.0.255
access-list 124 deny ip any 192.168.11.0 0.0.0.255
access-list 124 deny ip any 192.168.19.0 0.0.0.255
access-list 124 deny ip any 192.168.20.0 0.0.0.255
access-list 124 deny ip any 192.168.250.0 0.0.0.255
access-list 124 remark Allow Everything Else
access-list 124 permit ip any any
! The entries below are never reached: "permit ip any any" already matches every packet,
! and any "access-list 124 ..." command entered later is appended after it as well.
access-list 124 permit icmp any any
access-list 124 remark Deny Everything Else
access-list 124 deny ip any any

When I apply this to vlan 3 on the 3550, I am able to stop all the private subnets from seeing each other. However, users can still telnet to each vlan IP address, i.e. 192.168.6.1, etc. And also other portions of our network can still access all the "denied" subnets on this switch.

Also, if I deny telnet access "deny tcp any 192.168.6.0 0.0.0.255 eq 23" telnet still works.

Do I need to apply this on the connected vlan interfaces and not the vlan itself?

This is driving me crazy. lol.

Any help would be appreciated.

Thanks,

j

Jon Marshall Sat, 05/17/2008 - 11:27

J

What subnet is on vlan 3?

Just for clarity. When you apply an access-list in the Inbound direction on a vlan interface that is for traffic coming FROM devices on that vlan.

Outbound on a vlan interface is traffic going TO devices on that vlan.

Could you give an example with IP addresses of what does and doesn't work.

Jon

Jesse Hottle Sat, 05/17/2008 - 11:36

Hello,

Everything in the above range on the ACL is in vlan 3.

What I am trying to do is prevent people on the 192.168.6.0 subnet from reaching devices on the 192.168.20.0 subnet, etc..

I also need to prevent other outside (not on this 3550) subnets from reaching any of the subnets in the ACL, as well as blocking telnet. I have tried applying the ACL either as in or out and it sometimes works and other times does not.

If I apply this as 'in' it blocks the subnets from seeing each other which is what I need, but outside this 3550 other subnets can access it all.

Does that help?

kshortdynasty Sat, 05/17/2008 - 17:35

J,

Sounds like you have one vlan interface with secondary ip addresses.

If this is the case, create an access-list that denies the networks (include the networks from other routers and switches you want to block).

The last statement in the access list should permit any to any.

Apply that on the vlan interface outbound and you'll be good to go.
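
The two points made in this thread, Jon's inbound/outbound direction on a vlan interface and kshortdynasty's "deny the networks, permit any at the end, apply outbound" recipe, both come down to first-match ACL evaluation and to which interface a packet enters and leaves. The Python model below is an added example, not code from the thread or from Cisco. It parses a small subset of the `access-list N permit|deny PROTO SRC DST [eq PORT]` syntax, evaluates it first-match with the implicit deny, and then routes packets through a two-SVI router in which vlan 3 carries the 192.168.6.0/24 and 192.168.20.0/24 secondaries. The 10.1.1.0/29 and 10.2.0.0/27 management/office ranges (masked as x.x.x.x in the post), the outside vlan 50 with 172.16.50.0/24, and the simplified grammar are assumptions constructed for the example. One IOS fact it relies on: an `access-list 124 ...` command appends to numbered ACL 124, so a `deny tcp ... eq 23` typed after the ACL already exists lands below `permit ip any any`.

```python
"""Model of Cisco IOS extended-ACL evaluation and of where an SVI ACL applies.
Added example for this thread (not code from the thread or from Cisco). Assumed: a
subset of `access-list N permit|deny PROTO SRC DST [eq PORT]`, first-match with an
implicit deny, inbound ACL on the ingress SVI then outbound ACL on the egress SVI.
All addresses below are constructed for the example."""
import ipaddress
from collections import namedtuple

# dport is the destination port from "eq PORT", or None; proto "ip" matches everything.
Entry = namedtuple("Entry", "action proto src dst dport")


def _net(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # An IOS wildcard mask is the bitwise inverse of the subnet mask.
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1])))
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse `access-list N ...` lines in the order given; remarks and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, rest = _net(t[4:])
        dst, rest = _net(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append(Entry(t[2], t[3], src, dst, dport))
    return entries


def evaluate(entries, src, dst, proto, dport=None):
    """Return (action, index) of the first matching entry; no match is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, e in enumerate(entries):
        if (e.proto in ("ip", proto) and s in e.src and d in e.dst
                and (e.dport is None or e.dport == dport)):
            return e.action, i
    return "deny", None


def forward(interfaces, ingress, src, dst, proto, dport=None):
    """interfaces: name -> (connected networks, inbound ACL or None, outbound ACL or None).
    Ingress SVI inbound ACL first, then egress SVI outbound ACL; with secondary
    addresses both can be the same SVI (vlan 3 in this thread)."""
    _, acl_in, _ = interfaces[ingress]
    if acl_in and evaluate(acl_in, src, dst, proto, dport)[0] == "deny":
        return "dropped by inbound ACL on " + ingress
    d = ipaddress.ip_address(dst)
    egress = next((name for name, (nets, _, _) in interfaces.items()
                   if any(d in n for n in nets)), None)
    if egress is None:
        return "no route"
    _, _, acl_out = interfaces[egress]
    if acl_out and evaluate(acl_out, src, dst, proto, dport)[0] == "deny":
        return "dropped by outbound ACL on " + egress
    return "forwarded out " + egress


# Constructed, shortened version of ACL 124 from the post; the real management and
# office ranges are masked there, so 10.x placeholders stand in for them.
ACL_124 = """
access-list 124 remark Allowed Management Ranges
access-list 124 permit ip 10.1.1.0 0.0.0.7 any
access-list 124 remark Allowed Office Ranges
access-list 124 permit ip 10.2.0.0 0.0.0.31 any
access-list 124 remark Deny Services
access-list 124 deny ip any 192.168.6.0 0.0.0.255
access-list 124 deny ip any 192.168.20.0 0.0.0.255
access-list 124 remark Allow Everything Else
access-list 124 permit ip any any
"""
# The telnet deny tried in the post. On IOS an `access-list 124 ...` command appends
# to numbered ACL 124, so it lands after `permit ip any any`.
TELNET_DENY = "access-list 124 deny tcp any 192.168.6.0 0.0.0.255 eq 23\n"


def ordering_demo():
    """Office host 10.2.0.5 telnets to the vlan 3 SVI address 192.168.6.1."""
    appended = parse_acl(ACL_124 + TELNET_DENY)
    first = parse_acl(TELNET_DENY + ACL_124)
    return {"deny appended at end": evaluate(appended, "10.2.0.5", "192.168.6.1", "tcp", 23),
            "deny placed first": evaluate(first, "10.2.0.5", "192.168.6.1", "tcp", 23)}


def direction_demo():
    """ACL 124 inbound versus outbound on vlan 3 (secondary subnets 192.168.6.0/24 and
    192.168.20.0/24); vlan 50 with 172.16.50.0/24 is an assumed outside subnet."""
    acl = parse_acl(ACL_124)
    vlan3 = [ipaddress.ip_network("192.168.6.0/24"), ipaddress.ip_network("192.168.20.0/24")]
    vlan50 = [ipaddress.ip_network("172.16.50.0/24")]
    topologies = {"in": {"Vlan3": (vlan3, acl, None), "Vlan50": (vlan50, None, None)},
                  "out": {"Vlan3": (vlan3, None, acl), "Vlan50": (vlan50, None, None)}}
    results = {}
    for where, ifs in topologies.items():
        results[where + ": vlan3 6.x -> 20.x"] = forward(ifs, "Vlan3", "192.168.6.10", "192.168.20.5", "tcp", 445)
        results[where + ": outside -> 6.x"] = forward(ifs, "Vlan50", "172.16.50.7", "192.168.6.10", "tcp", 445)
    return results


if __name__ == "__main__":
    for k, v in {**ordering_demo(), **direction_demo()}.items():
        print(f"{k}: {v}")
```

Running it shows the symptoms from the post: with the ACL inbound on vlan 3, traffic between the two secondaries is dropped but an outside host reaches 192.168.6.x untouched, because the packet enters on vlan 50 (no ACL) and nothing is applied on the way out of vlan 3; with the same ACL outbound on vlan 3, both cases are dropped, since inter-secondary traffic also leaves through vlan 3. The telnet deny is permitted at entry 1 (the office permit) when appended and denied at entry 0 when placed first; on real IOS, getting it ahead of `permit ip any any` means rebuilding the numbered ACL or editing it by sequence number under `ip access-list extended 124`. One caveat the model does not cover: an outbound ACL is never applied to packets addressed to the switch's own SVI addresses, so telnet to 192.168.6.1 itself is best restricted with `access-class` on the vty lines rather than with the interface ACL.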
