ACL to control traffic

Unanswered Question
Nov 4th, 2008
User Badges:

I have several remote offices and all offices use the same VLAN's 1,2,3,4,5,6,etc... I was able to create an access-list which will only allow VLAN 1 in one remote office to communicate with VLAN 1 in the other remote offices. The problem I have is when traffic tries to route to the Internet. Normally I would just add an ANY statement for this. But if I do that then all the traffic will be permitted. The other way would be to individually deny traffic to the VLAN's. But this would require a lot of statements and might be difficult to manage. I think there is an easier way to do this. Does anyone have any suggestions. Thanks.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
John Blakley Tue, 11/04/2008 - 07:21
User Badges:
  • Purple, 4500 points or more

If I understand your question correctly, you need to block your traffic at the closest point possible by adding acl's to each of your branches. If they are contiguous blocks (vlan1,2, and 3 - ip 192.168.1.0, 2.0, 3.0 respectively, you may want to look into creating an ACL that summarizes the networks that you want to block. Put that at the top of your list, and then permit your local traffic out to everything else.


--John

John Blakley Tue, 11/04/2008 - 07:22
User Badges:
  • Purple, 4500 points or more

Oh, and if they can't be easily summarized, you will be limited to creating an entry for each subnet you want to block.


--John

Actions

This Discussion