VACLs: Best way to control VLAN access?

Nov 18th, 2008

I have 10 VLANs total. I need to deny access from the voice VLAN 104 to the others (i.e. someone unplugs a phone and plugs in a laptop). I have created an ACL and applied it, but I'm wondering if there are other options and whether they are better.


Thanks Brian


ACL

Extended IP access list 101
    10 permit ip any any
Extended IP access list 104
    10 permit ip 192.168.104.0 0.0.0.255 192.168.100.0 0.0.0.255
    20 permit ip 192.168.104.0 0.0.0.255 192.168.101.0 0.0.0.255
    30 permit ip 192.168.104.0 0.0.0.255 192.168.102.0 0.0.0.255
    40 permit ip 192.168.104.0 0.0.0.255 192.168.103.0 0.0.0.255
    50 permit ip 192.168.104.0 0.0.0.255 192.168.105.0 0.0.0.255
    60 permit ip 192.168.104.0 0.0.0.223 192.168.106.0 0.0.0.255
    70 permit ip 192.168.104.0 0.0.0.255 192.168.107.0 0.0.0.255
    80 permit ip 192.168.104.0 0.0.0.255 192.168.108.0 0.0.0.255
    90 permit ip 192.168.104.0 0.0.0.255 192.168.109.0 0.0.0.255
    100 permit ip 192.168.104.32 0.0.0.223 192.168.200.0 0.0.0.255
    110 permit ip host 192.168.104.31 192.168.200.0 0.0.0.255
    120 permit ip host 192.168.104.30 192.168.200.0 0.0.0.255
    130 permit ip host 192.168.104.29 192.168.200.0 0.0.0.255
    140 permit ip host 192.168.104.28 192.168.200.0 0.0.0.255
    150 permit ip host 192.168.104.27 192.168.200.0 0.0.0.255
    160 permit ip host 192.168.104.26 192.168.200.0 0.0.0.255
    170 permit ip host 192.168.104.25 192.168.200.0 0.0.0.255
    180 permit ip host 192.168.104.24 192.168.200.0 0.0.0.255
    190 permit ip host 192.168.104.23 192.168.200.0 0.0.0.255
    200 permit ip host 192.168.104.20 192.168.200.0 0.0.0.255
    210 permit ip host 192.168.104.19 192.168.200.0 0.0.0.255
    220 permit ip host 192.168.104.18 192.168.200.0 0.0.0.255
    230 permit ip host 192.168.104.17 192.168.200.0 0.0.0.255
    240 permit ip host 192.168.104.16 192.168.200.0 0.0.0.255
    250 permit ip host 192.168.104.15 192.168.200.0 0.0.0.255
    260 permit ip host 192.168.104.14 192.168.200.0 0.0.0.255
    270 permit ip host 192.168.104.13 192.168.200.0 0.0.0.255
    280 permit ip host 192.168.104.12 192.168.200.0 0.0.0.255
    290 permit ip host 192.168.104.11 192.168.200.0 0.0.0.255
    300 permit ip host 192.168.104.10 192.168.200.0 0.0.0.255
    310 permit ip host 192.168.104.9 192.168.200.0 0.0.0.255
    320 permit ip host 192.168.104.8 192.168.200.0 0.0.0.255
    330 permit ip host 192.168.104.7 192.168.200.0 0.0.0.255
    340 permit ip host 192.168.104.6 192.168.200.0 0.0.0.255
    350 permit ip host 192.168.104.4 192.168.200.0 0.0.0.255
    360 permit ip host 192.168.104.3 192.168.200.0 0.0.0.255

vlan access-map VOIP_Security 10
 action drop
 match ip address 104
vlan access-map VOIP_Security 20
 action forward
 match ip address 101
!
vlan filter VOIP_Security vlan-list 104


thanks again

Sebastian Helmer Tue, 11/18/2008 - 12:01

Hello,


Maybe port security: the sticky option will store the first learned MAC, and then there are some options like you want, SNMP trap, port block.

But I'm not sure if this is not too much config overhead for you..


http://cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_46_se/configuration/guide/swtrafc.html#wp1042596



I would do this with port security, because if the laptop gets a VoIP VLAN IP he can work too... with this big ACL you may get trouble in other cases...


Sebastian


Correct Answer
John Blakley Tue, 11/18/2008 - 12:09

VACLs are good when you want to restrict traffic within a VLAN, and normal ACLs are good to restrict between different VLANs.


You can also do what you want by just applying your ACL to the SVI of the VLAN that the phones are on. Only problem would be that you would need to change all of your permit statements to deny in your case, because currently you're matching on those ACLs to drop traffic in your VACL.


If you decide to do this, you would apply your ACL in the IN direction on the 104 SVI.


int vlan104
 ip access-group 104 in



--John
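The two enforcement points discussed above, as an added example that is not part of the thread and not Cisco or the poster's code. It re-implements IOS first-match ACL and wildcard-mask semantics in plain Python, rebuilds ACL 104 from the entries Brian posted (keeping the two 0.0.0.223 wildcards exactly as posted, since their intent is not stated), and compares the posted VACL against John's inverted ACL on interface Vlan104 (with a trailing permit ip any any added, which his note leaves implicit). The sample source and destination addresses are constructed for illustration; the function names are this example's own.

```python
"""Added model of the two enforcement points discussed in this thread.

Not Cisco code and not the poster's: it re-implements IOS ACL first-match
and wildcard-mask semantics in plain Python so the posted entries can be
checked offline, then compares the posted VACL with the inverted ACL that
John suggests applying inbound on interface Vlan104.
"""
import ipaddress

VOICE_NET = ipaddress.ip_network("192.168.104.0/24")

def posted_acl_104():
    """ACL 104 as posted, generated instead of typed out; sequences 60 and
    100 keep the 0.0.0.223 wildcard exactly as posted."""
    entries, seq = [], 10
    for vlan in (100, 101, 102, 103, 105, 106, 107, 108, 109):
        wild = "0.0.0.223" if vlan == 106 else "0.0.0.255"
        entries.append(f"{seq} permit ip 192.168.104.0 {wild} 192.168.{vlan}.0 0.0.0.255")
        seq += 10
    entries.append(f"{seq} permit ip 192.168.104.32 0.0.0.223 192.168.200.0 0.0.0.255")
    seq += 10
    for host in range(31, 2, -1):
        if host in (22, 21, 5):  # absent from the posted list
            continue
        entries.append(f"{seq} permit ip host 192.168.104.{host} 192.168.200.0 0.0.0.255")
        seq += 10
    return entries

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_field(tok, i):
    """One address field: 'any', 'host A' or 'A WILDCARD' -> ((base, wildcard), next)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def parse_ace(line):
    """Parse 'SEQ permit|deny ip SRC DST', the only entry form the thread uses."""
    tok = line.split()
    src, i = _parse_field(tok, 3)
    dst, _ = _parse_field(tok, i)
    return {"seq": int(tok[0]), "action": tok[1], "src": src, "dst": dst}

def wild_match(addr, field):
    """Wildcard bit 1 = don't care; bit 0 = must equal the base address."""
    base, wild = field
    care = ~wild & 0xFFFFFFFF
    return addr & care == base & care

def acl_lookup(acl, src, dst):
    """IOS ACL semantics: first matching entry wins, otherwise implicit deny."""
    for ace in acl:
        if wild_match(src, ace["src"]) and wild_match(dst, ace["dst"]):
            return ace["action"]
    return "deny"

def is_contiguous_wildcard(wild):
    """True for 0, 255, 65535, ...: zeros then ones, i.e. a plain subnet."""
    return (wild + 1) & wild == 0

def noncontiguous_entries(acl):
    """Sequence numbers whose wildcard is not a subnet mask (IOS accepts them silently)."""
    return [ace["seq"] for ace in acl if not (
        is_contiguous_wildcard(ace["src"][1]) and is_contiguous_wildcard(ace["dst"][1]))]

ACL = {101: [parse_ace("10 permit ip any any")],
       104: [parse_ace(line) for line in posted_acl_104()]}
# vlan access-map VOIP_Security as posted: (sequence, action, ACL it matches)
VACL = [(10, "drop", 104), (20, "forward", 101)]
# John's alternative: the same entries as 'deny', then a final permit for everything else
SVI_ACL = [dict(ace, action="deny") for ace in ACL[104]] + [parse_ace("1000 permit ip any any")]

def vacl_decision(src, dst):
    """'vlan filter VOIP_Security vlan-list 104': every packet in VLAN 104, bridged or
    routed, takes the action of the first sequence whose ACL permits it; no match drops."""
    s, d = _ip(src), _ip(dst)
    for _seq, action, acl_no in VACL:
        if acl_lookup(ACL[acl_no], s, d) == "permit":
            return action
    return "drop"

def svi_decision(src, dst):
    """'ip access-group ... in' on interface Vlan104 only sees packets from VLAN 104 that
    leave it through the router; host-to-host traffic inside the VLAN is bridged around it."""
    if ipaddress.ip_address(src) not in VOICE_NET or ipaddress.ip_address(dst) in VOICE_NET:
        return "not filtered"
    return acl_lookup(SVI_ACL, _ip(src), _ip(dst))

if __name__ == "__main__":
    print("non-contiguous wildcards in ACL 104:", noncontiguous_entries(ACL[104]))
    for src, dst in [("192.168.104.10", "192.168.100.5"), ("192.168.104.10", "192.168.106.10"),
                     ("192.168.104.40", "192.168.106.10"), ("192.168.104.5", "192.168.200.1"),
                     ("192.168.104.10", "192.168.104.20")]:
        print(f"{src} -> {dst}: VACL={vacl_decision(src, dst)} SVI ACL={svi_decision(src, dst)}")
```

Two things fall out of running it. First, sequences 60 and 100 are flagged as non-contiguous wildcards: 0.0.0.223 fixes bit 5 of the last octet, so sequence 60 only catches hosts .0-.31, .64-.95, .128-.159 and .192-.223; a laptop at 192.168.104.40 reaches VLAN 106 through the posted VACL, and the same hole carries over into the inverted SVI ACL. If the intent was the whole /24, the wildcard should read 0.0.0.255 like its neighbours. Second, for 192.168.104.10 to 192.168.104.20 the VACL still evaluates the packet (and forwards it), whereas the SVI ACL never sees it, which is the within-VLAN versus between-VLAN distinction John draws.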

BrianBethge Tue, 11/18/2008 - 14:03

John;

Thanks for the input. After testing I found that the standard ACLs were more efficient than the VACLs. I'm going to continue using them to secure the rest of the network. I went with the VACLs since that's what my vendor used when installing the router. I do not know why they chose that. Thanks again

John Blakley Tue, 11/18/2008 - 14:06

I really couldn't tell you unless they only have a generic setup that supports a single vlan. In that case, you'd have a need for vacls.


HTH,


John
