VACLs: Best way to control VLAN access?

BrianBethge
Level 1

I have 10 VLANs total. I need to deny access from the voice VLAN 104 to the others (i.e. someone unplugs a phone and plugs in a laptop). I have created an ACL and applied it, but I'm wondering if there are other options and whether they are better?

Thanks Brian

ACL

Extended IP access list 101
    10 permit ip any any
Extended IP access list 104
    10 permit ip 192.168.104.0 0.0.0.255 192.168.100.0 0.0.0.255
    20 permit ip 192.168.104.0 0.0.0.255 192.168.101.0 0.0.0.255
    30 permit ip 192.168.104.0 0.0.0.255 192.168.102.0 0.0.0.255
    40 permit ip 192.168.104.0 0.0.0.255 192.168.103.0 0.0.0.255
    50 permit ip 192.168.104.0 0.0.0.255 192.168.105.0 0.0.0.255
    60 permit ip 192.168.104.0 0.0.0.223 192.168.106.0 0.0.0.255
    70 permit ip 192.168.104.0 0.0.0.255 192.168.107.0 0.0.0.255
    80 permit ip 192.168.104.0 0.0.0.255 192.168.108.0 0.0.0.255
    90 permit ip 192.168.104.0 0.0.0.255 192.168.109.0 0.0.0.255
    100 permit ip 192.168.104.32 0.0.0.223 192.168.200.0 0.0.0.255
    110 permit ip host 192.168.104.31 192.168.200.0 0.0.0.255
    120 permit ip host 192.168.104.30 192.168.200.0 0.0.0.255
    130 permit ip host 192.168.104.29 192.168.200.0 0.0.0.255
    140 permit ip host 192.168.104.28 192.168.200.0 0.0.0.255
    150 permit ip host 192.168.104.27 192.168.200.0 0.0.0.255
    160 permit ip host 192.168.104.26 192.168.200.0 0.0.0.255
    170 permit ip host 192.168.104.25 192.168.200.0 0.0.0.255
    180 permit ip host 192.168.104.24 192.168.200.0 0.0.0.255
    190 permit ip host 192.168.104.23 192.168.200.0 0.0.0.255
    200 permit ip host 192.168.104.20 192.168.200.0 0.0.0.255
    210 permit ip host 192.168.104.19 192.168.200.0 0.0.0.255
    220 permit ip host 192.168.104.18 192.168.200.0 0.0.0.255
    230 permit ip host 192.168.104.17 192.168.200.0 0.0.0.255
    240 permit ip host 192.168.104.16 192.168.200.0 0.0.0.255
    250 permit ip host 192.168.104.15 192.168.200.0 0.0.0.255
    260 permit ip host 192.168.104.14 192.168.200.0 0.0.0.255
    270 permit ip host 192.168.104.13 192.168.200.0 0.0.0.255
    280 permit ip host 192.168.104.12 192.168.200.0 0.0.0.255
    290 permit ip host 192.168.104.11 192.168.200.0 0.0.0.255
    300 permit ip host 192.168.104.10 192.168.200.0 0.0.0.255
    310 permit ip host 192.168.104.9 192.168.200.0 0.0.0.255
    320 permit ip host 192.168.104.8 192.168.200.0 0.0.0.255
    330 permit ip host 192.168.104.7 192.168.200.0 0.0.0.255
    340 permit ip host 192.168.104.6 192.168.200.0 0.0.0.255
    350 permit ip host 192.168.104.4 192.168.200.0 0.0.0.255
    360 permit ip host 192.168.104.3 192.168.200.0 0.0.0.255

! List 104 names the traffic the access-map DROPS; list 101 matches everything else so it is forwarded.
! Sequences 60 and 100 use the wildcard 0.0.0.223 (binary 11011111), which is non-contiguous:
! only bit 5 (value 32) of the last octet is compared. Sequence 60 therefore matches sources
! .0-.31, .64-.95, .128-.159 and .192-.223, and sequence 100 matches .32-.63, .96-.127,
! .160-.191 and .224-.255. Compare with the 0.0.0.255 used in the neighbouring entries.

vlan access-map VOIP_Security 10
 action drop
 match ip address 104
vlan access-map VOIP_Security 20
 action forward
 match ip address 101
!
vlan filter VOIP_Security vlan-list 104

thanks again

1 Accepted Solution

Accepted Solutions

John Blakley
VIP Alumni

VACLs are good when you want to restrict traffic within a VLAN, and normal ACLs are good to restrict traffic between different VLANs.

You can also do what you want by just applying your ACL to the SVI of the VLAN that the phones are on. The only problem is that you would need to change all of your permit statements to deny in your case, because currently you're matching on those ACLs to drop traffic in your VACL.

If you decide to do this, you would apply your ACL in the IN direction on the 104 SVI:

int vlan104
 ip access-group 104 in

--John

HTH, John *** Please rate all useful posts ***

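The two approaches in this thread (Brian's VACL that drops whatever list 104 matches, and John's suggestion of applying the list inbound on the VLAN 104 SVI after flipping permit to deny) can be checked against each other without a switch. The following is an added example, not code from the thread or from Cisco: a small Python model of IOS wildcard matching, the vlan access-map lookup, and the permit-to-deny conversion. It uses a constructed excerpt of Brian's list 104 and a constructed set of test flows. Two points it makes explicit that the thread does not: an IOS ACL ends in an implicit deny, so the flipped list needs a trailing permit ip any any or VLAN 104 loses all routed connectivity; and the non-contiguous wildcard 0.0.0.223 in sequence 60 compares only one bit of the source's last octet, so sources such as 192.168.104.40 slip past it to VLAN 106.

```python
"""Model of an IOS extended ACL, a VACL access-map and the SVI-inbound conversion.
Added example; the ACL excerpt and the flows below are constructed test data."""
import ipaddress

def _addr(tok):
    """Parse one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z' (wildcard)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (int(ipaddress.IPv4Address(tok[1])), 0), tok[2:]
    return (int(ipaddress.IPv4Address(tok[0])), int(ipaddress.IPv4Address(tok[1]))), tok[2:]

def parse_ace(line):
    """Parse '[seq] permit|deny ip <src> <dst>' into a dict (only 'ip' ACEs are modelled)."""
    tok = line.split()
    seq = int(tok.pop(0)) if tok[0].isdigit() else None
    action, proto = tok[0], tok[1]
    assert action in ("permit", "deny") and proto == "ip", line
    src, rest = _addr(tok[2:])
    dst, rest = _addr(rest)
    assert not rest, line
    return {"seq": seq, "action": action, "src": src, "dst": dst}

def matches(spec, ip):
    """IOS wildcard semantics: a set bit in the wildcard means 'do not care'.
    Works for non-contiguous wildcards such as 0.0.0.223 as well."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)

def acl_lookup(acl, src, dst):
    """Action of the first matching ACE; an IOS ACL ends in an implicit deny."""
    for ace in acl:
        if matches(ace["src"], src) and matches(ace["dst"], dst):
            return ace["action"]
    return "deny"

def vacl_forward(access_map, acls, src, dst):
    """vlan access-map: sequences in order, act on the first whose ACL permits the
    packet. A packet matching no sequence is dropped (VACL implicit deny)."""
    for action, acl_name in access_map:
        if acl_lookup(acls[acl_name], src, dst) == "permit":
            return action == "forward"
    return False

def to_svi_inbound(drop_acl):
    """John's conversion: every 'permit' in the drop-list becomes a 'deny'. The
    trailing 'permit ip any any' is required: without it the implicit deny would
    block every routed packet from the VLAN, not just the listed ones."""
    flipped = [dict(ace, action="deny") for ace in drop_acl if ace["action"] == "permit"]
    flipped.append(parse_ace("permit ip any any"))
    return flipped

def render(acl):
    """IOS-style text of an ACE list (sequence numbers omitted; IOS renumbers on entry)."""
    def a(spec):
        base, wild = spec
        if wild == 0xFFFFFFFF:
            return "any"
        if wild == 0:
            return f"host {ipaddress.IPv4Address(base)}"
        return f"{ipaddress.IPv4Address(base)} {ipaddress.IPv4Address(wild)}"
    return [f"{e['action']} ip {a(e['src'])} {a(e['dst'])}" for e in acl]

# Constructed excerpt of the posted lists (same entries, fewer of them).
ACL_101 = ["10 permit ip any any"]
ACL_104 = [
    "10 permit ip 192.168.104.0 0.0.0.255 192.168.100.0 0.0.0.255",
    "20 permit ip 192.168.104.0 0.0.0.255 192.168.101.0 0.0.0.255",
    "60 permit ip 192.168.104.0 0.0.0.223 192.168.106.0 0.0.0.255",
    "100 permit ip 192.168.104.32 0.0.0.223 192.168.200.0 0.0.0.255",
    "110 permit ip host 192.168.104.31 192.168.200.0 0.0.0.255",
    "120 permit ip host 192.168.104.30 192.168.200.0 0.0.0.255",
]
ACLS = {"101": [parse_ace(l) for l in ACL_101], "104": [parse_ace(l) for l in ACL_104]}
ACCESS_MAP = [("drop", "104"), ("forward", "101")]   # VOIP_Security 10 and 20

# Constructed (src, dst) flows leaving VLAN 104 towards other subnets.
FLOWS = [
    ("192.168.104.10", "192.168.100.5"),   # laptop on the voice VLAN -> data VLAN: dropped
    ("192.168.104.5", "192.168.200.10"),   # host not in the drop-list -> 200 net: allowed
    ("192.168.104.31", "192.168.200.10"),  # listed host -> 200 net: dropped
    ("192.168.104.10", "192.168.106.5"),   # bit 5 of .10 clear -> seq 60 matches: dropped
    ("192.168.104.40", "192.168.106.5"),   # bit 5 of .40 set -> seq 60 misses: allowed
]

def decide(src, dst):
    """(forwarded by the VACL, permitted by the converted inbound SVI ACL) for one flow."""
    svi_acl = to_svi_inbound(ACLS["104"])
    return (vacl_forward(ACCESS_MAP, ACLS, src, dst), acl_lookup(svi_acl, src, dst) == "permit")

if __name__ == "__main__":
    print("ip access-list extended 104   ! SVI-inbound form")
    for line in render(to_svi_inbound(ACLS["104"])):
        print(" " + line)
    for src, dst in FLOWS:
        print(f"{src:>16} -> {dst:<16} vacl_forward/svi_permit = {decide(src, dst)}")
```

The two columns agree for every routed flow, which is why the conversion works. One caveat the model does not show: an ACL on the SVI only sees traffic being routed off VLAN 104, so two hosts inside 192.168.104.0/24 talking to each other are untouched, whereas the VACL is applied to bridged traffic in the VLAN as well.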

4 Replies

Hello,

Maybe port security with the sticky option: it will store the first learned MAC, and then there are options for what you want on a violation, such as an SNMP trap or blocking the port.

But I'm not sure if this is not too much config overhead for you..

http://cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_46_se/configuration/guide/swtrafc.html#wp1042596

I would do this with port security, because if the laptop gets a VoIP VLAN IP it can work too... with this big ACL you may get trouble in other cases...

Sebastian


John;

Thanks for the input. After testing I found that the standard ACLs were more efficient than the VACLs. I'm going to continue using them to secure the rest of the network. I went with the VACLs since that's what my vendor used when installing the router. Don't know why they chose that? Thanks again

I really couldn't tell you, unless they only have a generic setup that supports a single VLAN. In that case, you'd have a need for VACLs.

HTH,

John

HTH, John *** Please rate all useful posts ***