11-18-2008 07:45 AM - edited 03-06-2019 02:32 AM
I have 10 vlans total. I need to deny access of the voice vlan 104 to the others (i.e. someone unplugs a phone and plugs in a laptop). I have created an ACL and applied it, but I'm wondering if there are other options and whether they are better?
Thanks Brian
ACL
Extended IP access list 101
10 permit ip any any
Extended IP access list 104
10 permit ip 192.168.104.0 0.0.0.255 192.168.100.0 0.0.0.255
20 permit ip 192.168.104.0 0.0.0.255 192.168.101.0 0.0.0.255
30 permit ip 192.168.104.0 0.0.0.255 192.168.102.0 0.0.0.255
40 permit ip 192.168.104.0 0.0.0.255 192.168.103.0 0.0.0.255
50 permit ip 192.168.104.0 0.0.0.255 192.168.105.0 0.0.0.255
60 permit ip 192.168.104.0 0.0.0.223 192.168.106.0 0.0.0.255
70 permit ip 192.168.104.0 0.0.0.255 192.168.107.0 0.0.0.255
80 permit ip 192.168.104.0 0.0.0.255 192.168.108.0 0.0.0.255
90 permit ip 192.168.104.0 0.0.0.255 192.168.109.0 0.0.0.255
100 permit ip 192.168.104.32 0.0.0.223 192.168.200.0 0.0.0.255
110 permit ip host 192.168.104.31 192.168.200.0 0.0.0.255
120 permit ip host 192.168.104.30 192.168.200.0 0.0.0.255
130 permit ip host 192.168.104.29 192.168.200.0 0.0.0.255
140 permit ip host 192.168.104.28 192.168.200.0 0.0.0.255
150 permit ip host 192.168.104.27 192.168.200.0 0.0.0.255
160 permit ip host 192.168.104.26 192.168.200.0 0.0.0.255
170 permit ip host 192.168.104.25 192.168.200.0 0.0.0.255
180 permit ip host 192.168.104.24 192.168.200.0 0.0.0.255
190 permit ip host 192.168.104.23 192.168.200.0 0.0.0.255
200 permit ip host 192.168.104.20 192.168.200.0 0.0.0.255
210 permit ip host 192.168.104.19 192.168.200.0 0.0.0.255
220 permit ip host 192.168.104.18 192.168.200.0 0.0.0.255
230 permit ip host 192.168.104.17 192.168.200.0 0.0.0.255
240 permit ip host 192.168.104.16 192.168.200.0 0.0.0.255
250 permit ip host 192.168.104.15 192.168.200.0 0.0.0.255
260 permit ip host 192.168.104.14 192.168.200.0 0.0.0.255
270 permit ip host 192.168.104.13 192.168.200.0 0.0.0.255
280 permit ip host 192.168.104.12 192.168.200.0 0.0.0.255
290 permit ip host 192.168.104.11 192.168.200.0 0.0.0.255
300 permit ip host 192.168.104.10 192.168.200.0 0.0.0.255
310 permit ip host 192.168.104.9 192.168.200.0 0.0.0.255
320 permit ip host 192.168.104.8 192.168.200.0 0.0.0.255
330 permit ip host 192.168.104.7 192.168.200.0 0.0.0.255
340 permit ip host 192.168.104.6 192.168.200.0 0.0.0.255
350 permit ip host 192.168.104.4 192.168.200.0 0.0.0.255
360 permit ip host 192.168.104.3 192.168.200.0 0.0.0.255
vlan access-map VOIP_Security 10
action drop
match ip address 104
vlan access-map VOIP_Security 20
action forward
match ip address 101
!
vlan filter VOIP_Security vlan-list 104
thanks again
11-18-2008 12:09 PM
VACLs are good when you want to restrict traffic within a vlan, and normal ACLs are good to restrict between different vlans.
You can also do what you want by just applying your acl to the VLAN's SVI that the phones are on. The only problem would be that you would need to change all of your permit statements to deny in your case, because currently you're matching on those acls to drop traffic in your vacl.
If you decide to do this, you would apply your acl in the IN direction on the 104 svi.
int vlan104
ip access-group 104 in
--John
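The SVI variant John describes, written out as an added example (this is not configuration from the thread or from Cisco documentation). The posted VACL used "permit" entries as match criteria for the drop action; on an SVI the ACL entries themselves are the permit/deny decision, so each of those entries becomes a deny, and a closing "permit ip any any" is needed or the implicit deny at the end of the list would also silence the phones' own traffic (call control, DHCP, TFTP). The ACL name VOICE_IN, the gateway address 192.168.104.1 and the per-host entries left out for the 192.168.200.0 subnet are assumptions; the subnets are the ones listed in the question.

```cisco
! Added example, not the thread's configuration.
! Router ACL applied inbound on the voice VLAN SVI; replaces the VACL.
ip access-list extended VOICE_IN
 remark voice VLAN 104 may not reach the data VLANs
 deny   ip 192.168.104.0 0.0.0.255 192.168.100.0 0.0.0.255 log
 deny   ip 192.168.104.0 0.0.0.255 192.168.101.0 0.0.0.255 log
 deny   ip 192.168.104.0 0.0.0.255 192.168.102.0 0.0.0.255 log
 deny   ip 192.168.104.0 0.0.0.255 192.168.103.0 0.0.0.255 log
 deny   ip 192.168.104.0 0.0.0.255 192.168.105.0 0.0.0.255 log
 deny   ip 192.168.104.0 0.0.0.255 192.168.106.0 0.0.0.255 log
 deny   ip 192.168.104.0 0.0.0.255 192.168.107.0 0.0.0.255 log
 deny   ip 192.168.104.0 0.0.0.255 192.168.108.0 0.0.0.255 log
 deny   ip 192.168.104.0 0.0.0.255 192.168.109.0 0.0.0.255 log
 remark per-host entries for 192.168.200.0/24 from the original list go here
 remark everything else the phones need (call control, DHCP, TFTP) stays allowed
 permit ip any any
!
interface Vlan104
 ip address 192.168.104.1 255.255.255.0
 ip access-group VOICE_IN in
!
! Verify: hit counters per entry, and the denied flows that were logged
show ip access-lists VOICE_IN
show logging | include VOICE_IN
```

The "log" keyword is what gives you detection of a laptop on the voice VLAN trying to reach the data VLANs, but logged matches are handled in software rather than in hardware, so keep it on the deny entries while validating the policy and drop it from any entry that turns out to match at high rate. Because the SVI only sees routed traffic, this ACL cannot touch traffic that stays inside VLAN 104; that is the same scope the original VACL had, since all of its match entries were between different subnets.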
11-18-2008 12:01 PM
Hello,
maybe port-security: the sticky option will store the first learned MAC, and then there are options like you want, SNMP trap, port block.
But I'm not sure if this is not too much config overhead for you...
I would do this with port security, because if the laptop gets a VoIP VLAN IP it can work too... with this big ACL you may get trouble in other cases...
Sebastian
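What Sebastian's port-security suggestion looks like on a phone port, as an added example (not configuration from the thread or from Cisco). Sticky learning records the phone's MAC address in the running config the first time it is seen; "violation restrict" drops frames from any other source address and raises a syslog message and SNMP trap instead of shutting the port. The interface name, the data VLAN 10 and the maximum of two addresses (one phone on the voice VLAN, one PC behind it on the data VLAN) are assumptions; voice VLAN 104 is from the thread.

```cisco
! Added example, not the thread's configuration.
! One phone (voice VLAN) plus one PC daisy-chained behind it (data VLAN).
interface GigabitEthernet1/0/1
 description phone port
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 104
 switchport port-security
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan voice
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Send the violation as a trap and keep a syslog record of it
snmp-server enable traps port-security
!
! Verify: learned sticky addresses, violation counter and current state
show port-security interface GigabitEthernet1/0/1
show port-security address
show running-config interface GigabitEthernet1/0/1
```

After the phone has been learned, the sticky entry appears in the running config as "switchport port-security mac-address sticky <phone MAC>"; save the config so it survives a reload. Note the trade-off Sebastian points at: a device plugged into the port lands in the data VLAN 10, and this keeps the second MAC on the voice VLAN from being accepted, but it does nothing about what an already-accepted host is allowed to reach, so the ACL on the SVI and port security address different parts of the problem and can be used together.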
11-18-2008 02:03 PM
John;
Thanks for the input. After testing I found that the standard ACLs were more efficient than the VACLs. I'm going to continue using them to secure the rest of the network. I went with the VACLs since that's what my vendor used when installing the router. Don't know why they chose that. Thanks again
11-18-2008 02:06 PM
I really couldn't tell you unless they only have a generic setup that supports a single vlan. In that case, you'd have a need for vacls.
HTH,
John