Solved: ACLs to protect VLAN

townofnewmarket · ‎08-01-2009

Most of my users are on VLAN12. They are your basic user (clueless and dangerous, lol). I have a sensitive network on VLAN11 and only 2 people on 12 need access to 11. I'd like to block everyone else.

Can someone give me an idea of the ACL I would have to write to do this? These are 3560s and 3560Gs. No router in the net.

Thank you!

Edison Ortiz · ‎08-01-2009

My 2nd ACL will block traffic just for Vlan12 while allowing the 2 host from Vlan12 as well as the remaining subnets incoming traffic to Vlan11.

The order in the ACL matters, so make sure you have the 2 hosts from Vlan12 listed first, then have a deny for Vlan12 to the entire subnet and last ACL entry will have a permit any.

HTH,

__

Edison.

View solution in original post

Edison Ortiz · ‎08-01-2009

ip access-list standard VLAN12

permit [ip address of the host]

interface vlan 11

ip access-group VLAN12 in

Does Vlan11 need to reach other devices - i.e - internet?

If so, the ACL must be like:

ip access-list standard VLAN12

permit [ip address of the host]

deny [vlan 12 subnet]

permit any

HTH,

__

Edison.

townofnewmarket · ‎08-01-2009

Yes VLAN 11 needs access to the Net as well as a VLAN 15. Both VLANs need access to my two VOIP VLANS.

Do I need to allocate for those as well?

Edison Ortiz · ‎08-01-2009

My 2nd ACL will block traffic just for Vlan12 while allowing the 2 host from Vlan12 as well as the remaining subnets incoming traffic to Vlan11.

The order in the ACL matters, so make sure you have the 2 hosts from Vlan12 listed first, then have a deny for Vlan12 to the entire subnet and last ACL entry will have a permit any.

HTH,

__

Edison.