Simple VACL Config

Answered Question
Jan 27th, 2010
All,

I have a 6509 access switch that I want to configure a VACL on. I want people in my conference rooms to only be able to go to the Internet. I figured I would do this with a VACL; if someone knows a better way please let me know. I want to put all of the conference room ports in a separate VLAN and configure a VACL for that VLAN to only allow traffic coming from that VLAN to go to the Internet. Can someone point me in the right direction of how I might accomplish this? Thanks.

Correct Answer by Jon Marshall about 7 years 6 months ago

If they are in a separate vlan then the easiest thing to do is use a standard acl on the L3 vlan interface. So you need to deny traffic from this vlan to any other internal vlans, then allow traffic to everything else because the Internet addresses could be anything, so:

conference room vlan 5 = 192.168.5.0/24
internal vlans = vlan 10 -> 192.168.1.0/24
                 vlan 11 -> 192.168.2.0/24

access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 101 deny ip any any

int vlan 5
ip access-group 101 in

Couple of things to note:

1) If internet access is done via a proxy then your acl is a lot simpler, i.e.

   access-list 101 permit ip 192.168.5.0 0.0.0.255 host <proxy-server-address>
   access-list 101 deny ip any any

2) I have used ip in the acls but you should tie it down to the relevant TCP ports, i.e. 80, 443 and any others.

3) I have put an explicit deny ip any any at the end of the acl but there is an implicit one there anyway, so the last line is not actually needed if you don't want it.

4) If you aren't using a proxy server and they go direct to internet addresses you will need to allow the 192.168.5.x clients to resolve DNS names, which may mean them being able to query the same DNS servers as the rest of your internal clients. Depends how you have set up DNS.


Jon
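As an added illustration of the first-match and implicit-deny behaviour described in the answer above (my own example, not code from the thread or from Cisco), the following Python models how an IOS extended ACL is evaluated: it parses ACL lines in the syntax used above, applies the wildcard masks, and returns the action for a sample flow. The ACL text, subnet assignments and sample addresses are constructed, and the port-specific entries apply note 2.

```python
import ipaddress

# Constructed ACL in the IOS syntax of the answer above, with note 2 applied:
# internal subnets denied first, then only DNS and web permitted to anywhere.
CONFERENCE_ACL = """
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit udp 192.168.5.0 0.0.0.255 any eq 53
access-list 101 permit tcp 192.168.5.0 0.0.0.255 any eq 80
access-list 101 permit tcp 192.168.5.0 0.0.0.255 any eq 443
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(tok), _ip(tokens.pop(0))

def parse_acl(text):
    """Parse numbered extended ACL lines into (action, proto, src, dst, dport)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, dst = _parse_addr(rest), _parse_addr(rest)  # source is consumed first
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append((action, proto, src, dst, dport))
    return entries

def _match(addr, spec):
    base, wild = spec
    keep = ~wild & 0xFFFFFFFF  # wildcard 1-bits are "don't care" bits
    return (addr & keep) == (base & keep)

def evaluate(entries, proto, src, dst, dport=None):
    """First match wins; falling off the end is IOS's implicit deny ip any any."""
    s, d = _ip(src), _ip(dst)
    for action, p, sspec, dspec, port in entries:
        if p not in ("ip", proto) or not (_match(s, sspec) and _match(d, dspec)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"
```

Evaluating a DNS query from 192.168.5.x to a server inside 192.168.2.0/24 returns "deny", which is the note 4 situation: if the conference room must use an internal DNS server, a permit for that host has to sit above the internal-subnet denies.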

sachinraja Wed, 01/27/2010 - 10:20

Jon's explanation says it all... I think the configs given are what you would need..

But just to know... how many vlans do you have on your network, apart from the guest or visitor vlans? Sometimes with large networks, apart from VACLs, we can think of other high-end technologies like Private VLANs (isolated) or vrf-lite kind of designs for guest access... you obviously don't need these if your network is small and manageable... just came up in my mind and thought of sharing..


Regards

Raj

mrashby Wed, 01/27/2010 - 11:22
Raj,

Thanks for your input! Jon has gotten me a good step of the way. I will have to configure this on about 9 switches so I think this is a relatively small and manageable setup.
