01-27-2010 08:43 AM - edited 03-06-2019 09:28 AM
All,
I have a 6509 access switch that I want to configure a VACL on. I want people in my conference rooms to only be able to go to the Internet. I figured I would do this with a VACL; if someone knows a better way please let me know. I want to put all of the conference room ports in a separate VLAN and configure a VACL for that VLAN to only allow traffic coming from that VLAN to go to the Internet. Can someone point me in the right direction of how I might accomplish this? Thanks.
01-27-2010 09:02 AM
mrashby wrote:
All,
I have a 6509 access switch that I want to configure a VACL on. I want people in my conference rooms to only be able to go to the Internet. I figured I would do this with a VACL; if someone knows a better way please let me know. I want to put all of the conference room ports in a separate VLAN and configure a VACL for that VLAN to only allow traffic coming from that VLAN to go to the Internet. Can someone point me in the right direction of how I might accomplish this? Thanks.
If they are in a separate VLAN then the easiest thing to do is to use a standard ACL on the L3 VLAN interface. So you need to deny traffic from this VLAN to any other internal VLANs and then allow traffic to everything else, because the Internet addresses could be anything, so:
conference room vlan 5 = 192.168.5.0/24
internal vlans = vlan 10 -> 192.168.1.0/24
vlan 11 -> 192.168.2.0/24
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 101 deny ip any any
int vlan 5
ip access-group 101 in
A couple of things to note:
1) If Internet access is done via a proxy then your ACL is a lot simpler, i.e.
access-list 101 permit ip 192.168.5.0 0.0.0.255 host
access-list 101 deny ip any any
2) I have used ip in the ACLs but you should tie it down to the relevant TCP ports, i.e. 80, 443 and any others.
3) I have put an explicit deny ip any any at the end of the ACL, but there is an implicit one there anyway, so the last line is not actually needed if you don't want it.
4) If you aren't using a proxy server and they go direct to Internet addresses you will need to allow the 192.168.5.x clients to resolve DNS names, which may mean them being able to query the same DNS servers as the rest of your internal clients. Depends how you have set up DNS.
Jon
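The ACL above is evaluated top-down, first match wins, so the order of the deny and permit lines decides what the guest VLAN can reach. The following Python script is an added example, not part of Jon's post or the original thread: it models that first-match evaluation (including the implicit deny at the end) and runs a few constructed packets through the ACL as posted and through a tightened version that applies notes 2 and 4. The DNS server address 192.168.1.10 and the Internet host 93.184.216.34 are assumptions made for illustration; the VLAN ranges are the ones from the answer.

```python
"""Offline simulator for the first-match semantics of an IOS extended ACL
applied inbound on the guest VLAN SVI (added example, not from the thread).

Constructed addresses: 192.168.5.0/24 guest, 192.168.1.0/24 and
192.168.2.0/24 internal (from the answer), plus an assumed DNS server at
192.168.1.10 and an assumed Internet host at 93.184.216.34."""

from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol, else "tcp"/"udp"
    src: IPv4Network            # wildcard mask already converted to a prefix
    dst: IPv4Network
    dport: Optional[int] = None  # None = any destination port


class Packet(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: int


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """Convert IOS 'address wildcard' notation (192.168.5.0 0.0.0.255) to a
    network. Only contiguous wildcards are handled, which is all the thread uses."""
    wc = int(ip_address(wildcard))
    host_bits = wc.bit_length()
    if wc != (1 << host_bits) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ip_network(f"{addr}/{32 - host_bits}", strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in rule.src or ip_address(pkt.dst) not in rule.dst:
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching entry wins; no match falls through to the implicit
    'deny ip any any' that IOS appends to every access list."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


ANY = ip_network("0.0.0.0/0")
GUEST = wildcard_to_network("192.168.5.0", "0.0.0.255")
VLAN10 = wildcard_to_network("192.168.1.0", "0.0.0.255")
VLAN11 = wildcard_to_network("192.168.2.0", "0.0.0.255")
DNS_SERVER = ip_network("192.168.1.10/32")   # assumed: resolver lives in VLAN 10

# ACL 101 as posted in the answer ("ip" as the protocol everywhere)
ACL_AS_POSTED = [
    Rule("deny", "ip", GUEST, VLAN10),
    Rule("deny", "ip", GUEST, VLAN11),
    Rule("permit", "ip", GUEST, ANY),
]

# Tightened per note 2 (web ports only) and note 4 (DNS to the internal
# resolver). The DNS permit must sit ABOVE the internal deny lines, otherwise
# the deny for 192.168.1.0/24 matches first and name resolution breaks.
ACL_TIGHTENED = [
    Rule("permit", "udp", GUEST, DNS_SERVER, 53),
    Rule("deny", "ip", GUEST, VLAN10),
    Rule("deny", "ip", GUEST, VLAN11),
    Rule("permit", "tcp", GUEST, ANY, 80),
    Rule("permit", "tcp", GUEST, ANY, 443),
]

# Constructed test packets from a guest client
WEB = Packet("tcp", "192.168.5.20", "93.184.216.34", 443)
INTERNAL = Packet("tcp", "192.168.5.20", "192.168.2.15", 445)
DNS = Packet("udp", "192.168.5.20", "192.168.1.10", 53)
SSH_OUT = Packet("tcp", "192.168.5.20", "93.184.216.34", 22)


def main() -> None:
    for name, acl in (("as posted", ACL_AS_POSTED), ("tightened", ACL_TIGHTENED)):
        print(name)
        for label, pkt in (("web", WEB), ("internal", INTERNAL), ("dns", DNS), ("ssh", SSH_OUT)):
            print(f"  {label:9s} {pkt.src} -> {pkt.dst}:{pkt.dport}  {evaluate(acl, pkt)}")


if __name__ == "__main__":
    main()
```

Running it shows the two points the notes make: with the ACL as posted, a guest DNS query to a resolver inside VLAN 10 is dropped by the first deny line before the permit any is reached, and any outbound port (SSH here) is allowed; the tightened list permits only the resolver and web ports and drops everything else through the implicit deny.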
01-27-2010 10:20 AM
Jon's explanation says it all... I think the configs given are what you would need.
But just to know, how many VLANs do you have on your network, apart from the guest or visitor VLANs? Sometimes with large networks, apart from VACLs, we can think of other high-end technologies like Private VLANs (isolated) or vrf-lite kind of designs for guest access... you obviously don't need these if your network is small and manageable... it just came up in my mind and I thought of sharing.
Regards
Raj
01-27-2010 11:22 AM
Raj,
Thanks for your input! Jon has gotten me a good step of the way. I will have to configure this on about 9 switches so I think this is a relatively small and manageable setup.