Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
631
Views
4
Helpful
7
Replies

WAN VLAN ACL

Chris McDaniel
Level 1
Level 1

‎12-04-2013 11:00 AM - edited ‎03-07-2019 04:55 PM

My apologies in advance if this has already been answered.

I have to limit a particular site from reaching other sites via our WAN cloud.  I believe the easiest is to "white list" the nets that are allowed and allow the implicit deny all take care of the rest.  So my question is this:

stack of 3750G (3) with a WAN VLAN configured

RTR----------OPTIMIZER----------3750G

If I apply the following ACL to the VLAN interface (VLAN 10) I should only allow access to the listed networks from the other networks behind the 3750, correct?

ip access-list extended COMP1_TO_COMP2

permit ip host 192.168.67.22 host 192.168.67.10  - WAN Router and BGP Peer

permit ip any host 192.168.67.20 --- Optimizer

permit ip any 10.1.0.0 0.0.255.255 --- net_1

permit ip any 10.10.0.0 0.0.255.255  --- net_2

permit ip any 10.40.0.0 0.0.255.255 --- net_3

ip access-list extended COMP2_TO_COMP1

permit ip host 192.168.67.10 host 192.168.67.22   - WAN Router and BGP Peer

permit ip host 192.168.67.20 --- Optimizer

permit ip 10.1.0.0 0.0.255.255 any -- Net_1

permit ip 10.10.0.0 0.0.255.255 any -- Net_2

permit ip 10.40.0.0 0.0.255.255 any -- Net_3

Interface VLAN10

ip address 192.168.67.22 255.255.255.0

ip access-list COMP1_TO_COMP2 OUT

ip access-list COMP2_TO_COMP1 IN

is this correct or am I completley wacked out???

Labels:
0 Helpful
7 Replies 7

Jon Marshall
Hall of Fame
Hall of Fame

‎12-04-2013 11:29 AM

Chris

Not entirely sure what you are trying to do but you seem to have your acls the wrong way round. Vlan 10 uses the subnet 192.168.67.0/24  so -

1) the first line in each acl is redundant because the two IPs are in the same vlan so they won't go the vlan 10 interface

2) the acls are applied the wrong way. Inbound means traffic coming from clients on the vlan ie. 192.168.67.x clients and outbound is traffic going to the 192.168.67.x clients.

Jon

0 Helpful

Chris McDaniel
Level 1
Level 1
In response to Jon Marshall

‎12-04-2013 11:36 AM

Hi Jon - Thanks for the quick reply...

What I am trying to accomplish is to restrict all users at this to only be able to access certain subnets at other sites.  And restrict certain sites from accessing this site.  Its a legal thing...  So the rest of this config would look like:

Vlan 10

ip addr 192.168.67.22

vlan 2

ip addr 10.70.0.1/23

vlan 30

ip addr 10.70.30.1/23

There are no users in the VLAN10 on the WAN router, Optimizer, and the Core.  So based on your response I should apply the COMP2_TO_COMP1 ACL on the user subnets as an INBOUND and COMP1_to_COMP2 as an OUTBOUND on VLAN 10...

yes?

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to Chris McDaniel

‎12-04-2013 11:48 AM

Chris

COMP2_to_COMP1 as an OUTBOUND on VLAN 10...

Do you want 10.1.0.0/16, 10.10.0.0/16 and 10.40.0.0/16 to access the devices in vlan 10 ? If so yes.

Could you perhaps be a bit more specific in what you actually want ?

Sorry it's been a long day so it could just be me

Jon

0 Helpful

Chris McDaniel
Level 1
Level 1
In response to Jon Marshall

‎12-04-2013 11:59 AM

Hi Jon - no worries on the long day...

What I need to accomplish is:

10.70.0.0 users and devices should be blocked from accessing certain (100+) other subnets, while being able to access the contractual subnets and resources.  10.1.0.0 10.10.0.0 10.40.0.0 are some of the allowed subnets.  I assumed the ACL lines would be written like this:

ACL 1

permit ip 10.1.0.0 0.0.255.255 any -- this would be inbound from the WAN to the 10.70.0.0 subnets

ACL2

permit ip any 10.1.0.0 0.0.255.255 -- this would be from the site/user to the rest of the world

I'm thinking that ACL 1 should be applied IN on VLAN 10 and ACL 2 be applied IN on the user VLANs.....

Hope this clarifies...and thank you very much for your help!

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to Chris McDaniel

‎12-04-2013 12:10 PM

Chris

Okay i think i understand.

ACL1, if the traffic from the WAN has to go via the vlan 10 interface to get to the user vlans then yes apply it inbound on vlan 10.

ACL2 should indeed be applied inbound to the user vlans.

Jon

Chris McDaniel
Level 1
Level 1
In response to Jon Marshall

‎12-04-2013 12:40 PM

Hi Jon - Thanks again, I'll give it a try!

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to Chris McDaniel

‎12-04-2013 12:16 PM

Hello Chris,

So the source of the traffic sits behind that VLAN right?

I certanly prefer to deny the inbound interface on the WAN interface but if you want to do it at the VLAN level then yes you should be good with that! Just remember to allow all the required traffic as this is not a stateful filtering check.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card