cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
540
Views
0
Helpful
3
Replies

Acl on vlan interface question

dcarr3311
Level 1
Level 1

I'm a bit confused about the directon of ACL's on Vlan intervaces

I'm trying to deny vlan 301  from accesing any ip's on vlan 302 does this make sence?

interface Vlan301

description wireless users

ip address 192.168.177.126 255.255.255.128

no ip redirects

no ip unreachables

no ip proxy-arp

!

interface Vlan302

description Training

ip address 192.168.177.190 255.255.255.192

ip access-group wireless_restirct out

no ip redirects

no ip unreachables

no ip proxy-arp

ip access-list extended wireless_restrict

deny   ip 192.168.177.0 0.0.0.127 any log

permit ip any any

2 Accepted Solutions

Accepted Solutions

Edison Ortiz
Hall of Fame
Hall of Fame

That should work - just tried in the lab. BTW, remove the log keyword - it's not supported on catalyst switches.

ip access-list extended CISCO

deny   ip 10.2.129.0 0.0.0.255 any

permit ip any any

interface Vlan1

ip address 10.2.129.250 255.255.255.0

no ip redirects

interface Vlan100

ip address 192.168.100.2 255.255.255.0

ip access-group CISCO out

Extended IP access list CISCO

    10 deny ip 10.2.129.0 0.0.0.255 any (20 matches)

    20 permit ip any any

ping 10.2.129.5

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.2.129.5, timeout is 2 seconds:

..

Extended IP access list CISCO

    10 deny ip 10.2.129.0 0.0.0.255 any (25 matches)

    20 permit ip any any

View solution in original post

John Blakley
VIP Alumni
VIP Alumni

In edition to Edison's response, the easiest way that I remembered in/out directions was by subnet. If you're on the vlan 301, you subnet is going to be 192.168.177.0/25. If you have a user that's addressed in that range, their source is going to be 192.168.177.0/25 going to . You can deny inbound on that vlan matching that source:

access-list 101 deny ip 192.168.177.0 0.0.0.127 192.168.177.64 0.0.0.63

access-list 101 permit ip any any

inter vlan 301

ip access-group 101 in

The addresses on the subnet that use vlan 301 as a gateway will go IN to the svi...any svi that they come OUT of would be in the out direction.

John

HTH, John *** Please rate all useful posts ***

View solution in original post

3 Replies 3

Edison Ortiz
Hall of Fame
Hall of Fame

That should work - just tried in the lab. BTW, remove the log keyword - it's not supported on catalyst switches.

ip access-list extended CISCO

deny   ip 10.2.129.0 0.0.0.255 any

permit ip any any

interface Vlan1

ip address 10.2.129.250 255.255.255.0

no ip redirects

interface Vlan100

ip address 192.168.100.2 255.255.255.0

ip access-group CISCO out

Extended IP access list CISCO

    10 deny ip 10.2.129.0 0.0.0.255 any (20 matches)

    20 permit ip any any

ping 10.2.129.5

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.2.129.5, timeout is 2 seconds:

..

Extended IP access list CISCO

    10 deny ip 10.2.129.0 0.0.0.255 any (25 matches)

    20 permit ip any any

John Blakley
VIP Alumni
VIP Alumni

In edition to Edison's response, the easiest way that I remembered in/out directions was by subnet. If you're on the vlan 301, you subnet is going to be 192.168.177.0/25. If you have a user that's addressed in that range, their source is going to be 192.168.177.0/25 going to . You can deny inbound on that vlan matching that source:

access-list 101 deny ip 192.168.177.0 0.0.0.127 192.168.177.64 0.0.0.63

access-list 101 permit ip any any

inter vlan 301

ip access-group 101 in

The addresses on the subnet that use vlan 301 as a gateway will go IN to the svi...any svi that they come OUT of would be in the out direction.

John

HTH, John *** Please rate all useful posts ***

thanks guys!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: