OK, so I've got multiple VLANs on a L3 switch and I basically want to use a VLAN access list in order to block communication between each of the VLANs, except one which will provide internet connectivity (there may be a better way to do it?).
Basically this is what I have:
ip access-list extended PermitGateway
##permit ip 10.8.4.0 0.0.0.7 host 10.8.4.1
permit ip 10.8.4.0 0.0.0.7 host (IP of router in different VLAN)
vlan access-map Internet 10
match ip address PermitGateway
I then assign this to the VLAN with the network 10.8.4.0/29.
The line that I have hashed out: I realised that it meant it could send the traffic to any VLAN, as that is saying allow traffic through the default gateway of the VLAN?
In writing this, my thought is that I've got to write a list of subnet destinations to deny (which is quite a lot) rather than just permitting traffic to the one IP, as to get there it must have already left the VLAN via the default gateway?
VACLs are primarily used when you are trying to permit/deny traffic inside of a VLAN (deny host 1 in VLAN 10 to host 2 in VLAN 10). For your purposes, it would seem a standard ACL applied to the Layer 3 interfaces would work just fine to block communications between the VLANs.
You do not need to allow traffic to the default gateway, because the destination IP address in these packets is not the default gateway address; it is that of the end device.
Think about the packet headers; this is what the ACL is making a match on (source address and destination address), not the intermediate devices. Allowing the packet to reach the gateway IP address means the host can directly reach the default gateway; it doesn't mean that it can reach any host that the gateway can route to.
OK, FINALLY got this sorted. I don't know why I was having so many issues; I think I'd left some conflicting ACLs in there from previous attempts or something.
Anyway, my final rule is as follows:
access-list 101 deny ip any 10.8.0.0 0.0.255.255 #I've got a lot of subnets to block
access-list 101 permit ip any any
Then on the interfaces:
ip access-group 101 in
I think I had messed up my knowledge of the in/out when specifying on the interface! Am I right in thinking that "in" means traffic coming in to the interface, not "out"? That would seem to be the case, else my rule would block internet access.
Glad you were able to get your problem solved. Just remember that the first network address or IP of your ACL is the source address/network and the second is the destination; I believe that is what you were mixing up with your first ACL.
In does generally mean IN and out does generally mean OUT. However, SVIs can often confuse the best of us.
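To make the two replies above concrete (an ACL matches only on the source and destination in the packet header, and the final access-list 101 applied "in" on each SVI filters the traffic that VLAN's hosts send into the switch), here is an added worked example that is not part of the thread. It is a small evaluator for IOS-style extended ACL entries with wildcard masks, first-match ordering and the implicit deny at the end, run against constructed traffic from a host in 10.8.4.0/29. The "hashed out" entry from the first attempt permits packets to the gateway address only, so with a VACL (which drops anything no sequence matches) both inter-VLAN and internet traffic would be dropped; the final list denies anything bound for 10.8.0.0/16 and permits the rest. One caveat the example also shows: an inbound ACL on an SVI filters packets addressed to the SVI's own IP too, so with access-list 101 as written, hosts can no longer ping their gateway; add a permit to the gateway address above the deny if that is wanted. Traffic between two hosts in the same VLAN never reaches the SVI ACL at all, since it is switched at Layer 2, which is the case a VACL would cover. Host addresses are assumptions for illustration.

```python
import ipaddress

# Constructed ACLs, not the thread's exact config. The first is the entry the
# original poster hashed out; the second is the final access-list 101 with the
# "access-list 101" prefix dropped so both read as named-ACL entries.
FIRST_ATTEMPT = [
    "permit ip 10.8.4.0 0.0.0.7 host 10.8.4.1",
]
FINAL_ACL = [
    "deny ip any 10.8.0.0 0.0.255.255",
    "permit ip any any",
]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_ace(line: str):
    """Parse 'permit|deny ip <src> <dst>' where each address is 'any',
    'host A.B.C.D' or 'A.B.C.D W.W.W.W'. Returns (action, (net, wc), (net, wc))."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {line}")
    fields = []
    while rest:
        if rest[0] == "any":
            fields.append(("0.0.0.0", "255.255.255.255"))
            rest = rest[1:]
        elif rest[0] == "host":
            fields.append((rest[1], "0.0.0.0"))
            rest = rest[2:]
        else:
            fields.append((rest[0], rest[1]))
            rest = rest[2:]
    if len(fields) != 2:
        raise ValueError(f"malformed entry: {line}")
    return action, fields[0], fields[1]


def evaluate(acl, src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; no match means the implicit deny.
    The same rule applies to a VACL sequence: unmatched packets are dropped."""
    for line in acl:
        action, (sn, sw), (dn, dw) = parse_ace(line)
        if wildcard_match(src_ip, sn, sw) and wildcard_match(dst_ip, dn, dw):
            return action
    return "deny"


# Constructed traffic from a host in the 10.8.4.0/29 VLAN. Applied "in" on that
# VLAN's SVI, the ACL sees exactly these source/destination pairs: the gateway
# is never the destination unless the host talks to the gateway itself.
SAMPLE_FLOWS = {
    "to_other_vlan": ("10.8.4.5", "10.8.5.10"),   # another 10.8.x.x VLAN
    "to_internet":   ("10.8.4.5", "8.8.8.8"),     # leaves via the internet VLAN
    "to_gateway":    ("10.8.4.5", "10.8.4.1"),    # the SVI's own address
}


def compare(flows=SAMPLE_FLOWS):
    """Return {flow: (first_attempt_result, final_acl_result)}."""
    return {
        name: (evaluate(FIRST_ATTEMPT, s, d), evaluate(FINAL_ACL, s, d))
        for name, (s, d) in flows.items()
    }


if __name__ == "__main__":
    for name, (first, final) in compare().items():
        print(f"{name:15} first attempt: {first:6}  access-list 101: {final}")
```

The output shows the two failure modes side by side: the gateway-only permit drops internet traffic as well as inter-VLAN traffic, while access-list 101 permits internet traffic and blocks the other 10.8.x.x subnets but also denies the host's packets to its own gateway address.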