
New Member

Simple ACL question

Hi there,

I want to implement some ACLs on my VLANs.

These ACLs will either block all traffic from VLAN to VLAN or allow all traffic from VLAN to VLAN.

Here is what I came up with and would appreciate if anyone could advise.

Vlan 1 IP 192.168.1.1

Vlan 2 IP 192.168.2.1

Vlan 3 IP 192.168.3.1

ACL Permit all traffic from vlan 1 to Vlan 2 (applied on VLAN 2)

access-list 1 permit 192.168.1.0 0.0.0.255

interface Vlan2
 ip access-group 1 out

ACL Deny all traffic from Vlan 2 to VLAN 3 (applied on VLAN 3)

access-list 2 deny 192.168.2.0 0.0.0.255

interface Vlan3
 ip access-group 2 out

Is it best to place all of the ACLs on the inter-VLAN routing core, or on every single switch?

thanks again!

4 REPLIES
Hall of Fame Super Silver

Re: Simple ACL question

Erick

The access lists as you have configured them - your access list 1 permits 192.168.1.0 but does not permit anything else. So VLAN 3 is denied from communicating with VLAN 2 already and you may not need access list 2. But access list 2 as you have configured it will explicitly deny 192.168.2.0 and then the implicit deny will deny everything else. So if you apply access list 2 as configured it will have the result of denying ALL traffic.

The question of where to place access lists can become complicated. When dealing with standard access lists it is generally best practice to place them as close to the destination as is possible, which would usually mean on every switch rather than just on the core. If you configure extended access lists it may be more practical to place them on the core.

HTH

Rick

New Member

Re: Simple ACL question

Thanks for the response. In actuality the access lists will have a series of denies and permits for each VLAN to VLAN. I wanted to make sure I had the syntax correct and as simple as possible.

ACL 1 would look more like this

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 1 permit 192.168.3.0 0.0.0.255

access-list 1 deny 192.168.4.0 0.0.0.255

then the implied deny, although it would deny the 3rd line if it weren't in there.

In some instances I may have to do the implied permit statement at the end and could eliminate the permit statements in that ACL.

I wanted to make sure the ACLs would block or permit all traffic from a VLAN to a VLAN with the above syntaxes, i.e. every IP address from 192.168.1.1 to 192.168.1.255 would be permitted?

I would then assign the appropriate ACL to its corresponding interface (VLAN).

Should I do an access-group 1 in and out, to make sure all traffic between the VLANs is blocked or permitted? Or just the out?

Thanks
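To check the behaviour Rick describes (first match wins, then the implicit deny) against the ACLs posted above, here is a small evaluator of Cisco standard-ACL semantics. It is an added example, not code from the thread or from Cisco; the ACL lines it evaluates are copied from the posts, the test source addresses are constructed.

```python
import ipaddress
from typing import List, Tuple

# (action, address, wildcard) with address and wildcard as 32-bit ints.
Entry = Tuple[str, int, int]

def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list <n> permit|deny <addr> [<wildcard>]' lines."""
    entries: List[Entry] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0].lower() != "access-list":
            raise ValueError(f"not a standard ACL entry: {line!r}")
        action = parts[2].lower()
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line!r}")
        if parts[3].lower() == "any":
            addr, wild = 0, 0xFFFFFFFF
        else:
            addr = _to_int(parts[3])
            # IOS treats a missing wildcard as 0.0.0.0, i.e. exact host match.
            wild = _to_int(parts[4]) if len(parts) > 4 else 0
        entries.append((action, addr, wild))
    return entries

def evaluate(entries: List[Entry], src: str) -> str:
    """Return 'permit' or 'deny' for a packet with source address src."""
    s = _to_int(src)
    for action, addr, wild in entries:
        # A wildcard bit of 1 means "don't care"; only the 0 bits are compared.
        mask = ~wild & 0xFFFFFFFF
        if s & mask == addr & mask:
            return action  # first matching line decides
    return "deny"  # the implicit 'deny any' at the end of every ACL

def permitted_count(entries: List[Entry], network: str) -> int:
    """How many of the 256 addresses in a /24 the ACL permits."""
    return sum(1 for h in ipaddress.IPv4Network(network)
               if evaluate(entries, str(h)) == "permit")

# ACL 2 as first posted: one deny line, then the implicit deny.
ACL2 = parse_acl(["access-list 2 deny 192.168.2.0 0.0.0.255"])
# ACL 1 as revised in the follow-up post.
ACL1 = parse_acl(["access-list 1 permit 192.168.1.0 0.0.0.255",
                  "access-list 1 permit 192.168.3.0 0.0.0.255",
                  "access-list 1 deny 192.168.4.0 0.0.0.255"])
```

Running `evaluate(ACL2, "192.168.1.5")` returns "deny", which is Rick's point that ACL 2 as written blocks everything, while `permitted_count(ACL1, "192.168.1.0/24")` confirms the 0.0.0.255 wildcard covers the whole /24.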

New Member

Re: Simple ACL question

one more quick question,

If I apply access-list 1 only to VLAN 2 via

ip access-group 1 out

those statements are only true for VLAN 2?

even though there are references to other VLANs.

I'm 99.9% sure that's the case.

Hall of Fame Super Silver

Re: Simple ACL question

Erick

If you apply the access list to VLAN 2 interface then the only traffic that it affects is traffic going through the VLAN 2 interface. It may have statements for addresses of various other VLANs but unless the traffic is passing through the VLAN 2 interface it will not be impacted by the access list.

HTH

Rick
