Simple VACL Config

mrashby
Level 1

All,

I have a 6509 access switch that I want to configure a VACL on. I want people in my conference rooms to only be able to go to the Internet. I figured I would do this with a VACL; if someone knows a better way, please let me know. I want to put all of the conference room ports in a separate VLAN and configure a VACL for that VLAN to only allow traffic coming from that VLAN to go to the Internet. Can someone point me in the right direction of how I might accomplish this? Thanks.

Accepted Solution

Jon Marshall
Hall of Fame

mrashby wrote:

All,

I have a 6509 access switch that I want to configure a VACL on. I want people in my conference rooms to only be able to go to the Internet. I figured I would do this with a VACL; if someone knows a better way, please let me know. I want to put all of the conference room ports in a separate VLAN and configure a VACL for that VLAN to only allow traffic coming from that VLAN to go to the Internet. Can someone point me in the right direction of how I might accomplish this? Thanks.

If they are in a separate vlan then the easiest thing to do is to use a standard ACL on the L3 vlan interface. So you need to deny traffic from this vlan to any other internal vlans, then allow traffic to everything else because the Internet addresses could be anything, so:

conference room vlan 5 = 192.168.5.0/24

internal vlans = vlan 10 -> 192.168.1.0/24
                 vlan 11 -> 192.168.2.0/24

! deny the internal vlans first, then permit everything else (the Internet)
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 101 deny ip any any

! apply inbound on the conference room SVI, i.e. to traffic sourced from vlan 5
int vlan 5
 ip access-group 101 in

A couple of things to note:

1) If Internet access is done via a proxy then your ACL is a lot simpler, i.e.

   ! <proxy-server-ip> is a placeholder; substitute the proxy's address
   access-list 101 permit ip 192.168.5.0 0.0.0.255 host <proxy-server-ip>
   access-list 101 deny ip any any

2) I have used ip in the ACLs but you should tie it down to the relevant TCP ports, i.e. 80, 443 and any others.

3) I have put an explicit deny ip any any at the end of the ACL but there is an implicit one there anyway, so the last line is not actually needed if you don't want it.

4) If you aren't using a proxy server and they go direct to Internet addresses you will need to allow the 192.168.5.x clients to resolve DNS names, which may mean them being able to query the same DNS servers as the rest of your internal clients. Depends how you have set up DNS.

Jon
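To check how the ACL above behaves before pushing it to nine switches, here is an added example (not Jon's code or anything from the original thread): a small Python evaluator that parses numbered extended ACL lines with IOS wildcard masks and applies first-match semantics with the implicit deny. The ACL it loads is a constructed variant of Jon's, with his note 2 (permit only tcp/80 and tcp/443) and note 4 (a DNS permit placed before the internal-vlan denies) applied; the DNS server 192.168.1.10, client 192.168.5.20 and Internet host 203.0.113.10 are placeholder addresses, not values from the thread.

```python
import ipaddress

# Constructed input (not Jon's exact lines): his ACL with the permit tightened to tcp/80 and
# tcp/443 (note 2) and, for note 4, DNS to an assumed internal DNS server 192.168.1.10
# (placeholder) permitted *before* the internal-vlan denies, otherwise it would be blocked.
ACL_101 = """
access-list 101 permit udp 192.168.5.0 0.0.0.255 host 192.168.1.10 eq 53
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit tcp 192.168.5.0 0.0.0.255 any eq 80
access-list 101 permit tcp 192.168.5.0 0.0.0.255 any eq 443
access-list 101 deny ip any any
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(t):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' -> ((addr, wildcard), rest)."""
    if t[0] == "any":
        return (0, 0xFFFFFFFF), t[1:]
    if t[0] == "host":
        return (_ip(t[1]), 0), t[2:]
    return (_ip(t[0]), _ip(t[1])), t[2:]

def parse_acl(text):
    """Parse numbered extended ACL lines into (action, proto, src, dst, dport) tuples."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()                      # access-list N action proto src dst [eq PORT]
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None   # only 'eq PORT' is handled
        rules.append((t[2], t[3], src, dst, dport))
    return rules

def evaluate(rules, proto, src, dst, dport):
    """IOS-style first match; set wildcard bits are 'don't care'; implicit deny at the end."""
    s, d = _ip(src), _ip(dst)
    hit = lambda spec, ip: (spec[0] & ~spec[1]) == (ip & ~spec[1])
    for action, rproto, rsrc, rdst, rdport in rules:
        if rproto in ("ip", proto) and hit(rsrc, s) and hit(rdst, d) and rdport in (None, dport):
            return action
    return "deny"

def check_samples(rules):
    # Constructed flows from a conference-room client 192.168.5.20 -> {label: action}
    flows = {"https to internet": ("tcp", "192.168.5.20", "203.0.113.10", 443),
             "dns to internal server": ("udp", "192.168.5.20", "192.168.1.10", 53),
             "smb to same server": ("tcp", "192.168.5.20", "192.168.1.10", 445),
             "ssh to vlan 11 host": ("tcp", "192.168.5.20", "192.168.2.7", 22),
             "ssh to internet": ("tcp", "192.168.5.20", "203.0.113.10", 22)}
    return {name: evaluate(rules, *f) for name, f in flows.items()}
```

Swap the DNS permit below the two deny lines and the "dns to internal server" flow flips to deny, which is exactly the ordering mistake note 4 warns about.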


sachinraja
Level 9

Jon's explanation says it all... I think the configs given are what you would need.

But just to know, how many vlans do you have on your network, apart from the guest or visitor vlans? Sometimes with large networks, apart from VACLs, we can think of other high-end technologies like Private VLANs (isolated) or vrf-lite kind of designs for guest access... you obviously don't need these if your network is small and manageable... it just came up in my mind and I thought of sharing.

Regards

Raj

Raj,

Thanks for your input! Jon has gotten me a good step of the way. I will have to configure this on about 9 switches so I think this is a relatively small and manageable setup.
