Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1597
Views
0
Helpful
16
Replies

VLAN ACL's

edw
Level 1
Level 1

‎08-19-2009 04:12 AM - last edited on ‎03-25-2019 04:07 PM by Community Manager

Hi,

I have a intreasting question. I have a Catalyst 6006 with MSFC card. I run, say 4 VLANS.

I want to, say, block VLAN 3 from the rest but allow say a VLAN 3 machine to access HTTPS and DNS. What is the best way and most secure way of doing it ? I seem to have to make two groups in and out on my router before traffic will flow ?

ip access-list standard Events

permit 10.1.3.0 0.0.0.255

deny 10.0.0.0 0.255.255.255

permit any

interface vlan 3

ip access-group Events in

ip access-group Events out

Seems a odd way to get a ACL to work ? Having to get in and out duplication??

Another one is say to lock it down better

ip access-list standard Events-IN

permit udp host 10.1.3.6 gt 1024 any eq domain

permit tcp host 10.1.3.6 any eq 443

deny ip 10.1.3.0 0.0.0.255 any

permit ip any any

ip access-list standard Events-OUT

permit udp any eq domain host 10.1.3.6 gt 1024

permit tcp any eq 443 host 10.1.3.6

deny ip any 10.1.3.0 0.0.0.255

permit ip any any

interface vlan 3

ip access-group Events-IN in

ip access-group Events-OUT out

Why do I have to do it like this - isn't this pointless ?? If I only do Events-IN no traffic seems to go through ?

Am I misunderstanding things ?

Thanks for any help

Ed

Labels:
0 Helpful
16 Replies 16

johnspaulding
Level 1
Level 1
In response to mattwilsonuk

‎09-07-2009 06:38 AM

Well than your best (most secure way) is to use a VACL with vlan maps and permit traffic both ways like matt is saying. If you look at my first post you can see how to do this. Dont worry, Reading to much gets the best of all of us :). Never be afraid to ask questions.

0 Helpful

edw
Level 1
Level 1
In response to johnspaulding

‎12-08-2009 05:59 AM

Hi,

Thanks for the reply - have tried this and it works.

I still don't fully understand why Cisco made such a intense command. I mean 98% of traffic is going to need two entries - one one way and the duplicat in verse the other. Therefore it would have made sense to say add a Return parameter and the command just add it in as part of the same line ??

Thanks


Ed

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card