
Cisco 3750 VLan ACL Not Working.

Jan 16, 2003
I have three VLANs on the switches in our network:
VLAN 1 (10.0.0.0/24)
VLAN 10 (192.168.1.0/24)
VLAN 20 (192.168.2.0/24)

The 3750 has ip routing enabled, and VLAN interfaces with IP addresses to route traffic. All traffic is allowed between all VLANs. I want to restrict VLAN1 from all but a few management PCs (mainly due to being able to telnet / ssh / http into the switches) to protect them from tampering. I attempted to create a simple ACL and throw it on VLAN1's interface inbound to prevent the traffic. This denies ALL traffic whatsoever.

Here's the confusing part. If I put the same ACL on the OUTBOUND side of the VLAN1 interface, it works. It restricts traffic to all but my specified computers. My only problem here is bandwidth loss. It allows a half communication all the way to the device, and almost all the way back before filtering it. Anybody have any ideas?

Here is the sample config.

SHO IP ROUTE
Gateway of last resort is 192.168.1.1 to network 0.0.0.0

10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Vlan1
C 192.168.1.0/24 is directly connected, Vlan10
C 192.168.2.0/24 is directly connected, Vlan20
S* 0.0.0.0/0 [1/0] via 192.168.1.1

CONFIG

!
interface Vlan1
ip address 10.0.0.2 255.255.255.0
ip access-group 101 in
ip access-group 1 out
end

interface Vlan10
ip address 192.168.1.2 255.255.255.0
end

!
interface Vlan20
ip address 192.168.2.2 255.255.255.0
ip helper-address 192.168.1.68
ip helper-address 192.168.1.67
end

access-list 1 permit 192.168.1.67
access-list 1 permit 192.168.1.89
access-list 1 permit 192.168.1.41
access-list 1 permit 192.168.1.45
access-list 1 permit 192.168.1.58
access-list 1 permit 192.168.1.30


 
Not sure what you have there. You have ACL 101 as inbound, but don't see ACL 101 attached, so can't really speculate. Need to see ACL 101. If you put ACL 1 on the inbound it would block anything, because you are permitting addresses that aren't even on that VLAN and an ACL always has an implicit deny all at the end of the list. So devices on VLAN 1 would be blocked. If you are trying to block the address from reaching something on VLAN 1 then you must use an out (towards the VLAN 1 devices) ACL. Inbound would be if you wanted to block VLAN 1 devices from reaching something on the other VLANs.
 
If you want to deny ssh, telnet and http traffic to the management interface of the switches, use the following ACL and configuration:

! ACL 1: hosts allowed ssh/telnet/http to the switch
access-list 1 permit x.x.x.x x.x.x.x
access-list 1 permit x.x.x.x x.x.x.x
access-list 1 permit x.x.x.x x.x.x.x
access-list 1 permit x.x.x.x x.x.x.x

! ACL 2: hosts allowed snmp
access-list 2 permit x.x.x.x x.x.x.x

You can merge these two ACLs if you want.

line vty 0 15
access-class 1 in

Or even better, if you want to allow ssh only:

line vty 0 15
transport input ssh
access-class 1 in

Other alternative:

ip http access-class 1

And for snmp:

snmp-server community public RO 2

All these will help limit the access to your switch management interface without having to apply ACLs to the VLAN interfaces. Remember: apply the restrictive ACL as close to the source as possible. In this case the line is closer than the VLAN interface. Much simpler and easier to replicate across multiple devices....

Good luck


Lui3
CCNP,CCDA,A+/Net+
Cisco Wireless Specialization
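Added illustration (not code from the thread or from Cisco): a small Python model of how a numbered ACL is consulted on an SVI, using the poster's access-list 1 and the direction rules the first reply describes. It assumes first-match evaluation with an implicit deny, that "in" sees packets sourced by hosts on the VLAN and "out" sees packets the switch forwards toward hosts on the VLAN; ACL 101 and the host addresses 10.0.0.10, 192.168.1.200 and 192.168.2.5 are constructed for the example, since the thread never shows the real ACL 101.

```python
from ipaddress import ip_address, ip_network

# Constructed model of IOS ACL evaluation on a VLAN SVI. Entries are
# (action, src, dst); "any" matches everything; first match wins and an
# unmatched packet falls through to the implicit deny at the end of the list.

VLAN1 = ip_network("10.0.0.0/24")
VLAN10 = ip_network("192.168.1.0/24")

# The poster's access-list 1 (standard ACL: matches the SOURCE address only).
ACL_1 = [("permit", f"192.168.1.{h}/32", "any") for h in (67, 89, 41, 45, 58, 30)]

# Constructed extended ACL for the "closer to the source" alternative: applied
# inbound on Vlan10, it lets only one management host reach 10.0.0.0/24 while
# leaving all other Vlan10 traffic alone.
ACL_101 = [
    ("permit", "192.168.1.67/32", "10.0.0.0/24"),
    ("deny", "any", "10.0.0.0/24"),
    ("permit", "any", "any"),
]

def _match(net, addr):
    return net == "any" or ip_address(addr) in ip_network(net)

def acl_decision(acl, src, dst):
    """First matching entry wins; no match means the implicit 'deny'."""
    for action, s, d in acl:
        if _match(s, src) and _match(d, dst):
            return action
    return "deny"

def svi_filter(vlan, direction, acl, src, dst):
    """Verdict for a forwarded packet relative to one SVI, or None when the ACL
    in that direction is never consulted for this packet.
    'in'  = packet arriving FROM hosts on the VLAN (source lives there).
    'out' = packet forwarded TOWARD hosts on the VLAN (destination lives there)."""
    if direction == "in" and ip_address(src) in vlan:
        return acl_decision(acl, src, dst)
    if direction == "out" and ip_address(dst) in vlan:
        return acl_decision(acl, src, dst)
    return None

if __name__ == "__main__":
    # ACL 1 inbound on Vlan1: every Vlan1 host's own traffic is checked against
    # a list of 192.168.1.x sources, so nothing matches and all of it is denied.
    print(svi_filter(VLAN1, "in", ACL_1, "10.0.0.5", "192.168.1.89"))      # deny
    # ACL 1 outbound on Vlan1: only the listed management PCs get through.
    print(svi_filter(VLAN1, "out", ACL_1, "192.168.1.67", "10.0.0.10"))    # permit
    print(svi_filter(VLAN1, "out", ACL_1, "192.168.1.200", "10.0.0.10"))   # deny
    # ACL 101 inbound on Vlan10 drops the same traffic one hop earlier.
    print(svi_filter(VLAN10, "in", ACL_101, "192.168.1.200", "10.0.0.10"))  # deny
    print(svi_filter(VLAN10, "in", ACL_101, "192.168.1.200", "192.168.2.5")) # permit
```

The model covers forwarded traffic only; packets addressed to the switch's own SVI never leave an interface, which is why the vty access-class in the second reply is the right control for the switch's own management plane.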
 