Please Help. VLAN ACL not working, where do I apply it??


rocketlauncher

Nov 11, 2000
Hi All,

Hope someone can help me out on this one.

I have the following:

- 3 distribution switches (3550s)
- 4 access switches (2950s)
- 6 VLANs (13, 14, 15, 16, 17, 18), which span all switches.

Intervlan routing is working flawlessly, but I need to lock down access to VLAN 13. Basically, VLAN 15 should be the only one allowed to access a server that’s located in VLAN 13; all other intervlan communication should stay the same.

But I have no idea where to apply the ACL. Do I have to apply it in all my Distribution Switches under VLAN 13 interface 13? Or only in one switch? Also, does it have to be inbound or outbound?

I tried the following ACL, but it didn’t work. I could still ping, RDP, etc. from VLAN 15.

access-list 110 permit ip 172.16.15.0 0.0.0.255 host 172.16.13.16
access-list 110 deny ip 172.16.15.0 0.0.0.255 172.16.13.0 0.0.0.255
access-list 110 permit ip any any

int vlan 13
ip access-group 110 out

Also, what type of ACL should I apply: VACL, RACL or PACL?

Any help is greatly appreciated.

Thanks,
Rocket
 
Your access list is permitting all traffic. All traffic will match your permit statements. The second statement is not doing anything because any traffic from the 15 vlan would match the first line, and any traffic from other vlans would match the "permit any any" statement.

access-list 110 permit ip 172.16.15.0 0.0.0.255 host 172.16.13.16

The above allows all hosts in the 172.16.15.0 network to contact host 172.16.13.16. You have to understand that once a match is found in an access-list, subsequent statements are ignored, so any host in the 172.16.15.0 would find a match on the first line and IGNORE subsequent lines:

access-list 110 deny ip 172.16.15.0 0.0.0.255 172.16.13.0 0.0.0.255

Thus rendering the above statement useless. If you want to block traffic from all other vlans, you need to remove your permit ip any any statement, and change the first statement to be whatever host you want in vlan 15 to access vlan 13, e.g.:

access-list 110 permit ip 172.16.15.10 0.0.0.0 host 172.16.13.16

Sounds to me like you want to block all access to 13 except for one host on 15???

Finally, and maybe someone will confirm whether I'm understanding correctly, but I believe you want to apply the access list to INBOUND traffic to the 113 vlan, i.e.:

ip access-group 110 in
 
Sorry, I actually misspoke (typed) something. Your access-list is permitting ALMOST all traffic. The only thing it is blocking is vlan 15 to vlan 13 EXCEPT to host 172.16.13.16. My understanding is that you want to block all traffic to vlan 13, except for access to a single host from vlan 15 (sorry, I hope that clarifies things). My understanding of what you want to accomplish would be translated into this single-line access-list:

access-list 110 permit ip 172.16.15.0 0.0.0.255 host 172.16.13.16

All other traffic would be denied by the "implicit" deny. There's no need to deny other traffic if this is the only thing you want to allow.


 
Hi chipk,

Thanks for your quick response. I get it, I need to add statements to deny the other VLANS. Thanks.

And, yes that is correct, I want to deny all traffic from other VLANS into VLAN 13, VLAN 15 should only be able to access the 172.16.13.16 host in VLAN 13.

One thing I forgot to mention is that VLAN 13 needs to still be accessible from a PTP remote site, which is in a 10.1.1.0/24 subnet and is working fine (no VLAN defined there), and I have some services that need to be accessed from the Internet into VLAN 13. That's why I had the permit ip any any statement at the end of the access-list.

access-list 110 permit ip 172.16.15.0 0.0.0.255 host 172.16.13.16
access-list 110 deny ip 172.16.15.0 0.0.0.255 172.16.13.0 0.0.0.255
access-list 110 permit ip any any

I thought that by defining the first two statements, VLAN 15 would match only for access to that host (statement 1), and if someone from VLAN 15 tried to access a different host in VLAN 13 they would be denied (statement 2), but it doesn't happen; I can still access all other servers in VLAN 13 from VLAN 15.

By the way, I tried assigning the access list to the outside of the vlan 13 interface, but it killed all communication within VLAN 13.

Maybe I'm misunderstanding the behavior of outside/inside on a L3 switch?

Thanks for all your help.

Rocket.
 
I'll have to look this up, but I believe once traffic makes a match in an access list, the processing of that access-list stops. Access-lists are tricky, though, which is why I need to check on that. It's also why I wanted you to get a second opinion on whether to apply the list IN or OUT, and I guess you confirmed what the correct answer was there.
 
To accomplish what he wants to do, all he really needed is to have the first line in his ACL, which allows VLAN 15 to that one address. The ACL has an implicit deny all at the end which will block everything else. He had it correct on VLAN 13 in the out direction; he just did not need the last 2 statements in the ACL. He permits the 15 net and everything else is blocked. If you have multiple routers with interface vlan 13 on them, then yes, you would have to apply it on all layer 3 SVIs on your 3550s, which is where I am assuming your routing is being done. Not knowing how the net is set up, this is speculation though.
 
Hi Guys,

I appreciate all your help.

Yes, all routing takes place on the L3 Switches. I'll go ahead and make the suggested changes and try it again.

I'll let you know how it goes.


Rocket.
 
This can be a bit tricky, with 3 distribution layer switches---do these all have only the necessary links to the 2950's for intervlan routing, or are there also redundant links, like with HSRP configured? HSRP needs UDP port 1985 permitted to function properly...
Specifically...
Q. HSRP stops working when an Access Control List (ACL) is applied. How can I permit HSRP through an ACL?

A. HSRP hello packets are sent to multicast address 224.0.0.2 using UDP port 1985. Whenever an ACL is applied to an HSRP interface, ensure that packets destined to 224.0.0.2 on UDP port 1985 are permitted.

Burt
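As an added illustration (not from anyone in this thread), here is a small Python model of how IOS walks an extended ACL: top to bottom, the first matching entry decides, and anything unmatched falls through to the implicit deny. It evaluates list 110 as posted above, and a tightened list that also permits the 10.1.1.0/24 remote site and the HSRP hellos Burt mentioned; the Internet-facing permits rocketlauncher needs are an assumption left out of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of IOS extended-ACL processing: first match wins,
# later entries are never consulted, and an unmatched packet is denied.

@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol; else "tcp"/"udp"
    src: str                      # "any", "host A.B.C.D", or "A.B.C.D W.X.Y.Z" (wildcard)
    dst: str
    dport: Optional[int] = None   # "eq <port>" on the destination, if present

def _match_addr(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    net, wild = spec.split()
    mask = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF   # wildcard -> netmask
    return (int(ipaddress.IPv4Address(addr)) & mask) == (int(ipaddress.IPv4Address(net)) & mask)

def evaluate(acl, proto, src, dst, dport=None) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); ('deny', None) is the implicit deny."""
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if _match_addr(ace.src, src) and _match_addr(ace.dst, dst):
            return ace.action, i
    return "deny", None

# List 110 exactly as posted in the thread.
ORIGINAL = [
    Ace("permit", "ip", "172.16.15.0 0.0.0.255", "host 172.16.13.16"),
    Ace("deny",   "ip", "172.16.15.0 0.0.0.255", "172.16.13.0 0.0.0.255"),
    Ace("permit", "ip", "any", "any"),
]

# Tightened list: VLAN 15 to the one server, the 10.1.1.0/24 remote site,
# HSRP hellos to 224.0.0.2 UDP 1985, then the implicit deny catches the rest.
# Assumption: the Internet-facing services would need their own permits.
HARDENED = [
    Ace("permit", "ip",  "172.16.15.0 0.0.0.255", "host 172.16.13.16"),
    Ace("permit", "ip",  "10.1.1.0 0.0.0.255",    "172.16.13.0 0.0.0.255"),
    Ace("permit", "udp", "any", "host 224.0.0.2", dport=1985),
]
```

Running it shows the original list does block VLAN 15 from the other VLAN 13 hosts, but the trailing permit ip any any lets every other VLAN straight through.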
 