2 Replies Latest reply on Jul 24, 2013 8:03 AM by jtphoneman

    Using ACLs to block one VLAN from all others

    jtphoneman New Member


      I have a 1335. I have VLANs 1, 3, 4 and 24 programmed in. I need to block access from VLAN 3 to all other subnets but still allow it out to the internet. I do not want these ACLs to disrupt other inter-VLAN traffic; the networks for VLAN 1 and 4 need to have no interruption. Here is the config I have programmed; does it look correct?

      !
      interface vlan 1
        description Customer_Lan
        ip address  192.168.2.1  255.255.255.0
        ip dhcp relay destination 192.168.2.5
        ip access-policy Private
        ip route-cache express
        no shutdown
      !
      interface vlan 3
        description Guest-Wireless
        ip address  192.168.3.1  255.255.255.0
        ip access-policy Private
        ip route-cache express
        no shutdown
      !
      interface vlan 4
        description Voice
        ip address  192.168.4.1  255.255.255.0
        ip route-cache express
        no shutdown
      !
      interface vlan 24
        description INET
        ip address  XX.XX.XX.XX  255.255.255.248
        ip access-policy Public
        ip route-cache express
        no shutdown
      !
      ip access-list standard PUBLIC
        permit any
      !
      ip access-list extended Block_Vlan_3
        deny   ip 192.168.3.0 0.0.0.255  192.168.1.0 0.0.0.255
        deny   ip 192.168.3.0 0.0.0.255  192.168.2.0 0.0.0.255
        deny   ip 192.168.3.0 0.0.0.255  192.168.4.0 0.0.0.255
        permit ip any  any
      !
      ip access-list extended self
        remark Traffic to NetVanta
        permit ip any  any     log
      !
      ip policy-class Private
        allow list Block_3
        nat source list wizard-ics interface vlan 24 overload
        allow list self self
      !
      ip policy-class Public
        allow list PUBLIC
      !

      Thanks!

        • Re: Using ACLs to block one VLAN from all others
          jayh Hall_of_Fame


          You're making it a bit more difficult than it needs to be.

          ip access-list extended restrict-3-list
            deny ip any 192.168.1.0 0.0.0.255
            deny ip any 192.168.2.0 0.0.0.255
            deny ip any 192.168.4.0 0.0.0.255
            permit ip any any

          Alternatively, if you'll be adding other 192.168.x.x subnets in the future...

            deny ip any 192.168.0.0 0.0.255.255
            permit ip any any

          ip policy-class vlan-3-policy
            allow list restrict-3-list
            nat source list wizard-ics interface vlan 24 overload
          !
          interface vlan 3
            description Guest-Wireless
            ip address  192.168.3.1  255.255.255.0
            ip access-policy vlan-3-policy
            ip route-cache express
            no shutdown
          !


          I'd leave off the "allow list self self" unless you want to grant access to the Adtran device to your guest wireless users.

           

          You can probably get away with just putting VLAN 3 in a separate policy-class from "Private" with no ACL at all, as traffic between classes is denied by default, but adding the ACL gives additional security.

            • Re: Using ACLs to block one VLAN from all others
              jtphoneman New Member

              When you use the 'deny' statement in an ACL, you are essentially telling the ACL to ignore that traffic, or "don't match it". This will not prevent ACLs listed below it from matching it and taking an action on it. This is what is happening here.

              I would suggest the following:

              ip access-list extended restrict-3-list
                permit ip any 192.168.2.0 0.0.0.255
                permit ip any 192.168.4.0 0.0.0.255
              !
              ip policy-class vlan-3-policy
                discard list restrict-3-list
                nat source list wizard-ics interface vlan 24 overload
              !
              interface vlan 3
                description Guest-Wireless
                ip address  192.168.3.1  255.255.255.0
                ip access-policy vlan-3-policy
                ip route-cache express
                no shutdown
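To see why jayh's deny-based list lets guest traffic fall through to the NAT entry while the permit-plus-discard list from the last reply does not, here is a small Python model of the policy-class walk as that reply describes it. It is added for this thread and is not Adtran code; it assumes the wizard-ics list is "permit ip any any", which the thread never shows.

```python
import ipaddress

# Toy model (added for this thread, not Adtran firmware) of a NetVanta
# policy-class walk as the last reply describes it: each policy entry
# consults its ACL; a "permit" ACL entry is a match and the entry's action
# fires; a "deny" ACL entry means "no match", so the packet falls through to
# the next policy entry. Traffic matched by no entry at all is discarded.
# ASSUMPTION: the wizard-ics list is "permit ip any any" (not shown in the thread).

ANY = ipaddress.ip_network("0.0.0.0/0")
N = ipaddress.ip_network

ACLS = {
    # jayh's list: the deny lines mean "don't match here", not "drop"
    "restrict-3-list": [("deny", ANY, N("192.168.1.0/24")),
                        ("deny", ANY, N("192.168.2.0/24")),
                        ("deny", ANY, N("192.168.4.0/24")),
                        ("permit", ANY, ANY)],
    # the last reply's list: permit exactly the traffic that should be discarded
    "restrict-3-discard": [("permit", ANY, N("192.168.2.0/24")),
                           ("permit", ANY, N("192.168.4.0/24"))],
    "wizard-ics": [("permit", ANY, ANY)],  # assumed contents
}

# "allow list restrict-3-list" followed by "nat source list wizard-ics ..."
POLICY_ALLOW = [("allow", "restrict-3-list"), ("nat", "wizard-ics")]
# "discard list restrict-3-list" followed by "nat source list wizard-ics ..."
POLICY_DISCARD = [("discard", "restrict-3-discard"), ("nat", "wizard-ics")]

def acl_matches(acl, src, dst):
    """True only if the first ACL entry covering (src, dst) is a permit."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False  # implicit deny at the end of the list: no match

def evaluate(policy, src, dst, acls=ACLS):
    """Walk the policy entries top-down and return "allow" or "discard"."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, acl_name in policy:
        if acl_matches(acls[acl_name], src, dst):
            return "discard" if action == "discard" else "allow"
    return "discard"  # nothing matched: traffic between classes is denied by default

if __name__ == "__main__":
    for name, policy in (("allow+deny", POLICY_ALLOW), ("discard+permit", POLICY_DISCARD)):
        for dst in ("192.168.2.5", "8.8.8.8"):
            print(name, "192.168.3.10 ->", dst, evaluate(policy, "192.168.3.10", dst))
```

With the allow-plus-deny form a guest host reaching 192.168.2.5 is skipped by the first entry and then allowed by the NAT entry; with discard-plus-permit it is dropped before the NAT entry is ever consulted, while internet-bound traffic still falls through to NAT.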