New Contributor III

Using ACL's to block one Vlan from all others



I have a 1335 with VLANs 1, 3, 4 and 24 programmed in. I need to block access from VLAN 3 to all other subnets but still allow it out to the internet. I do not want these ACLs to disrupt other inter-VLAN traffic; the networks for VLAN 1 and 4 need to have no interruption. Here is the config I have programmed; does it look correct?

!
interface vlan 1
  description Customer_Lan
  ip address  192.168.2.1  255.255.255.0
  ip dhcp relay destination 192.168.2.5
  ip access-policy Private
  ip route-cache express
  no shutdown
!
interface vlan 3
  description Guest-Wireless
  ip address  192.168.3.1  255.255.255.0
  ip access-policy Private
  ip route-cache express
  no shutdown
!
interface vlan 4
  description Voice
  ip address  192.168.4.1  255.255.255.0
  ip route-cache express
  no shutdown
!
interface vlan 24
  description INET
  ip address  XX.XX.XX.XX  255.255.255.248
  ip access-policy Public
  ip route-cache express
  no shutdown
!
!
!
!
!
!
!
ip access-list standard PUBLIC
  permit any
!
!
ip access-list extended Block_Vlan_3
  deny   ip 192.168.3.0 0.0.0.255  192.168.1.0 0.0.0.255
  deny   ip 192.168.3.0 0.0.0.255  192.168.2.0 0.0.0.255
  deny   ip 192.168.3.0 0.0.0.255  192.168.4.0 0.0.0.255
  permit ip any  any
!
ip access-list extended self
  remark Traffic to NetVanta
  permit ip any  any     log
!
ip policy-class Private
  allow list Block_3
  nat source list wizard-ics interface vlan 24 overload
  allow list self self
!
ip policy-class Public
  allow list PUBLIC
!
!

Thanks!


Accepted Solutions
New Contributor III

Re: Using ACL's to block one Vlan from all others


When you use the 'deny' statement in an ACL, you are essentially telling the ACL to ignore that traffic, or "don't match it". This will not prevent ACLs listed below it from matching it and taking an action on it. This is what is happening here.

I would suggest the following:

ip access-list extended restrict-3-list
  permit ip any 192.168.2.0 0.0.0.255
  permit ip any 192.168.4.0 0.0.0.255
!
!
!
ip policy-class vlan-3-policy
  discard list restrict-3-list
  nat source list wizard-ics interface vlan 24 overload
!
!
!
interface vlan 3
  description Guest-Wireless
  ip address  192.168.3.1  255.255.255.0
  ip access-policy vlan-3-policy
  ip route-cache express
  no shutdown


Honored Contributor

Re: Using ACL's to block one Vlan from all others


jtphoneman wrote:

I have a 1335 with VLANs 1, 3, 4 and 24 programmed in. I need to block access from VLAN 3 to all other subnets but still allow it out to the internet. I do not want these ACLs to disrupt other inter-VLAN traffic; the networks for VLAN 1 and 4 need to have no interruption. Here is the config I have programmed; does it look correct?
You're making it a bit more difficult than it needs to be.

ip access-list extended restrict-3-list
  deny ip any 192.168.1.0 0.0.0.255
  deny ip any 192.168.2.0 0.0.0.255
  deny ip any 192.168.4.0 0.0.0.255
  permit ip any any

Alternatively, if you'll be adding other 192.168.x.x subnets in the future...

  deny ip any 192.168.0.0 0.0.255.255
  permit ip any any

ip policy-class vlan-3-policy
  allow list restrict-3-list
  nat source list wizard-ics interface vlan 24 overload
!
interface vlan 3
  description Guest-Wireless
  ip address  192.168.3.1  255.255.255.0
  ip access-policy vlan-3-policy
  ip route-cache express
  no shutdown
!


I'd leave off the "allow list self self" unless you want to grant access to the Adtran device to your guest wireless users.

You can probably get away with just putting VLAN 3 in a separate policy-class from "Private" with no ACL at all, as traffic between classes is denied by default, but adding the ACL gives additional security.

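To see why the accepted answer (permit lines in a discard list) and the reply above (deny lines then permit any any in an allow list) end up with the same result, here is an added Python model of the evaluation order the accepted answer describes; it is constructed for this thread and is not Adtran code. It assumes a routing table built from the thread's subnets with a default route out vlan 24, that the wizard-ics list permits any, and that the interface form of nat source only considers traffic leaving that interface.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
net = ipaddress.ip_network

# Constructed routing table for the thread's 1335: local VLAN subnets, default route out vlan 24.
ROUTES = {net("192.168.2.0/24"): "vlan 1", net("192.168.3.0/24"): "vlan 3",
          net("192.168.4.0/24"): "vlan 4"}

def egress(dst):
    return next((intf for subnet, intf in ROUTES.items() if dst in subnet), "vlan 24")

def acl_matches(acl, src, dst):
    """ACL semantics as the accepted answer describes them: the first line covering the
    packet decides. permit -> the list matches; deny -> the list does NOT match, so the
    policy-class moves on to its next entry. No line hit -> no match either."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action == "permit"
    return False

def evaluate(policy, src, dst):
    """Walk a policy-class top to bottom; the first entry whose list matches gives its action.
    Entries are (action, acl) or (action, acl, interface) for the interface form of nat."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, acl, *intf in policy:
        if intf and egress(dst) != intf[0]:
            continue  # assumption: interface-form nat only considers traffic leaving that interface
        if acl_matches(acl, src, dst):
            return action
    return "discard"  # implicit discard at the end of every policy-class

WIZARD_ICS = [("permit", ANY, ANY)]  # assumed contents of the wizard-ics list

# Accepted answer: permit lines inside a discard list.
DISCARD_POLICY = [
    ("discard", [("permit", ANY, net("192.168.2.0/24")), ("permit", ANY, net("192.168.4.0/24"))]),
    ("nat", WIZARD_ICS, "vlan 24"),
]
# Second reply: deny lines, then "permit ip any any", inside an allow list.
ALLOW_POLICY = [
    ("allow", [("deny", ANY, net("192.168.1.0/24")), ("deny", ANY, net("192.168.2.0/24")),
               ("deny", ANY, net("192.168.4.0/24")), ("permit", ANY, ANY)]),
    ("nat", WIZARD_ICS, "vlan 24"),
]

def reachable(policy, src="192.168.3.10"):
    """Guest host to the customer LAN, the voice VLAN, and the internet (a TEST-NET-3 address)."""
    return tuple(evaluate(policy, src, d) != "discard" for d in ("192.168.2.5", "192.168.4.7", "203.0.113.9"))
```

Both policies return (False, False, True) for the guest host: the two internal subnets are unreachable and only the internet-bound flow gets past the policy-class.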