01-08-2013 02:10 PM
I have created a VLAN that I only want certain subnets or ranges of addresses to access:
ip access-list standard "CAMSEC"
10 permit 10.10.10.0 0.0.0.255
15 permit 10.82.20.0 0.0.0.255
20 permit 10.90.0.0 0.0.255.255
25 permit 10.86.0.0 0.0.255.255
40 deny 0.0.0.0 255.255.255.255
I then applied this to the particular VLAN with the "ip access-group CAMSEC in" command, however traffic from any subnet within my network is still allowed. Do I need an extended access list, and if so how would I create and apply this to the VLAN?
01-09-2013 05:01 AM
Looks like you have the ACL in the wrong direction. In this current application you would be affecting traffic originating from the VLAN you are trying to protect or going "IN" to the VLAN interface from the VLAN itself. If you remove it and apply it to the VLAN in an outbound direction you should most likely see your traffic start hitting the ACL. With that said, it would be best to apply an ACL closer to the source if at all possible.
01-10-2013 04:27 PM - edited 01-10-2013 04:28 PM
The trick with VLAN ACLs is that you need to view them from the perspective of the routing engine of the switch, not from the perspective of the VLAN, so incoming is traffic FROM that VLAN to other VLANs and outgoing is traffic TO that VLAN from other VLANs.
If you apply the ACL that you've specified in the outbound direction as Lorenzo suggested, the effect should be that only addresses permitted in your ACL will be allowed access to that VLAN. Traffic from that VLAN to other VLANs will be unaffected. (However replies from addresses outside the range you indicated would not be permitted due to the ACL, which may appear to the unknowing observer as a problem with traffic from that VLAN.)
Hope that helps.
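To make the direction point concrete, here is a small Python model (added illustration, not code from any poster or from the switch) of how the CAMSEC standard ACL above is evaluated with wildcard masks, and what an "in" versus "out" application on the VLAN's routed interface actually sees. The protected VLAN subnet 10.50.0.0/24 and the host addresses are made-up values for the example.

```python
import ipaddress

# The standard ACL from the first post, as (sequence, action, network, wildcard).
CAMSEC = [
    (10, "permit", "10.10.10.0", "0.0.0.255"),
    (15, "permit", "10.82.20.0", "0.0.0.255"),
    (20, "permit", "10.90.0.0", "0.0.255.255"),
    (25, "permit", "10.86.0.0", "0.0.255.255"),
    (40, "deny", "0.0.0.0", "255.255.255.255"),
]

# Constructed for the example: the subnet of the VLAN the ACL is applied to.
VLAN_NET = ipaddress.ip_network("10.50.0.0/24")


def wildcard_match(addr, network, wildcard):
    """Wildcard mask semantics: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_action(acl, src):
    """First matching entry wins; a standard ACL tests only the source address.
    Anything that matches no entry is implicitly denied (entry 40 makes that explicit)."""
    for _, action, net, wc in acl:
        if wildcard_match(src, net, wc):
            return action
    return "deny"


def svi_filter(acl, direction, src, dst, vlan_net=VLAN_NET):
    """Model the ACL on the VLAN's routed interface, seen from the routing engine:
    'in'  = packets entering the router FROM this VLAN (source inside the VLAN),
    'out' = packets leaving the router TO this VLAN (destination inside the VLAN).
    Returns 'permit', 'deny', or 'not-evaluated' when the packet never meets the ACL."""
    src_in_vlan = ipaddress.IPv4Address(src) in vlan_net
    dst_in_vlan = ipaddress.IPv4Address(dst) in vlan_net
    if direction == "in" and src_in_vlan:
        return acl_action(acl, src)
    if direction == "out" and dst_in_vlan:
        return acl_action(acl, src)
    return "not-evaluated"


if __name__ == "__main__":
    # An unlisted subnet reaching into the VLAN: passes with "in", blocked with "out".
    for d in ("in", "out"):
        print(d, "10.20.5.7 -> 10.50.0.10:", svi_filter(CAMSEC, d, "10.20.5.7", "10.50.0.10"))
```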
04-29-2013 07:29 AM
I have applied an access list to a student vlan 4 which permits essential services but has the implicit deny at the end to deny anything else.
I apply it by going into vlan 4 and using access-group 1-1 ext in
when it's applied traffic from my vlan 50 which is the phones VLAN is blocked?
my understanding was that because my access list was applied to the vlan 4 none of the other vlans would be affected?