Re: 5406zl ACL Not Working When Applied to VLAN (673 Views)
Occasional Advisor
Posts: 10
Registered: ‎10-19-2011
Message 1 of 5 (787 Views)

5406zl ACL Not Working When Applied to VLAN

I have created a VLAN that I only want certain subnets or ranges of address to access:

ip access-list standard "CAMSEC"
   10 permit 10.10.10.0 0.0.0.255
   15 permit 10.82.20.0 0.0.0.255
   20 permit 10.90.0.0 0.0.255.255
   25 permit 10.86.0.0 0.0.255.255
   40 deny 0.0.0.0 255.255.255.255
   exit

I then applied this to the particular VLAN with the "ip access-group CAMSEC in" command; however, traffic from any subnet within my network is still allowed. Do I need an extended access list, and if so how would I create and apply this to the VLAN?

Frequent Advisor
Posts: 52
Registered: ‎01-01-2013
Message 2 of 5 (770 Views)

Re: 5406zl ACL Not Working When Applied to VLAN

Looks like you have the ACL in the wrong direction. In this current application you would be affecting traffic originating from the VLAN you are trying to protect, or going "IN" to the VLAN interface from the VLAN itself. If you remove it and apply it to the VLAN in an outbound direction you should most likely see your traffic start hitting the ACL. With that said, it would be best to apply an ACL closer to the source if at all possible.

Occasional Advisor
Posts: 10
Registered: ‎10-19-2011
Message 3 of 5 (758 Views)

Re: 5406zl ACL Not Working When Applied to VLAN

So by the looks of it the ACL would then not allow traffic out to any subnet other than those I specified?

Esteemed Contributor
Posts: 655
Registered: ‎04-03-2011
Message 4 of 5 (751 Views)

Re: 5406zl ACL Not Working When Applied to VLAN

Hi Ill3st0n3,

The trick with VLAN ACLs is that you need to view them from the perspective of the routing engine of the switch, not from the perspective of the VLAN, so incoming is traffic FROM that VLAN to other VLANs and outgoing is traffic TO that VLAN from other VLANs.

If you apply the ACL that you've specified in the outbound direction as Lorenzo suggested, the effect should be that only addresses permitted in your ACL will be allowed access to that VLAN. Traffic from that VLAN to other VLANs will be unaffected. (However replies from addresses outside the range you indicated would not be permitted due to the ACL, which may appear to the unknowing observer as a problem with traffic from that VLAN.)

Hope that helps.

Regards,
Paul
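Paul's point about reading "in" and "out" from the routing engine's side can be checked with a small model. This is an added example, not code from the thread or from HP; it assumes the protected VLAN is 10.200.0.0/24 (a constructed value) and models the switch as a direction check followed by a first-match wildcard lookup of the CAMSEC list posted above.

```python
import ipaddress

# The CAMSEC standard ACL exactly as posted: (action, address, wildcard mask).
CAMSEC = [
    ("permit", "10.10.10.0", "0.0.0.255"),
    ("permit", "10.82.20.0", "0.0.0.255"),
    ("permit", "10.90.0.0", "0.0.255.255"),
    ("permit", "10.86.0.0", "0.0.255.255"),
    ("deny", "0.0.0.0", "255.255.255.255"),
]

# Constructed value for the example: the VLAN the ACL is meant to protect.
PROTECTED_VLAN = ipaddress.IPv4Network("10.200.0.0/24")


def wildcard_match(ip, address, wildcard):
    """Wildcard-mask match: a 1 bit in the mask means 'do not care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    ip_i = int(ipaddress.IPv4Address(ip))
    addr_i = int(ipaddress.IPv4Address(address))
    return (ip_i & care) == (addr_i & care)


def acl_lookup(acl, src_ip):
    """A standard ACL tests only the source address; the first matching
    entry wins, and anything unmatched falls to the implicit deny."""
    for action, address, wildcard in acl:
        if wildcard_match(src_ip, address, wildcard):
            return action
    return "deny"


def vlan_acl_decision(acl, direction, src_ip, dst_ip, vlan=PROTECTED_VLAN):
    """Routing-engine view of a VLAN ACL, as described in the thread:
    'in'  examines packets leaving the VLAN towards the router,
    'out' examines packets the router forwards into the VLAN.
    Packets going the other way are never looked at by this ACL."""
    src_in_vlan = ipaddress.IPv4Address(src_ip) in vlan
    dst_in_vlan = ipaddress.IPv4Address(dst_ip) in vlan
    examined = (direction == "in" and src_in_vlan) or (direction == "out" and dst_in_vlan)
    if not examined:
        return "not examined"
    return acl_lookup(acl, src_ip)


if __name__ == "__main__":
    # A host in another VLAN (not in the permit list) reaching into the protected VLAN:
    print("in :", vlan_acl_decision(CAMSEC, "in", "10.50.1.5", "10.200.0.10"))   # not examined
    print("out:", vlan_acl_decision(CAMSEC, "out", "10.50.1.5", "10.200.0.10"))  # deny
    # The protected VLAN talking outward is untouched by the outbound ACL:
    print("out:", vlan_acl_decision(CAMSEC, "out", "10.200.0.10", "10.50.1.5"))  # not examined
```

The "in" case reproduces the original symptom (outside subnets are never examined), while the "out" case also shows Paul's caveat: a reply from 10.50.1.5 back into the VLAN is denied even though the VLAN's own outbound packet was not.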
Contributor
Posts: 14
Registered: ‎04-19-2013
Message 5 of 5 (673 Views)

Re: 5406zl ACL Not Working When Applied to VLAN

I have applied an access list to a student VLAN 4 which permits essential services but has the implicit deny at the end to deny anything else.

I apply it by going into vlan 4 and using access-group 1-1 ext in

When it's applied, traffic from my VLAN 50, which is the phones VLAN, is blocked?

My understanding was that because my access list was applied to VLAN 4, none of the other VLANs would be affected?
