ACL on 4507R VLANs

Hi All,
I wanted to implement a security ACL on a VLAN for a 4507R (IOS 12.24 EWA), i.e. I want to regulate the traffic to and from the VLANs.
However, when I implemented a normal extended ACL I was surprised to find that it was not acting as it should on a routed port or L2 port.
However, when I cross-checked in the config guide, I guess that it's a VLAN map that needs to be used rather than a normal ACL to filter traffic to and from a VLAN on a 4507R.
Am I correct here or am I missing something?
Any help would be appreciated.
Kind Regards,
Wilson Samuel

Hi Bosalaza,
My query is:
1. Is a VLAN map the only answer to filter traffic on 4507s?
2. Won't the traditional ACL implementation work on 4507s?
Regards,
Wilson Samuel

Similar Messages

  • ACL's in VLAN Catalyst 3550

    Hello !!
    We have a Switch Catalyst 3550 - 12G
    IOS : Version 12.2(25)SEA
    I need to implement ACL security in VLANs. But it didn't work.
    VLAN 11 Definition :
    interface Vlan11
    description VLAN - RED WAN
    ip address 192.168.21.1 255.255.255.0
    Interface association (g0/7) with VLAN 11 and extended ACL (ip1)
    interface GigabitEthernet0/7
    switchport access vlan 11
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 11
    switchport mode dynamic desirable
    ip access-group ip1 in
    ACL definition :
    ip access-list extended ip1
    permit ip 192.168.70.0 0.0.0.255 any
    deny ip any any
    This configuration must allow IP communication between 192.168.70.0/24 and 192.168.21.0/24. However, it doesn't work.
    Inter VLAN communication are ok.
    Any suggestions?
    .... Switch conf. attached
    Tks.
    John Nanez E.

    Try putting it on the SVI for vlan 11 (interface vlan 11). I don't think you can put it on an individual interface and have it work. Also, the way you wrote it you'll have to apply it as "out" on the vlan, because you are permitting an address from another network to the vlan 11 address space, thus it would have to block the traffic "out" to the devices on vlan 11.

  • ACL on inter-VLAN router

    I am trying to set up a home network for myself, for practice basically, that has two VLANs. One will be a secure VLAN with servers, domain access, etc. The other will just be an internet access VLAN.
    I have an internet gateway, but only one, that needs to be shared by both VLANs. Currently I have everything set up fine so that I can access the internet from either VLAN. The only problem is I think by opening a link between them to share the internet connection I am also opening a security risk. I need an ACL to allow only internet traffic from the second VLAN to be passed through.
    My problem has been that anything I have tried either allows nothing to pass, or everything to pass. I was trying to do just a permit from any host to any host on http, and deny everything else.
    Thanks for any help.

    I have another question for you:
    you said that you need to access a server on 192.168.1.0/24, from which subnet? Are you connected on the same vlan? Or coming from the internet?
    Somewhere in this network you are doing NAT, right? So to get in, you would need a static NAT or outside NAT.
    So, if you are coming from the internet I think you'd need to set an ACL to permit only the IP you have.
    But I guess you're inside vlan 1 192.168.1.0/24, so basically you need to restrict traffic from 192.168.2.0/24 to reach 192.168.1.0/24.
    You need an ACL on the fa0.2 blocking traffic like this:
    ip access-list extended sec-traffic-out
    deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip any any
    int fa0.2
    ip access-group sec-traffic-out in
    I guess what could be confusing you is that your INTERNET gateway is on 192.168.1.0/24, but outgoing internet traffic will have layer 3 destination addresses on a different subnet, like 200.0.0.0/8, so it won't be blocked by the ACL.
    HTH,
    if it does, please rate this post,
    Vlad
    BTW, I think you don't need:
    ip default-gateway, as it's used when you don't have routing configured (no ip routing).
    Also ip default-network has a specific use; I'm not sure you'd need it here either.

  • Cisco ACL for Wireless VLAN's

    Hi all and Merry Christmas to you.
    So I have been off work for a few days now playing in my lab. I have configured a number of VLANs to separate Data, Voice, Servers, Games Consoles and Guest on my Cisco 1142. I know it may be a bit of overkill but it's just me doing a bit of lab work and learning.
    What I'm after doing now is setting up ACLs to deny the Guest and Games Console VLANs from accessing my LAN, and I'm not sure where to start. I want the consoles only to be able to connect to the PSN and Xbox networks as well as my DHCP server, and the guest network to connect to the web but again not my LAN; this is for users who come round with phones and tablets.
    My lab looks like this:
    Broadband > Cisco RVS4000 (soon to be ASA) > WS-C3560 > 1142 AP.
    My DHCP server is on VLAN 6 with an IP address of 192.168.6.241
    VLANs are:
    interface Vlan5
    description *****DATA VLAN*****
    ip address 192.168.5.253 255.255.255.240
    ip helper-address 192.168.6.241
    interface Vlan6
    description *****Servers*****
    ip address 192.168.6.254 255.255.255.240
    interface Vlan7
    description *****VOICE*****
    ip address 192.168.7.254 255.255.255.240
    ip helper-address 192.168.6.241
    interface Vlan8
    description *****VOICE WIFI*****
    ip address 192.168.8.254 255.255.255.240
    ip helper-address 192.168.6.241
    interface Vlan9
    description *****WIFI CONSOLES*****
    ip address 192.168.9.254 255.255.255.240
    ip helper-address 192.168.6.241
    interface Vlan10
    description *****WiFi Home*****
    ip address 192.168.10.254 255.255.255.240
    ip helper-address 192.168.6.241
    interface Vlan11
    description *****WiFi Guest*****
    ip address 192.168.11.254 255.255.255.240
    ip helper-address 192.168.6.241
    interface Vlan12
    description *****Management*****
    ip address 192.168.12.254 255.255.255.240
    The AP config looks like:
    dot11 ssid Console
       vlan 9
       authentication open
       authentication key-management wpa
       mbssid guest-mode
       wpa-psk ascii 7 094F4107170A051103
    dot11 ssid Home
       vlan 10
       authentication open eap eap_methods
       authentication network-eap eap_methods
       guest-mode
       mbssid guest-mode
    interface Dot11Radio0.9
    encapsulation dot1Q 9
    ip helper-address 192.168.6.241
    no ip route-cache
    bridge-group 9
    bridge-group 9 subscriber-loop-control
    bridge-group 9 block-unknown-source
    no bridge-group 9 source-learning
    no bridge-group 9 unicast-flooding
    bridge-group 9 spanning-disabled
    interface Dot11Radio0.10
    encapsulation dot1Q 10
    ip helper-address 192.168.6.241
    no ip route-cache
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    bridge-group 10 spanning-disabled
    interface Dot11Radio0.12
    encapsulation dot1Q 12 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    At the minute I'm just trying to stop Console getting to the Home network before I move on to the rest.
    I have not got a clue where to start or where to place the ACLs. Would they be on the switch or the AP itself?
    Hope you can help me out.
    Happy new year
    Martyn

    Here is a support document in regards to autonomous ACLs:
    https://supportforums.cisco.com/docs/DOC-13768
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • ACL's and VLan interfaces

    I am trying to understand the boundaries of a Vlan on a given switch. When a packet is passed from Vlan int 1 to Vlan int 2 on the same switch, if Vlan 2 has an inbound ACL denying this packet, would it get acted upon in this manner, or does the ACL only get introduced if the packet enters a physical interface?

    A packet coming into a device from one interface and going out another interface does not pass two 'inbound' ACLs. It can pass two ACLs but one will be inbound and one will be outbound.
    The situation is no different when you are using logical interfaces like SVI (L3 VLAN interfaces). In your case if you have an ACL defined inbound on VLAN 1 in the distribution switch then the packets coming into VLAN1 will be subject to inspection against the rules of this ACL. However, if there is no outbound ACL for VLAN 2 then packets leaving the distribution switch and going out of VLAN 2 to switch 2 will not be subject to any ACLs.
    The concept of inbound and outbound is the same for both physical interfaces and logical interfaces.

  • SFE2000 & ACL to stop VLAN traffic

    Hi All,
    I have set up a new SFE2000 switch to work in Layer 3 mode using the IP address 192.168.100.254 on VLAN 1.
    Additional VLANs are:
    VLAN2     192.168.102.x     To be used for guest wireless access
    VLAN3     192.168.103.x
    VLAN4     192.168.104.x
    I would like VLAN1, 2, 3 and 4 to be able to communicate with each other, while VLAN2 (Guest) needs to be restricted from everything except web access and DHCP assignment from our server.
    I have been playing with various ACLs in an effort to accomplish this but so far I have drawn a blank in getting this working.
    Can anyone shed any light for a managed switch newbie?
    Thanks in advance
    James

    I was able to get this working with ACLs and setting a static route from the router (in my case Sonicwall TZ 180) back to the SG300 network. I have enclosed screen shots of the config from the GUI. You need to bind the ACL to whatever ports you want to filter the guest traffic on, either where they would connect a hard-wired connection or where you would connect your wireless AP. The ACL I have created allows VLAN 13 to get a DHCP address and communicate through DNS but nothing else. 192.168.9.254 is the Sonicwall router, which I wanted on a different VLAN.
    Hope this helps others with their setup.

  • Best practice for web servers behind a router (NAT, ACL, policy-map, VLAN)

    Hi,
    I'm a new Network admin, and I have some configuration questions about my installation (see attachment).
    I have 3 web servers behind a router.
    Public interface: 3 public IP addresses
    Private interface: router-on-a-stick config (3 sub-interfaces, 3 different networks, 3 VLANs)
    I would like to know the best way to redirect http traffic to the right server.
    My idea is to map a public address to a private address via NAT, but I'm not sure about the configuration. I could also redirect via policy-map and filter by URL content.
    So if you have some advice for this case, it would be really appreciated.
    Thank you.
    Chris.

    Hello Christophe,
    As I understand, you want first that:
    if somebody goes to A.local.com from the internet, then he will be redirected to 192.168.1.10 in your internal network.
    That means you need a static mapping between your public IP address and your local IP address.
    For this example, your local interface is Fa0/0.1 and I don't know your public interface because it is not mentioned in your diagram. I will suppose S0/0 for the public interface.
    That is the config for Web Server1. You can do the same with the remaining servers:
    interface fa0/0.1
    ip nat inside
    interface serial0/0
     ip nat outside
    ip nat inside source static 192.168.1.10 172.1.2.3
    static mapping from local to public.
    I suppose you have done the DNS mapping in your network and the ISP has done the same in his network.
    ip route 171.1.2.3 255.255.255.255 serial0/0
    or
    ip route 0.0.0.0 0.0.0.0 serial0/0
    After these steps for each web server, you will get the mapping.
    Now you can restrict access to this IP to only the http or https protocol, on your ISP and then on your local network,
    like
    ip access-list extended ACL_WebServer1
    permit tcp any host 192.168.1.10 eq www
    deny ip any host 192.168.1.10
    exit
    interface fa0/0.1
     ip access-group ACL_WebServer1 in
    no shut
    exit
    That is the first step.
    Second step: you want to filter traffic by URL, that means layer 5 to 7 filtering.
    I am not sure that it is possible using a Cisco router with (ZBF + Regex).
    Check the first step and let us know!
    Please rate and mark as correct if it is the case.
    Regards,

  • ACL with Inter Vlan

    We are using a Cisco 3750 Layer 3 switch and Linksys switches at Layer 2 level.
    We are using 10 VLANs in total. We want to block all inter-vlan communication, so nobody can access another vlan.
    All vlans can access the server vlan.
    Thanks
    Dinesh Chavan

    Dinesh Chavan
    Based on what you have told us one solution would be to configure an access list for each of the SVIs on your 3750 switch and apply it on the inbound direction for the interface. In the access list you would permit packets with source address in the vlan of that interface a destination of the server vlan. You would deny all other traffic. This would allow each vlan to communicate with the server vlan but not with any other vlan.
    HTH
    Rick

  • ACL applied to Vlan interfaces

    I have been working with access lists for a while now and I think I have a good knowledge about them. But the thing I'm still confused with is when you apply an ACL "in" and "out" to an SVI or vlan virtual interface.
    It seems like in these types of interfaces the directions change completely compared to the normal interfaces (ethernet, serial, etc.). The logic is different and sometimes I find myself in problems when I have to do some troubleshooting in my work.
    I've tried to find some information or manuals on Cisco about this specific issue but unfortunately, I couldn't find anything clear.
    Is there some method to quickly know when these ACLs should be applied in one direction or another?
    Thanks for your time.

    It's no different on an SVI: "in" means coming in from the network (user ports). "Out" means out towards the clients' network.

  • I need to create ACL to control access to 17 vlans

    Hi,
    We have created vlans based on departments; each department has its own vlan. As a result we have close to 17 vlans, and this is in one site. We have 5 sites where all these vlans exist but with different subnets. My question has two parts:
    1> I need ideas on what to block and what to permit. For example: block all vlans from accessing all vlans except the server vlan, block all vlans from accessing the storage vlan, allow internet traffic, permit the management vlan to access all vlans in one direction.
    2> Now I have to write access lists for each vlan. Is there a way to ease the burden of creating 17*5 ACLs? For example, create a generic acl and another specific one, but can I apply two access lists to one vlan at the same time?

    First of all, 17 vlans is too much. I don't think there's a real need for such segregation. Should all those 17 departments have their traffic separated from each other? Yeah, there might be a couple of departments with some highly secure traffic, but the others can probably go in one VLAN. If not, then having 17 vlans with an ACL on each is gonna be a real pain to manage. But if it's already done, I may suggest using some ACLs to protect really valuable resources from those who shouldn't have access to them. For example, you definitely should have an ACL on your server VLAN and storage VLAN. You can apply ACLs on these VLANs in the outbound direction and be really granular in what you permit there and what is prohibited. Second, you can apply the same for your management VLAN, because it's the other one with great value. But do you really have to restrict access from department A to department B if they kinda "have no secrets from each other"? So my point is that your decision should be based on what you're really going to protect, and not on the fact that you're trying to separate everything from everything just for fun. Because again, if you separate everything with highly granular rules (i.e. host 1 from dept A should be allowed to host 1 from dept B but not host 2 from dept B, etc. for the other departments), this whole ruleset will be unmanageable. Things should be kept as simple as possible.

  • ACL on Vlan interface

    I am trying to apply an acl on my vlan interfaces that would allow the vlan to initiate TCP traffic. When I apply it I am unable to surf the web from the vlan, but I can tftp from the vlan.

    This is normal behavior. The first packet coming from the station on the VLAN would not be considered as established.
    On the other hand, the established keyword could be configured on an outbound ACL applied to the same VLAN. This would only allow TCP traffic initiated from the VLAN to reenter that same VLAN.
    Hope this helps,

  • Interface vlan - ACL - pinging issues.

    I'm trying to understand why an ACL which is applied to an interface vlan is affecting the traffic for a different interface vlan.
    Both vlans are configured on the same device and there's a trunk connecting the "access" switch to the "distribution" switch.
    So, what we have is:
    UD-1 UD-1B
    UA
    Int vlans are configured in both UDs and the vlan is allowed on the trunk that connects the UD to the UA.
    There's an ACL blocking traffic to the int vlan 225 IP that is configured in the UA, but there's no ACL on vlan 185 (the same IP that I'm trying to ping).
    So, why is this happening?
    configs:
    UD-1A:
    interface Vlan185
    ip address 10.8.185.3 255.255.255.0
    interface Vlan225
    ip address 10.18.225.3 255.255.255.0
    ip access-group ud1 in
    int gi1/1
    interface GigabitEthernet1/1
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 225
    switchport trunk allowed vlan 185,225
    switchport mode trunk
    UD-1B
    interface Vlan185
    ip address 10.8.185.4 255.255.255.0
    interface Vlan225
    ip address 10.18.225.4 255.255.255.0
    ip access-group al_rpf_sre_ud1_pro in
    interface GigabitEthernet4/4
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 225
    switchport trunk allowed vlan 185,225
    switchport mode trunk
    interface Vlan185
    ip address 10.8.185.7 255.255.255.0
    ip access-group ro in
    interface GigabitEthernet1/1
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 225
    switchport trunk allowed vlan 185,225
    switchport mode trunk
    interface GigabitEthernet1/2
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 225
    switchport trunk allowed vlan 185,225
    switchport mode trunk
    so, when I ping 10.8.185.7
    I get:
    GMT-3: ICMP: dst (10.8.185.7) administratively prohibited unreachable rcv from 10.8.185.4
    %SEC-6-IPACCESSLOGDP: list ud1 denied icmp 10.8.185.7 (GigabitEthernet1/1) -> 10.18.232.58 (0/0), 3 packets
    anybody?

    Hello Paresh,
    thanks for replying.
    But actually I don't think this is what's happening.
    Because 10.18.232.58 comes from an uplink (core router), which enters from a different interface.
    Let me give you the configs:
    uplinks:
    interface GigabitEthernet3/1
    no switchport
    ip address 10.18.192.26 255.255.255.252
    And the core is doing load-balancing to reach the UA.
    So, ICMP packets are arriving from these 2 interfaces: the uplink gi3/1 (router port) and the link that connects the UA switch.
    So, pinging from the BC you have 2 ways to get to the UA, from UD1 and UD1-B; when it reaches UD1-B it goes to the vlan (i.e. goes down to the UA and up to UD1A).
    Not sure if this is helping.
    If you need any other info let me know.
    this is killing me.

  • ACE VIP & ACL

    Hi,
    The ACE config contains more than 20 service-policies and many VIP addresses. The ACE works in L3 mode.
    We have to restrict one VIP's traffic to 6 nodes only from the public side.
    How can I restrict the traffic with an ACL in the L3 class map?
    Different policies use the servers on the server-side VLAN, thus we would not like to use a general traffic ACL under the server VLAN configuration.
    Unfortunately, only one entry is permitted in the L3 class map!
    However, this one entry is the virtual-address row.
    What is the smart solution in this case (VIP & ACL together)?
    Regards,

    Hi,
    I think the easiest way that you can do this is using an HTTP class-map (regardless of the load-balanced protocol, weird eh?).
    Instead of an ACL you would use the match source-address command to specify the sources allowed to make it to the servers.
    Here is how it looks:
    class-map type http loadbalance match-any Hosts
      10 match source-address 192.168.10.20 255.255.255.255
      11 match source-address 192.168.10.21 255.255.255.255
      12 match source-address 192.168.10.22 255.255.255.255
    class-map match-any Internet
      2 match virtual-address 192.168.20.15 tcp eq www
    policy-map type loadbalance first-match Internet-FMP
      class Hosts
        serverfarm Backend
    policy-map multi-match CLIENT-VIPS
      class Internet
        loadbalance vip inservice
        loadbalance policy Internet-FMP
        loadbalance vip icmp-reply active
    Hope this helps!
    Pablo

  • Acl issue in L3 Switch SVI

    HI
    I hope a number of issues like this might have been reported. I am getting confused about the direction of an acl when it is on a router's physical interface and when it is on a Layer 3 switch SVI interface. I think my understanding about acls needs to get cleared up; need your kind input please.
    I have a L3 switch with 3 vlans
    Vlan 1 - Routing-Vlan (connecting to another network directly) - 172.16.1.254 /24 (connects to another router somewhere in another network on 172.16.1.1/24)
    Vlan 10 - Server-Vlan - 172.16.10.1/24
    Vlan 11 - User-Vlan - 172.16.11.1/24
    I want to allow only a specific network to come into my network to access all the subnets; all others must be blocked.
    I want everyone in my network to access anything outside the network.
    i tried to configure acl as below-
    access-list 101 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
    int vlan 1
    ip add 172.16.1.1 255.255.255.0
    ip access-group 101 in
    When I am trying from outside (172.16.100.1):
    Ping 172.16.10.1 - Good (expected)
    Ping 172.16.11.1 - NOT (expected)
    When I am trying to ping from inside Server-Vlan (172.16.10.1):
    Ping 172.16.100.1 - Good
    The problem:
    When I am trying to ping from inside User-Vlan (172.16.11.1) to go outside to 172.16.100.1 I am not getting a reply.
    What is going wrong here in this scenario?
    regards
    Sunny

    Hi Jon,
    I was working on the ACL for the above issue. I have found the things below:
    int vlan 1
    des Routing vlan
    ip address 172.16.1.1 255.255.255.0
    ip access-group 110 in
    int vlan 10
    des server vlan
    ip address 172.16.10.1 255.255.255.0
    int vlan 11
    des Users
    ip address 172.16.11.1 255.255.255.0
    ip access-group 100 in
    The acls applied on vlan 10 and 11 are inbound in direction, so as we mentioned before, the traffic coming from each vlan (172.16.10.x OR 172.16.11.x) can be filtered at the SVI itself. In fact I needed to add the second statement below to be able to ping its own gateway.
    access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.10.0 0.0.0.255
    access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.11.0 0.0.0.255
    access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.100.0 0.0.0.255
    access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.101.0 0.0.0.255
    And for filtering the traffic coming from outside, I had to put the acl on interface vlan 1 and apply it in the INBOUND direction.
    access-list 110 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
    access-list 110 permit ip 172.16.100.0 0.0.0.255 172.16.11.0 0.0.0.255
    access-list 110 permit ip 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255
    access-list 110 permit ip 172.16.101.0 0.0.0.255 172.16.11.0 0.0.0.255
    What I understood:
    for vlan 10 or 11 - if I apply it outbound, it means the traffic coming from outside and destined to the inside of that vlan.
    for vlan 10 or 11 - if I apply it inbound, it means the traffic coming from inside of that vlan and destined to outside.
    But for Vlan 1, which is the routing vlan connecting to the other network, the behaviour is just the reverse:
    If I apply it inbound, it means the traffic coming into that vlan interface from outside.
    If I apply it outbound, it means the traffic going out through that interface.
    So I didn't apply any acl in the outbound direction as of now.
    Dear Jon, thanks for taking the time to describe the scenario in detail before.
    Please check this and let me know whether my conclusion is correct or there is anything left to go over again!
    Thanks and Regards
    Sunny
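The direction question that runs through the Catalyst 3550 thread, the "ACL on Vlan interface" thread and Sunny's summary above, as an added Python model (not Cisco code and not from any poster): it evaluates IOS-style extended ACL entries against packets crossing an SVI in the "in" or "out" direction. The 10.1.10.0/24 VLAN, the 203.0.113.10 host and all packets are constructed sample values.

```python
"""Toy model of IOS extended-ACL evaluation on an SVI. Constructed illustration."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"      # "ip", "tcp", "udp" or "icmp"
    dport: int = 0         # 0 means no port (non-TCP/UDP or unspecified)
    tcp_ack: bool = False  # ACK or RST set, which is what "established" tests

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit is 'don't care', a 0 bit must match."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def parse_ace(line):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>] [established]'; an address is 'any' or 'A.B.C.D wildcard'."""
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]
    addrs = []
    for _ in range(2):  # source, then destination
        if rest[0] == "any":
            addrs.append(("0.0.0.0", "255.255.255.255")); rest = rest[1:]
        else:
            addrs.append((rest[0], rest[1])); rest = rest[2:]
    port, established = 0, False
    while rest:
        if rest[0] == "eq":
            port, rest = int(rest[1]), rest[2:]
        elif rest[0] == "established":
            established, rest = True, rest[1:]
        else:
            raise ValueError("unsupported keyword in ACE: " + line)
    return action == "permit", proto, addrs[0], addrs[1], port, established

def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for line in acl:
        permit, proto, (sb, sw), (db, dw), port, est = parse_ace(line)
        if (proto != "ip" and proto != pkt.proto) or not (
                wildcard_match(pkt.src, sb, sw) and wildcard_match(pkt.dst, db, dw)):
            continue
        if (port and pkt.dport != port) or (est and not pkt.tcp_ack):
            continue
        return permit
    return False

def svi_filter(acl, direction, vlan_net, pkt):
    """'in' on an SVI sees packets sourced by hosts of that VLAN and routed away;
    'out' sees packets the switch routes toward hosts of that VLAN. True = forwarded."""
    net = ipaddress.ip_network(vlan_net)
    if direction == "in" and ipaddress.ip_address(pkt.src) in net:
        return evaluate(acl, pkt)
    if direction == "out" and ipaddress.ip_address(pkt.dst) in net:
        return evaluate(acl, pkt)
    return True  # the ACL is not consulted for this packet on this SVI

# Catalyst 3550 thread: ACL ip1 applied "in" on Vlan11 (192.168.21.0/24).
IP1 = ["permit ip 192.168.70.0 0.0.0.255 any", "deny ip any any"]
def demo_3550():
    """Inbound, every packet is sourced by a vlan 11 host, so ip1 denies it all; outbound it works."""
    from_vlan11 = Packet("192.168.21.10", "192.168.70.5")
    to_vlan11 = Packet("192.168.70.5", "192.168.21.10")
    return (svi_filter(IP1, "in", "192.168.21.0/24", from_vlan11),
            svi_filter(IP1, "out", "192.168.21.0/24", to_vlan11))

# "ACL on Vlan interface" thread, with a constructed VLAN 10.1.10.0/24.
EST_IN = ["permit tcp any any established", "permit udp any any"]
EST_OUT = ["permit tcp any 10.1.10.0 0.0.0.255 established"]
def demo_established():
    """Inbound 'established' drops the VLAN's own SYNs (web fails, UDP TFTP works); outbound it admits only replies."""
    syn_out = Packet("10.1.10.5", "203.0.113.10", "tcp", 80)
    tftp_out = Packet("10.1.10.5", "203.0.113.10", "udp", 69)
    reply_in = Packet("203.0.113.10", "10.1.10.5", "tcp", 49152, tcp_ack=True)
    syn_in = Packet("203.0.113.10", "10.1.10.5", "tcp", 22)
    return (svi_filter(EST_IN, "in", "10.1.10.0/24", syn_out),
            svi_filter(EST_IN, "in", "10.1.10.0/24", tftp_out),
            svi_filter(EST_OUT, "out", "10.1.10.0/24", reply_in),
            svi_filter(EST_OUT, "out", "10.1.10.0/24", syn_in))
```

The model ignores intra-VLAN bridged traffic, which an SVI ACL never sees; it only decides routed packets, which is where the direction mistakes in these threads arise.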

  • 300-28 Switches ACL Problem (Lack of Hardware Error)

    Hi!
    I am using SG300-28 switches in Layer 3 mode. I have 15 VLANs created and routing. I have 3 ACLs applied on 5 VLANs.
    I am facing a problem while adding another ACL on a VLAN interface; the error is "Lack of Hardware resources".
    I don't know what the problem is, and I am worried about it. Please help with this.
    I have also updated my switch to the latest firmware, i.e. 1.4.0.88

    hi
    It seems you've reached the maximum number of ACL entries for the switch (512). Please tell us:
    how many ACLs have you configured in total?
    how many entries does each applied access list on your switch have?
    You can also check available resources with the command "show system resources tcam".
