
5406zl ACL Not Working When Applied to VLAN

 
Ill3st0n3
Occasional Advisor


I have created a VLAN that I only want certain subnets or ranges of address to access:


ip access-list standard "CAMSEC"
   10 permit 10.10.10.0 0.0.0.255
   15 permit 10.82.20.0 0.0.0.255
   20 permit 10.90.0.0 0.0.255.255
   25 permit 10.86.0.0 0.0.255.255
   40 deny 0.0.0.0 255.255.255.255
   exit


I then applied this to the particular VLAN with the "ip access-group CAMSEC in" command; however, traffic from any subnet within my network is still allowed. Do I need an extended access list, and if so, how would I create and apply this to the VLAN?

LorenzoCastro
Frequent Advisor

Re: 5406zl ACL Not Working When Applied to VLAN

Looks like you have the ACL in the wrong direction. In this current application you would be affecting traffic originating from the VLAN you are trying to protect, or going "IN" to the VLAN interface from the VLAN itself. If you remove it and apply it to the VLAN in an outbound direction, you should most likely see your traffic start hitting the ACL. With that said, it would be best to apply an ACL closer to the source if at all possible.

Ill3st0n3
Occasional Advisor

Re: 5406zl ACL Not Working When Applied to VLAN

So by the looks of it, the ACL would then not allow traffic out to any subnet other than those I specified?

paulgear
Esteemed Contributor

Re: 5406zl ACL Not Working When Applied to VLAN

Hi Ill3st0n3,

The trick with VLAN ACLs is that you need to view them from the perspective of the routing engine of the switch, not from the perspective of the VLAN, so incoming is traffic FROM that VLAN to other VLANs and outgoing is traffic TO that VLAN from other VLANs.

If you apply the ACL that you've specified in the outbound direction as Lorenzo suggested, the effect should be that only addresses permitted in your ACL will be allowed access to that VLAN. Traffic from that VLAN to other VLANs will be unaffected. (However replies from addresses outside the range you indicated would not be permitted due to the ACL, which may appear to the unknowing observer as a problem with traffic from that VLAN.)

Hope that helps.

Regards,
Paul
furtlegog
Contributor

Re: 5406zl ACL Not Working When Applied to VLAN

I have applied an access list to a student vlan 4 which permits essential services but has the implicit deny at the end to deny anything else.


I apply it by going into vlan 4 and using access-group 1-1 ext in


When it's applied, traffic from my vlan 50, which is the phones VLAN, is blocked?


My understanding was that because my access list was applied to vlan 4, none of the other vlans would be affected?
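The direction rule Paul describes (VLAN ACLs are evaluated from the routing engine's point of view: "in" filters traffic coming FROM that VLAN, "out" filters traffic going TO it), and the reply-path side effect behind furtlegog's question, as an added example that is not code from this thread or from HPE: a small Python simulator of first-match standard-ACL evaluation with wildcard masks. It uses the CAMSEC ACL exactly as posted in the first message; the camera VLAN number 200, VLAN 50, VLAN 10 and every host address are constructed assumptions, not values from the thread.

```python
# Added example (not from the thread): simulate how a ProVision VLAN ACL's
# direction is evaluated relative to the switch's routing engine.
# CAMSEC is the ACL posted in the thread; all VLAN numbers and host
# addresses below are constructed for illustration.
import ipaddress

CAMSEC_TEXT = """
ip access-list standard "CAMSEC"
   10 permit 10.10.10.0 0.0.0.255
   15 permit 10.82.20.0 0.0.0.255
   20 permit 10.90.0.0 0.0.255.255
   25 permit 10.86.0.0 0.0.255.255
   40 deny 0.0.0.0 255.255.255.255
   exit
"""


def wildcard_to_network(addr, wildcard):
    """Convert 'address wildcard' (inverse mask) into an ip_network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:  # a wildcard must be a run of low-order 1 bits
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    # 0.0.0.255 -> 8 wildcard bits -> /24; 255.255.255.255 -> /0 (any)
    return ipaddress.ip_network((addr, 32 - wc.bit_length()), strict=False)


def parse_standard_acl(text):
    """Return [(seq, action, network)] from the lines of a standard ACL."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1] in ("permit", "deny"):
            seq, action, addr, wc = parts
            rules.append((int(seq), action, wildcard_to_network(addr, wc)))
    return rules


def acl_action(rules, src_ip):
    """First match on the source address; unmatched traffic hits the implicit deny."""
    ip = ipaddress.IPv4Address(src_ip)
    for _seq, action, net in rules:
        if ip in net:
            return action
    return "deny"


def vlan_acl_permits(rules, direction, acl_vlan, pkt):
    """
    Seen from the routing engine:
      'in'  evaluates packets arriving FROM acl_vlan (pkt['src_vlan'] == acl_vlan)
      'out' evaluates packets being sent TO acl_vlan (pkt['dst_vlan'] == acl_vlan)
    Packets that do not cross the ACL's VLAN in that direction are never evaluated.
    """
    applies = {"in": pkt["src_vlan"] == acl_vlan,
               "out": pkt["dst_vlan"] == acl_vlan}[direction]
    return acl_action(rules, pkt["src"]) == "permit" if applies else True


def camsec_scenarios(camera_vlan=200):
    """Reproduce the thread's symptom and the fix on a constructed camera VLAN."""
    rules = parse_standard_acl(CAMSEC_TEXT)
    outsider_to_camera = {"src": "10.50.1.5", "src_vlan": 50,
                          "dst": "10.200.0.10", "dst_vlan": camera_vlan}
    permitted_to_camera = {"src": "10.10.10.7", "src_vlan": 10,
                           "dst": "10.200.0.10", "dst_vlan": camera_vlan}
    camera_to_outsider = {"src": "10.200.0.10", "src_vlan": camera_vlan,
                          "dst": "10.50.1.5", "dst_vlan": 50}
    return {
        # original post: applied 'in', the ACL never sees traffic coming from VLAN 50
        "in_outsider_reaches_camera":
            vlan_acl_permits(rules, "in", camera_vlan, outsider_to_camera),
        # Lorenzo's point: 'in' instead filters the camera VLAN's own outbound traffic
        # (the same mechanism that hits furtlegog's student-VLAN replies to the phones)
        "in_camera_to_outsider":
            vlan_acl_permits(rules, "in", camera_vlan, camera_to_outsider),
        # Paul's point: 'out' is the direction that decides who may enter the VLAN
        "out_outsider_reaches_camera":
            vlan_acl_permits(rules, "out", camera_vlan, outsider_to_camera),
        "out_permitted_source_reaches_camera":
            vlan_acl_permits(rules, "out", camera_vlan, permitted_to_camera),
        # traffic leaving the camera VLAN is untouched by an 'out' ACL; the
        # outsider's reply, however, is the 'out_outsider_reaches_camera' case (Paul's caveat)
        "out_camera_initiates_to_outsider":
            vlan_acl_permits(rules, "out", camera_vlan, camera_to_outsider),
    }


if __name__ == "__main__":
    for name, permitted in camsec_scenarios().items():
        print(f"{name:40s} {'permit' if permitted else 'DENY'}")
```

Running it prints one line per scenario: the "in" application lets the outsider in and blocks the camera VLAN's own traffic, while "out" admits only the sources listed in CAMSEC and leaves the VLAN's outbound traffic alone (apart from the replies the outbound ACL then drops). Note that the simulator only models a standard (source-address) ACL; furtlegog's "ext" list also matches destinations and ports, but its "in" direction hits VLAN 4's replies in exactly the way `in_camera_to_outsider` shows.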