ACL Inter VLAN

it_ejvnior
Frequent Advisor

ACL Inter VLAN

Hi guys.

I'm trying to create an ACL to block the http access (the default GW of all VLANs). So VLAN 1 cannot access the webpage of the VLAN 100 default GW, for example.

What I'm trying to do is to block the traffic that ingresses VLAN 1.

rule 0 deny tcp source 192.168.11.0 0.0.0.255 destination 10.8.100.254 0 destination-port eq 80

interface vlan-interface 1 >> packet-filter <number> inbound

I'm a little bit confused with the traffic orientation when an SVI is involved.

Thanks in advance.

3 REPLIES
Vince-Whirlwind
Honored Contributor

Re: ACL Inter VLAN

Yes, the "direction" had me confused the first time, too.

If you want to filter traffic from VLAN1 (subnet1) to VLAN10 (subnet10), then your rule should filter:
subnet1-->subnet10=deny
and then you apply it on the VLAN1 SVI "INbound".

it_ejvnior
Frequent Advisor

Re: ACL Inter VLAN

Hi.

I did the procedure as below:

Advanced ACL 3002, named BLOCK_HTTP_GW, 1 rule,
ACL's step is 5
rule 0 deny tcp source 192.168.11.0 0.0.0.255 destination 10.8.100.254 0 destination-port eq www

And applied on SVI VLAN1 interface, inbound.

Did not work. Do I need to block the IP protocol instead of only tcp?

Thanks in advance.

Vince-Whirlwind
Honored Contributor

Re: ACL Inter VLAN

Do a simple access list that blocks everything first, so that you know that you are doing it right.

Then change it to something more specific.
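The direction point from the first reply and the "deny everything first, then narrow it" advice from the last one, worked through as an added example (not code from the thread or from the switch vendor). It is a small Python model of how an advanced ACL with wildcard masks is consulted when a packet-filter is bound to an SVI: inbound on VLAN-interface 1 sees packets that arrive from hosts in VLAN 1, outbound sees packets being routed towards VLAN 1. The packets, VLAN numbers and the 'in_vlan'/'out_vlan' fields are constructed for the demonstration; the original post's "destination 10.8.100.254 0" shorthand is written out as wildcard 0.0.0.0.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Comware-style wildcard: 0 bits must match, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass
class Rule:
    action: str          # 'deny' or 'permit'
    proto: str           # 'ip' matches any protocol, else 'tcp' / 'udp'
    src: str; src_wc: str
    dst: str; dst_wc: str
    dport: Optional[int] = None   # None means any destination port

def rule_matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], rule.src, rule.src_wc):
        return False
    if not wildcard_match(pkt["dst"], rule.dst, rule.dst_wc):
        return False
    return rule.dport is None or pkt.get("dport") == rule.dport

def packet_filter(acl: list, pkt: dict, svi_vlan: int, direction: str) -> str:
    """Result ('deny'/'permit') of a packet-filter bound to VLAN-interface svi_vlan.
    Constructed model: inbound is only consulted for packets whose ingress VLAN is
    svi_vlan, outbound only for packets routed out towards svi_vlan. First matching
    rule wins; with no match the packet is permitted."""
    if direction == "inbound" and pkt["in_vlan"] != svi_vlan:
        return "permit"
    if direction == "outbound" and pkt["out_vlan"] != svi_vlan:
        return "permit"
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "permit"

# The thread's rule, and the "block everything" ACL suggested for testing.
BLOCK_HTTP_GW = [Rule("deny", "tcp", "192.168.11.0", "0.0.0.255", "10.8.100.254", "0.0.0.0", 80)]
DENY_ALL = [Rule("deny", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")]

# Constructed packet: a VLAN 1 host opening the VLAN 100 gateway's web page.
HTTP_TO_GW = {"proto": "tcp", "src": "192.168.11.20", "dst": "10.8.100.254",
              "dport": 80, "in_vlan": 1, "out_vlan": 100}
```

Applying BLOCK_HTTP_GW inbound on VLAN-interface 1 denies HTTP_TO_GW, while the same ACL applied outbound on VLAN-interface 1 never sees that packet and permits it, which is the direction confusion the replies describe.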