5304XL VLAN and Access List Help

Chip Barnett
Occasional Contributor

I have 18 VLANs that span 3 core switches and several smaller switches. The 3 core switches are 5304XL. The 3 core switches all have IP Routing enabled. There are only IP addresses on the VLANs in the main 5304 if this matters... These 3 switches also will have VLAN 90 which will be used for wireless access points for public use. I need to be able to block all traffic to the other VLANs except for Internet traffic. The Internet router (192.168.1.20) is in VLAN 1.

Can someone verify if this would work?
On the 3 core switches I would make this configuration:

VLAN 90
ip access-group 101

access-list 101 permit tcp 10.90.0.0 0.0.255.255 host 192.168.1.20 eq 80

Am I anywhere close to getting this right?
Thanks for the assistance.
2 REPLIES
Ron Kinner
Honored Contributor
Solution

Re: 5304XL VLAN and Access List Help

Not too close yet. Your access list will permit people to surf to the router but not to the internet. Also you have to specify a direction in your ip access-group 101 statement (in or out).

Let's say you make this an IN list and VLAN 90 is the Wireless VLAN where all hosts will have an IP address on the 10.90.0.0 mask 255.255.0.0.

I'm more a router guy than a switch guy so I'm not really sure if the access list applies to switched traffic. I assume it doesn't. I also assume that your other VLANS all have 10.x.0.0 subnets.

access-list 101 deny ip any 10.0.0.0 0.255.255.255
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 8080

The first line blocks all ip traffic to all 10.x.0.0 subnets. The assumption here is that your other VLANS are all 10.x.0.0 so this keeps the wireless away from them. The Internet does not use the 10 net so this does not bother that traffic. IF you have other IP subnets you don't want them to get to then add deny statements at the beginning. For instance, they don't need to talk to your router so you could add
access-list 101 deny ip any host 192.168.1.20
at the beginning of the list or broaden it to the whole 192.168.1.0 or even 192.168.0.0.

Don't think it will hamper 10.90.0.0 traffic from talking to other 10.90.0.0 traffic since that should be switched. If you find they can't talk to each other then start the list with
access-list 101 permit ip 10.90.0.0 0.0.255.255 10.90.0.0 0.0.255.255

The second line allows any traffic to port 80 to pass to the Internet (we've already blocked all traffic to the other VLANS by blocking the 10 net)
The last line is the same but allows them to also do https connections. The implicit deny ip any any blocks all other traffic.

You may want to add lines at the beginning of the list to allow things like
ICMP any any echo-reply
or
tcp any any established
(lets someone on the other VLANs establish a connection to a host on the wireless for troubleshooting or monitoring.)

Then you apply it with:

vlan 90 access-group 101 in

Think that should do it.

Ron
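To check how the list above actually behaves before it goes on a switch, here is a small offline simulator of first-match extended ACL semantics with wildcard masks and the implicit deny. It is an added example written for this page, not code from the thread or from the 5304XL itself: it parses the `access-list 101 ...` lines in the form Ron wrote them, evaluates some constructed sample flows from a wireless client, and reports which entry decided each one. The client and Internet addresses are made up, and the switch-specific questions (whether the list is applied to switched traffic within VLAN 90, the exact `vlan 90 access-group 101 in` application syntax) are not modeled; only the list logic is. Running it shows two things worth noticing when reviewing the list as written: HTTPS on TCP 443 and DNS on UDP 53 both fall through to the implicit deny, so public clients would get plain HTTP only, and only to addresses they already know by IP.

```python
"""Offline first-match simulator for extended ACL lines of the form used in this thread.

Handles: protocol ip/tcp/udp/icmp, 'any', 'host A.B.C.D', 'A.B.C.D WILDCARD',
and an optional trailing 'eq PORT'. Anything not matched hits the implicit deny.
This is an educational model, not the switch's own ACL engine.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Target = Tuple[int, int]  # (network as int, wildcard mask as int)


def _parse_target(tokens: List[str], i: int) -> Tuple[Target, int]:
    """Read one source/destination spec starting at tokens[i]; return it and the next index."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    # Address followed by a wildcard (inverse) mask, e.g. 10.0.0.0 0.255.255.255
    return (int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def _in_target(ip: str, target: Target) -> bool:
    """Wildcard bit 1 means 'don't care'; compare only the bits that are 0 in the wildcard."""
    network, wildcard = target
    care = 0xFFFFFFFF ^ wildcard
    return (int(ipaddress.IPv4Address(ip)) & care) == (network & care)


@dataclass
class Ace:
    action: str                  # 'permit' or 'deny'
    proto: str                   # 'ip' matches every protocol
    src: Target
    dst: Target
    dport: Optional[int] = None  # set only when 'eq PORT' follows the destination
    text: str = ""

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if not _in_target(src_ip, self.src) or not _in_target(dst_ip, self.dst):
            return False
        return self.dport is None or self.dport == dport


def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse 'access-list NUM ACTION PROTO SRC DST [eq PORT]' lines, skipping blanks."""
    aces = []
    for line in lines:
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_target(t, 4)
        dst, i = _parse_target(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        aces.append(Ace(action, proto, src, dst, dport, line.strip()))
    return aces


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """First matching entry wins; if nothing matches, the implicit 'deny ip any any' applies."""
    for ace in aces:
        if ace.matches(proto, src_ip, dst_ip, dport):
            return ace.action, ace.text
    return "deny", "implicit deny ip any any"


# The list from the reply above, with the optional router deny placed first as suggested.
WIRELESS_ACL = parse_acl("""
access-list 101 deny ip any host 192.168.1.20
access-list 101 deny ip any 10.0.0.0 0.255.255.255
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 8080
""".splitlines())

# Constructed sample flows from a wireless client (10.90.1.25 on VLAN 90); addresses are made up.
SAMPLE_FLOWS = [
    ("tcp", "10.90.1.25", "10.20.0.5", 80),      # a host on another internal VLAN
    ("tcp", "10.90.1.25", "192.168.1.20", 80),   # the Internet router's own address
    ("tcp", "10.90.1.25", "203.0.113.10", 80),   # Internet, plain HTTP
    ("tcp", "10.90.1.25", "203.0.113.10", 443),  # Internet, HTTPS
    ("udp", "10.90.1.25", "203.0.113.53", 53),   # Internet DNS
]


def audit(aces: List[Ace] = WIRELESS_ACL, flows=SAMPLE_FLOWS) -> List[Tuple[str, str]]:
    """Return (verdict, deciding entry) for each sample flow."""
    return [evaluate(aces, *flow) for flow in flows]


if __name__ == "__main__":
    for flow, (verdict, rule) in zip(SAMPLE_FLOWS, audit()):
        print(f"{flow[0]} {flow[1]} -> {flow[2]}:{flow[3]}  {verdict:6s} by: {rule}")
```

The deny on 10.0.0.0/8 also catches a flow from one wireless client to another (for example 10.90.1.25 to 10.90.2.9), which is exactly why the reply mentions adding a leading permit for 10.90.0.0 to 10.90.0.0 if that traffic turns out to be evaluated rather than switched.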

Chip Barnett
Occasional Contributor

Re: 5304XL VLAN and Access List Help

Thanks Ron, I won't be able to try it until next week but it makes sense to me now.