
Maybe RACL, maybe not. Need to restrict some traffic for training room.

Occasional Advisor

We have a training vlan of 10.3.4.0/24. I need it to have access to our DNS server and some other server and Internet access. Here is a "snippet" of what I have.

 

ip access-list extended "Training Lab"
10 permit tcp 10.3.4.0 255.255.255.0 192.168.xxx.77 255.255.255.255 eq 53
20 permit tcp 10.3.4.0 255.255.255.0 192.168.xxx.97 255.255.255.255 eq 53
30 permit udp 10.3.4.0 255.255.255.0 192.168.xxx.77 255.255.255.255 eq 68

...

200 deny ip 10.3.4.0 255.255.255.0 192.168.xxx.0 255.255.0.0 
210 deny ip 10.3.4.0 255.255.255.0 10.0.xxx.0 255.0.0.0

220 permit ip 10.3.4.0 255.255.255.0 0.0.0.0 0.0.0.0 

 

I then apply this to the vlan with address 10.3.4.0/24 and it shows as

 

ip access-list extended "Training Lab" vlan-in

 

The issue is when I apply this RACL I cannot access anything. The training network is coming through one switch where the vlan does not have an IP and the trunk to the next switch is tagged. The next switch is the core switch where the gateway IP of the vlan is assigned to the vlan. I have been applying the RACL to the vlan on the secondary and not the main switch. Do I need it on the main switch, the secondary switch, or both?

 

Thank you,

Eric

 

Honored Contributor

Re: Maybe RACL, maybe not. Need to restrict some traffic for training room.

ACL applies where the routing happens.

If your "Core" switch is the switch performing IP routing (VLANs have SVIs on this switch and the IP routing feature is enabled), and if clients use those SVIs, then your Core is the right switch on which to apply your ACL.


I'm not an HPE Employee
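Wherever the ACL is applied, its entries also have to match the traffic they are meant to filter. As an added example (not from either post), the Python below runs the posted entries against a few constructed flows under two mask readings: the ACL-mask convention of ArubaOS-Switch/ProCurve, where a 1 bit means don't-care (so `any` is shown as `0.0.0.0 255.255.255.255`), and the plain subnet-mask reading the entries appear to assume. The redacted 192.168.xxx and 10.0.xxx addresses are replaced by constructed stand-ins.

```python
import ipaddress

# Constructed stand-ins for the thread's redacted 192.168.xxx / 10.0.xxx addresses.
DNS1, DNS2 = "192.168.1.77", "192.168.1.97"

# The posted entries, in order: (seq, action, proto, src, smask, dst, dmask, dport).
# proto "ip" means any protocol; dport None means any port.
TRAINING_LAB = [
    (10,  "permit", "tcp", "10.3.4.0", "255.255.255.0", DNS1,          "255.255.255.255", 53),
    (20,  "permit", "tcp", "10.3.4.0", "255.255.255.0", DNS2,          "255.255.255.255", 53),
    (30,  "permit", "udp", "10.3.4.0", "255.255.255.0", DNS1,          "255.255.255.255", 68),
    (200, "deny",   "ip",  "10.3.4.0", "255.255.255.0", "192.168.0.0", "255.255.0.0",     None),
    (210, "deny",   "ip",  "10.3.4.0", "255.255.255.0", "10.0.0.0",    "255.0.0.0",       None),
    (220, "permit", "ip",  "10.3.4.0", "255.255.255.0", "0.0.0.0",     "0.0.0.0",         None),
]

def _i(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

def addr_matches(addr, base, mask, wildcard):
    """Compare only the 'care' bits. wildcard=True reads the mask as an ACL mask
    (ArubaOS-Switch/ProCurve): a 1 bit is don't-care. wildcard=False reads it as
    an ordinary subnet mask: a 1 bit must match."""
    care = (~_i(mask) & 0xFFFFFFFF) if wildcard else _i(mask)
    return (_i(addr) & care) == (_i(base) & care)

def evaluate(acl, proto, src, dst, dport, wildcard):
    """First matching entry wins; falling off the end is the implicit deny."""
    for seq, action, rproto, rsrc, smask, rdst, dmask, rport in acl:
        if rproto != "ip" and rproto != proto:
            continue
        if rport is not None and rport != dport:
            continue
        if addr_matches(src, rsrc, smask, wildcard) and addr_matches(dst, rdst, dmask, wildcard):
            return action, seq
    return "deny", "implicit"

# Constructed flows from one training-room host: DNS, Internet (TEST-NET-2), internal SMB.
FLOWS = [
    ("tcp", "10.3.4.50", DNS1, 53),
    ("tcp", "10.3.4.50", "198.51.100.20", 443),
    ("tcp", "10.3.4.50", "192.168.5.10", 445),
]

def compare(acl=TRAINING_LAB, flows=FLOWS):
    """Return {flow: (result read as subnet masks, result read as ACL masks)}."""
    return {f: (evaluate(acl, *f, wildcard=False), evaluate(acl, *f, wildcard=True)) for f in flows}

if __name__ == "__main__":
    for (proto, src, dst, port), (subnet, wild) in compare().items():
        print(f"{proto} {src} -> {dst}:{port}  subnet-mask: {subnet}  ACL-mask: {wild}")
```

Read as subnet masks the entries permit DNS and Internet and block the 192.168 range; read as ACL masks every flow falls through to the implicit deny because a source mask of 255.255.255.0 only requires the last octet to be 0. The mask convention is therefore worth confirming on the switch alongside where the ACL is applied.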