Applying an ACL on a L3 VLAN SVI

If you want to allow only a certain VLAN to access another VLAN (and both L3 VLAN SVIs are hosted on the same switch), you have a couple of options:

Scenario:

We want to only allow Vlan 100 (10.0.100.0) to access Vlan 120 (10.0.120.0).  All other access should be denied.

Solution #1 (Standard ACL):

int vlan 120
ip address 10.0.120.1 255.255.255.0
ip access-group 1 out

access-list 1 permit 10.0.100.0 0.0.0.255

This will only allow Vlan 100 access to Vlan 120, as there is an implicit deny statement at the end of every access list.  Host traffic from Vlan 100 will leave the VLAN, hit the Vlan 120 SVI and be permitted access.  All other VLAN traffic will hit the Vlan 120 SVI and be denied in transit.  Note that a standard ACL matches on the source address only, so the line above carries no protocol keyword.

Solution #2 (Extended ACL):

int vlan 130
ip address 10.0.130.1 255.255.255.0
ip access-group 100 in

access-list 100 deny ip any 10.0.120.0 0.0.0.255
access-list 100 permit ip any any

This solution will need to be applied on every VLAN you do not want to access Vlan 120, as it uses an extended access list, applied inbound on the source SVI, to stop the traffic before it leaves the Vlan 130 network (if the destination is Vlan 120).

Solution #3 (Extended ACL):

int vlan 120
ip address 10.0.120.1 255.255.255.0
ip access-group 101 in

access-list 101 permit ip any 10.0.100.0 0.0.0.255

This will allow all traffic into Vlan 120, but when the return traffic passes back through the VLAN SVI, the ACL will be applied.  In this case, only traffic destined for the 10.0.100.0/24 network will be allowed to leave Vlan 120 (remember the implicit deny statement at the end of the ACL).
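To check what each of the three solutions permits without a switch at hand, here is an added Python model (not from the post) that parses the post's access lists, applies the wildcard-mask match with the implicit deny, and routes a packet through the ingress SVI's "in" ACL and then the egress SVI's "out" ACL; the svis list, forward() and the host addresses used with it are constructed for this example.

```python
import ipaddress

def _addr(a):
    return int(ipaddress.IPv4Address(a))

def _parse_match(tokens):
    if tokens[0] == "any":                # 'any' == 0.0.0.0 255.255.255.255
        return (0, 0xFFFFFFFF), tokens[1:]
    return (_addr(tokens[0]), _addr(tokens[1])), tokens[2:]   # 'NET WILDCARD'

def parse_acls(config):
    """'access-list N permit|deny ...' lines -> {N: [(action, src_spec, dst_spec), ...]}."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        num, action, rest = int(t[1]), t[2], t[3:]
        if rest[0] == "ip":               # extended ACL: 'ip SRC WC DST WC'
            src, rest = _parse_match(rest[1:])
            dst, _ = _parse_match(rest)
        else:                             # standard ACL: source only, destination implicitly 'any'
            src, dst = _parse_match(rest)[0], (0, 0xFFFFFFFF)
        acls.setdefault(num, []).append((action, src, dst))
    return acls

def evaluate(acl, src, dst):
    """Top-down, first match wins; the implicit deny at the end catches everything else."""
    def hit(addr, net, wildcard):         # a wildcard bit of 1 means "don't care"
        return (_addr(addr) & ~wildcard) == (net & ~wildcard)
    for action, (sn, sw), (dn, dw) in acl:
        if hit(src, sn, sw) and hit(dst, dn, dw):
            return action
    return "deny"

def forward(svis, acls, src, dst):
    """svis: [(cidr, in_acl, out_acl)]; check the ingress SVI 'in' ACL, then the egress SVI 'out' ACL."""
    def svi(a):
        return next(s for s in svis if ipaddress.ip_address(a) in ipaddress.ip_network(s[0]))
    for num in (svi(src)[1], svi(dst)[2]):
        if num is not None and evaluate(acls[num], src, dst) == "deny":
            return "deny"
    return "permit"

PAGE_ACLS = parse_acls("""
access-list 1 permit 10.0.100.0 0.0.0.255
access-list 100 deny ip any 10.0.120.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit ip any 10.0.100.0 0.0.0.255
""")  # the post's three access lists; ACL 1 is written without 'ip', as IOS standard ACLs are
```

forward() is stateless, like the ACLs themselves: the reply of a permitted flow is a separate lookup in the other direction, which is why Solution #1 still lets Vlan 120 hosts send toward Vlan 130 and why Solution #3 works on the return path.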

Basic ACL info can be found here: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
