Restricting a VLAN to the internet only using ACL

cross6

Senior member
Jun 16, 2005
I'm having a hard time figuring out how to do this, as my network has a few routers between the VLAN and the net, and ACLs just restrict access from an IP(s) and not to them?


p0lar

Senior member
Nov 16, 2002
Originally posted by: cross6
I'm having a hard time figuring out how to do this, as my network has a few routers between the VLAN and the net, and ACLs just restrict access from an IP(s) and not to them?

Are you speaking about L3 filtering on a L2 interface or filtering on the VLAN routing interface?

If the latter, just use an extended ACL and define as you wish. Bear in mind that you're essentially trying to prevent access to other VLANs rather than allow access to the Internet (0/0), which should be controlled by a positive match on the destination VLAN/router interfaces rather than a negative match on the originating VLAN interface.

jlazzaro

Golden Member
May 6, 2004
Originally posted by: cross6
ACLs just restrict access from an IP(s) and not to them
eh?

just apply an ACL closest to the source denying the VLAN range from accessing the local segment and allow everything else (i.e. internet addresses). you may want to add permit statements before the deny to allow for network services (DHCP, DNS, etc.)

realEZE

Member
Apr 19, 2007
Yep, as jlazzaro suggests, this is quite common practice.

Just filter out all local VLANs at the gateway, making sure to explicitly allow needed services.

cross6

Senior member
Jun 16, 2005
ahhh guess I was thinking about it bass ackwards. So instead of trying to block it at the vlan int, I need to deny access at all the other segment interfaces. Got it.

jlazzaro

Golden Member
May 6, 2004
Originally posted by: cross6
ahhh guess I was thinking about it bass ackwards. So instead of trying to block it at the vlan int, I need to deny access at all the other segment interfaces. Got it.
not necessarily. where you apply the ACL would be largely dependent on your topology. however, you shouldn't need to apply it at every interface, just a single interface closest to the source that all the traffic you plan to block will be coming in/out of.

applying an ACL on every segment interface would work, but what happens when you need to make a change? it would be an administrative PITA. you want to take the minimalistic approach...do the least amount possible while still accomplishing your goal.

if you're using all L2 switches, you would want to block it at the first router hop (or gateway). because remember, in order to route between VLANs it has to go through the router first. that is unless you're running L3 switches...
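A concrete version of the approach the thread describes (permit the services the VLAN still needs first, then deny the local address ranges, then permit everything else, applied inbound on the source VLAN's routed interface), written as an added example in Cisco IOS syntax; it is not from any poster in this thread. The VLAN number, subnets, server address and ACL name are assumed placeholders.

```cisco
! Added example, not from the thread. Assumptions: the restricted VLAN is
! VLAN 50 (10.50.0.0/24, SVI 10.50.0.1), internal address space is the
! RFC 1918 ranges, and DNS/DHCP are served from 10.1.1.10.
ip access-list extended VLAN50-INTERNET-ONLY
 remark -- services the VLAN still needs; these must come BEFORE the deny lines
 permit udp any eq bootpc any eq bootps
 permit udp 10.50.0.0 0.0.0.255 host 10.1.1.10 eq domain
 permit tcp 10.50.0.0 0.0.0.255 host 10.1.1.10 eq domain
 remark -- block the VLAN from every internal range (logged for visibility)
 deny   ip 10.50.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 deny   ip 10.50.0.0 0.0.0.255 172.16.0.0 0.15.255.255 log
 deny   ip 10.50.0.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 remark -- whatever is left is Internet-bound; the implicit deny catches spoofed sources
 permit ip 10.50.0.0 0.0.0.255 any
!
! Apply once, inbound, on the routed interface closest to the source
! (the first L3 hop the VLAN's traffic must cross).
interface Vlan50
 ip address 10.50.0.1 255.255.255.0
 ip helper-address 10.1.1.10
 ip access-group VLAN50-INTERNET-ONLY in
```

`show ip access-lists VLAN50-INTERNET-ONLY` shows per-entry hit counts, which confirms that DNS and DHCP are matching the permit lines rather than the logged deny lines.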