ASA ACL to restrict local users from webbing into local printers

I have local users and printers all on the same subnet. I need to create an ACL that will deny the local users from being able to HTTP/HTTPS into the printers. Any ideas?

Hello lqdlizard

Regular ACLs can only be applied at a routed interface or an SVI. These cannot be used to filter traffic that stays within the same subnet or VLAN. In order to achieve what you need, you can use a VLAN access list, or VACL.

VACLs can be configured to filter based on either layer 3 (IP) or layer 2 (MAC) traffic.

I hope this has been helpful!

Laz

Thank you. I still want the users to be able to print, just not web into them. Can the VACL filter port 80 and 443 traffic only?

Hello lqdlizard

Yes, it is possible to filter based on TCP port. You can do so by referencing a normal ACL within your vlan access-map commands of the VACL. An example of this can be seen below:

First, we configure the ACL that will match all traffic with a destination port of 80 (HTTP).

SW1(config)#ip access-list extended Block_Web
SW1(config-ext-nacl)#permit tcp any any eq 80
SW1(config-ext-nacl)#exit

Next, we create two statements in a VACL. The first is set to drop all web traffic that matches the above ACL:

SW1(config)#vlan access-map VACL_Block_Web 10
SW1(config-access-map)#action drop
SW1(config-access-map)#match ip address Block_Web
SW1(config-access-map)#exit

The second statement will permit all other traffic (remember the explicit deny all!):

SW1(config)#vlan access-map VACL_Block_Web 20
SW1(config-access-map)#action forward
SW1(config-access-map)#exit

I hope this has been helpful!

Laz
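A fuller version of the same VACL, added here as an example rather than Laz's own configuration: it scopes the drop to the printer addresses instead of all hosts, covers HTTPS (443) as well as HTTP (80), exempts one management station, and includes the `vlan filter` command that actually binds the map to the VLAN (without it nothing is filtered). The printer and admin addresses and VLAN 10 are assumed values.

```cisco
! Added example, not from the original post. Assumes Cisco IOS with VACL
! support, printers at 192.168.10.51 and 192.168.10.52, an admin station at
! 192.168.10.5, all in VLAN 10 (constructed values).
!
! 1. ACL used by the VACL to select what gets dropped.
!    In a VLAN map, a packet hitting a "deny" ACE is treated as NOT matched by
!    that map entry and falls through to the next entry, so the first line
!    exempts the admin station from the drop.
ip access-list extended Block_Printer_Web
 remark admin station may still reach printer web pages
 deny   tcp host 192.168.10.5 any
 remark web management sessions to the printers, dropped by the VACL
 permit tcp any host 192.168.10.51 eq 80
 permit tcp any host 192.168.10.51 eq 443
 permit tcp any host 192.168.10.52 eq 80
 permit tcp any host 192.168.10.52 eq 443
!
! 2. VACL: sequence 10 drops matches, sequence 20 forwards everything else.
!    Print jobs (TCP 9100, 515, 631) never match the ACL, so they are forwarded.
vlan access-map VACL_Block_Printer_Web 10
 action drop
 match ip address Block_Printer_Web
vlan access-map VACL_Block_Printer_Web 20
 action forward
!
! 3. Bind the map to the VLAN; this is the step that makes it take effect.
vlan filter VACL_Block_Printer_Web vlan-list 10
!
! 4. Verify the map entries and the VLAN binding.
do show vlan access-map
do show vlan filter
```

Note that the match ACL is applied by the VACL for intra-VLAN traffic in hardware, so the ACL's own hit counters will not reflect dropped packets; test from a user host with a browser rather than relying on `show access-lists`.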