https://community.cisco.com/t5/wireless/allow-specific-vlan-traffic/m-p/5261376#M281004 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/236892">@rsthakur</a>&nbsp;</P> <P>The only part you need is this. As ACL have deny any any at the end, only traffic for vlan 16 and 30 is allowed.</P> <P>&nbsp;<STRONG>ip access-list extended VLAN311_ACCESS<BR />permit ip 172.28.40.0 0.0.7.255 172.28.23.0 0.0.7.255<BR />permit ip 172.28.152.0 0.0.7.255 172.28.23.0 0.0.7.255</STRONG></P> <P>You can also apply one ACL at vlan 16 and 30</P> <P><STRONG>ip access-list extended VLAN16_ACCESS<BR />deny ip any 172.23.0.0 0.0.7.255<BR />permit IP any any</STRONG></P> <P>&nbsp;</P> <P><STRONG>interface vlan 16<BR />ip access-group VLAN16_ACCESS out</STRONG></P> Mon, 17 Feb 2025 12:07:33 GMT Flavio Miranda 2025-02-17T12:07:33Z https://community.cisco.com/t5/wireless/allow-specific-vlan-traffic/m-p/5261366#M281002 <P>You have a <STRONG>6805 switch</STRONG> with multiple VLANs and want to create an <STRONG>ACL</STRONG> to restrict access as follows:</P><UL><LI><STRONG>Only VLAN 16 (172.28.40.0/21) and VLAN 30 (172.28.152.0/21) should be allowed to access VLAN 311 (172.23.0.0/21).</STRONG></LI><LI><STRONG>All other VLAN traffic to VLAN 311 should be denied.&nbsp; &nbsp; &nbsp;</STRONG></LI></UL><P><STRONG>i have configured the ACL</STRONG></P><P><STRONG>ip access-list extended VLAN311_ACCESS<BR />permit ip 172.28.40.0 0.0.7.255 172.28.23.0 0.0.7.255<BR />permit ip 172.28.152.0 0.0.7.255 172.28.23.0 0.0.7.255<BR />deny ip any 172.28.23.0 0.0.7.255<BR />permit ip any any</STRONG></P><P><STRONG>interface vlan 311<BR />ip access-group VLAN311_ACCESS in</STRONG></P><P><STRONG>but this is not working.</STRONG></P><P><STRONG>Any Help.</STRONG></P> Mon, 17 Feb 2025 11:48:10 GMT https://community.cisco.com/t5/wireless/allow-specific-vlan-traffic/m-p/5261366#M281002 rsthakur 2025-02-17T11:48:10Z https://community.cisco.com/t5/wireless/allow-specific-vlan-traffic/m-p/5261376#M281004 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/236892">@rsthakur</a>&nbsp;</P> <P>The only part you need is this. As ACL have deny any any at the end, only traffic for vlan 16 and 30 is allowed.</P> <P>&nbsp;<STRONG>ip access-list extended VLAN311_ACCESS<BR />permit ip 172.28.40.0 0.0.7.255 172.28.23.0 0.0.7.255<BR />permit ip 172.28.152.0 0.0.7.255 172.28.23.0 0.0.7.255</STRONG></P> <P>You can also apply one ACL at vlan 16 and 30</P> <P><STRONG>ip access-list extended VLAN16_ACCESS<BR />deny ip any 172.23.0.0 0.0.7.255<BR />permit IP any any</STRONG></P> <P>&nbsp;</P> <P><STRONG>interface vlan 16<BR />ip access-group VLAN16_ACCESS out</STRONG></P> Mon, 17 Feb 2025 12:07:33 GMT https://community.cisco.com/t5/wireless/allow-specific-vlan-traffic/m-p/5261376#M281004 Flavio Miranda 2025-02-17T12:07:33Z https://community.cisco.com/t5/wireless/allow-specific-vlan-traffic/m-p/5262825#M281083 <UL><LI><STRONG>VLAN 30 (172.28.152.0/21)&nbsp; should be allowed to access VLAN 311 (172.23.0.0/21).</STRONG></LI><LI><STRONG>All other VLAN traffic to VLAN 311 should be denied.&nbsp;</STRONG></LI></UL><P><STRONG>Now, I have applied the command below.</STRONG></P><P><STRONG>ip access-list extended Camera<BR />permit ip 172.28.152.0 0.0.7.255 172.23.0.0 0.0.7.255<BR />deny ip any 172.23.0.0 0.0.7.255<BR />deny ip any any<BR /></STRONG></P><P><STRONG>put the Above ACL on VLAN 311</STRONG></P><P><STRONG>interface Vlan311<BR />description Extra Vlan<BR />ip address 172.23.7.254 255.255.248.0<BR />ip access-group Camera in<BR /></STRONG></P><P><STRONG>Then make one more ACL</STRONG></P><P><STRONG>ip access-list extended VLAN30_Camera<BR />deny ip any 172.23.0.0 0.0.7.255<BR />permit ip any any<BR /></STRONG></P><P><STRONG>and this one put on Vlan 30</STRONG></P><P><STRONG>interface Vlan30<BR />description CC Lab &amp; CC Management VLAN<BR />ip address 172.28.159.254 255.255.248.0<BR />ip access-group VLAN30_Camera out<BR /></STRONG></P><P><STRONG>But no luck, Its not working</STRONG></P><P>&nbsp;</P><P>&nbsp;</P> Thu, 20 Feb 2025 04:32:45 GMT https://community.cisco.com/t5/wireless/allow-specific-vlan-traffic/m-p/5262825#M281083 rsthakur 2025-02-20T04:32:45Z https://community.cisco.com/t5/wireless/allow-specific-vlan-traffic/m-p/5262952#M281092 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/236892">@rsthakur</a>&nbsp;do you have reachability to those subnets from the switch ? and check the port status does it go in to err-disable state ?</P><P>&nbsp;</P> Thu, 20 Feb 2025 09:51:58 GMT https://community.cisco.com/t5/wireless/allow-specific-vlan-traffic/m-p/5262952#M281092 srimal99 2025-02-20T09:51:58Z