Help needed with creating VLAN Map

Hi all,

 

I need some help w.r.t setting up VLAN maps/ACL.

 

The following scenario is what I need:

Three VLANs - VLAN10, VLAN20, VLAN30

VLAN10 - Should be able to access all packets on VLAN20 and VLAN 30

VLAN20 - Should only be able to access VLAN10

VLAN30 - Should be able to access both VLAN10 and VLAN20

 

I am using a catalyst 2960 switch.

 

Thank you for your consideration.

5 Replies

balaji.bandi (Hall of Fame)

Are you looking for a Layer 2 based or Layer 3 based ACL?

Look at the guide below: build one as per your understanding; if you still have issues, post the ACL here and we can tweak it for you.

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/vacl.html

BB


Hi Balaji,

 

I need to make a Layer 2 based ACL. I want to make it so that VLAN20 cannot send/receive packets to/from VLAN30 but is only able to send and receive packets to/from VLAN10.

 

Regards

SB

Hello

Inter-VLAN communication is L3, so it cannot be an L2 ACL.

You have options:
1) routed ACL on the SVIs
2) private VLANs

The following example is a RACL (option 1) to allow VL30 TCP communication to VL20 but not allow VL20 TCP communication to VL30.

Unfortunately, with this option, as UDP is connectionless, it won't negate UDP unless it is denied entirely.


ip access-list extended VL20
 remark allow only VL30-initiated TCP sessions to reach VL30 from VL20
 permit tcp 10.1.20.0 0.0.0.255 any established
 deny tcp 10.1.20.0 0.0.0.255 any
 permit ip any any

interface Vlan30
 ip access-group VL20 out



Kind Regards
Paul

Thank you so much for the information Paul. Sorry for the late response. I could not get back to this project in time.

 

So I tried your example and now I am able to communicate VL20 from both VL10 and V30.

 

The following are the issues now:

1. VL10 is not able to communicate with VL30, I need VL10 to be able to communicate with VL30.

2. VL20 is not able to communicate with VL10, I need VL20 to be able to communicate with only VL10.

3. VL30 is not able to communicate with VL10, I need VL30 to be able to communicate with VL10.

 

An IP address is only set for VL10, as 128.121.2.110 (255.254.0.0).

For VL20 and VL30 no IPv4 address is set, as it doesn't allow me to set an IP in the same range as VL10, but all the devices connected to all the VLANs are in the same IPv4 range.

This whole setup doesn't have access to the internet; it is only a machine network.

 

Any help is much appreciated.

 

Thanks!

 

SB

Implementing inter-VLAN routing at the L3 switch level is not recommended since it is stateless. This means you would need to create a rule for the source to destination traffic on the source VLAN SVI, and another for the return traffic on the destination VLAN SVI. If you have a firewall, and you can move the inter-VLAN routing to it, it would be a better option I think. However, if that is not an option, then to create the ACLs on the switch, you just need to use the IOS syntax (wildcard mask for the subnet mask definition) and apply them to the SVIs, possibly in inbound direction.
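Added worked example, not from any poster in this thread: it ties together Paul's `established` trick and the last reply's two points (RACLs are stateless, and IOS ACEs use wildcard masks applied inbound on the SVIs). It converts a subnet mask such as the thread's 255.254.0.0 to its wildcard, generates one inbound RACL per SVI from the original post's access policy (VL10 to all, VL20 to VL10 only, VL30 to VL10 and VL20), and then evaluates sample packets against the generated ACEs with first-match semantics so the asymmetry can be checked before touching a switch. The subnets 10.1.10.0/24, 10.1.20.0/24 and 10.1.30.0/24 and the ACL names FROM-VLxx are constructed assumptions; routed ACLs need a distinct subnet per VLAN, which the thread's single-range setup does not yet have.

```python
import ipaddress

# Constructed addressing (assumption): routed ACLs need one subnet per VLAN.
VLAN_SUBNETS = {10: "10.1.10.0/24", 20: "10.1.20.0/24", 30: "10.1.30.0/24"}

# Policy from the original post: VLANs each VLAN may open sessions to.
POLICY = {10: {20, 30}, 20: {10}, 30: {10, 20}}


def wildcard_mask(subnet_mask):
    """Dotted subnet mask (e.g. 255.254.0.0) -> IOS wildcard (0.1.255.255)."""
    return str(ipaddress.ip_network(f"0.0.0.0/{subnet_mask}").hostmask)


def acl_match_term(cidr):
    """'10.1.20.0/24' -> '10.1.20.0 0.0.0.255', as written in an IOS ACE."""
    net = ipaddress.ip_network(cidr)
    return f"{net.network_address} {net.hostmask}"


def build_ingress_acl(vlan):
    """Inbound RACL for the SVI of `vlan`, generated from POLICY.

    Inbound on the SVI, the ACL sees traffic sourced by that VLAN's hosts.
    Because the RACL is stateless, a destination VLAN this VLAN may not
    initiate to still gets TCP replies through (`established` = ACK/RST set),
    which is the trick from Paul's reply; UDP/ICMP toward it is denied.
    """
    src = acl_match_term(VLAN_SUBNETS[vlan])
    lines = [f"ip access-list extended FROM-VL{vlan}"]  # hypothetical name
    for dst_vlan in sorted(VLAN_SUBNETS):
        if dst_vlan == vlan:
            continue  # intra-VLAN traffic is switched, never hits the SVI
        dst = acl_match_term(VLAN_SUBNETS[dst_vlan])
        if dst_vlan in POLICY[vlan]:
            lines.append(f" permit ip {src} {dst}")
        else:
            lines.append(f" permit tcp {src} {dst} established")
            lines.append(f" deny ip {src} {dst}")
    lines.append(" deny ip any any")  # make the implicit deny visible
    lines += [f"interface Vlan{vlan}", f" ip access-group FROM-VL{vlan} in"]
    return lines


def _matches(term, wildcard, ip):
    """IOS wildcard semantics: bits set in the wildcard are 'don't care'."""
    t, w, a = (int(ipaddress.ip_address(x)) for x in (term, wildcard, ip))
    return (t & ~w) == (a & ~w)


def acl_permits(lines, proto, src_ip, dst_ip, established=False):
    """First-match evaluation of the generated ACEs; implicit deny at the end."""
    for line in lines:
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # access-list header and interface lines are not ACEs
        action, ace_proto, rest = tok[0], tok[1], tok[2:]
        if ace_proto != "ip" and ace_proto != proto:
            continue
        fields, i = [], 0  # source then destination: 'any' or 'addr wildcard'
        while i < len(rest) and len(fields) < 2:
            if rest[i] == "any":
                fields.append(("0.0.0.0", "255.255.255.255"))
                i += 1
            else:
                fields.append((rest[i], rest[i + 1]))
                i += 2
        if "established" in rest[i:] and not established:
            continue  # ACE only matches TCP packets that belong to a session
        (s, sw), (d, dw) = fields
        if _matches(s, sw, src_ip) and _matches(d, dw, dst_ip):
            return action == "permit"
    return False


if __name__ == "__main__":
    for vlan in VLAN_SUBNETS:
        print("\n".join(build_ingress_acl(vlan)), end="\n!\n")
    acl20 = build_ingress_acl(20)
    print("VL20 -> VL30 new TCP:", acl_permits(acl20, "tcp", "10.1.20.5", "10.1.30.5"))
    print("VL20 -> VL30 TCP reply:", acl_permits(acl20, "tcp", "10.1.20.5", "10.1.30.5", True))
```

Running it prints the three ACLs with their `interface Vlan` / `ip access-group ... in` lines and then shows the stateless limitation directly: a new TCP session from VL20 to VL30 is denied, a TCP reply from VL20 to a session VL30 opened is permitted, and any UDP from VL20 to VL30 is denied even when VL30 sent the first datagram, which is exactly why Paul's reply says UDP cannot be handled this way and the last reply suggests moving inter-VLAN routing to a stateful firewall.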