10-13-2020 11:39 AM
Hi all,
I need some help w.r.t setting up VLAN maps/ACL.
The following scenario is what I need:
Three VLANs - VLAN10, VLAN20, VLAN30
VLAN10 - Should be able to access all packets on VLAN20 and VLAN 30
VLAN20 - Should only be able to access VLAN10
VLAN30 - Should be able to access both VLAN10 and VLAN20
I am using a catalyst 2960 switch.
Thank you for your consideration.
10-13-2020 12:51 PM
Are you looking for a Layer 2 based or Layer 3 based ACL?
Look at the guide below: build one as per your understanding; if you still have issues, post the ACL here and we can tweak it for you.
10-14-2020 05:43 AM - edited 10-14-2020 05:44 AM
Hi Balaji,
I need to make a Layer 2 based ACL. I want to make it so that VLAN20 cannot send/receive packets from VLAN30 but is only able to send and receive packets to VLAN10.
Regards
SB
10-14-2020 03:05 PM
Hello
Inter-VLAN communication is L3, so it cannot be an L2 ACL.
You have options:
1) routed ACL on the SVIs
2) private VLANs
The following example is a RACL (option 1) to allow VL30 TCP communication to VL20 but not allow VL20 TCP communication to VL30;
unfortunately, with this option, as UDP is connectionless, it won't negate UDP unless it is denied entirely.
! named extended ACL: allow only return traffic of TCP sessions that VL30 started
ip access-list extended VL20
permit tcp 10.1.20.0 0.0.0.255 any established
deny tcp 10.1.20.0 0.0.0.255 any
permit ip any any
! applied outbound on the VL30 SVI, so it sees traffic forwarded toward VL30 hosts
int vlan 30
ip access-group VL20 OUT
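As an added illustration (not part of the post above or any Cisco tool), here is a small Python model of how IOS evaluates that RACL: top-down first match, wildcard masks, and the TCP `established` keyword, run against constructed packets forwarded toward VLAN 30. It assumes VLAN 10 is 10.1.10.0/24 and VLAN 30 is 10.1.30.0/24, which the thread does not state; it shows the VL20-initiated TCP session being denied, the reply traffic being permitted, and the UDP gap mentioned in the post.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    ack_or_rst: bool = False  # TCP ACK or RST bit set, which is what "established" keys on
@dataclass
class Entry:                  # one line of an extended access-list
    action: str               # "permit" or "deny"
    proto: str                # "ip", "tcp" or "udp"
    src: str                  # IOS "address wildcard" form, or "any"
    dst: str
    established: bool = False
def wildcard_match(addr: str, spec: str) -> bool:
    # IOS wildcard: a 1 bit means "don't care", so compare only where the mask is 0.
    if spec == "any":
        return True
    base, wild = spec.split()
    care = int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)
def evaluate(acl: list, p: Packet) -> str:
    # Top-down, first match wins; a packet that matches nothing hits the implicit deny.
    for e in acl:
        if e.proto != "ip" and e.proto != p.proto:
            continue
        if e.established and not (p.proto == "tcp" and p.ack_or_rst):
            continue
        if wildcard_match(p.src, e.src) and wildcard_match(p.dst, e.dst):
            return e.action
    return "deny"

# The VL20 ACL from the post, applied "out" on interface vlan 30, so it is
# evaluated on packets the switch forwards toward VLAN 30 hosts.
VL20 = [
    Entry("permit", "tcp", "10.1.20.0 0.0.0.255", "any", established=True),
    Entry("deny",   "tcp", "10.1.20.0 0.0.0.255", "any"),
    Entry("permit", "ip",  "any", "any"),
]

def sample_results() -> dict:
    # Constructed packets toward VLAN 30 (assumed 10.1.30.0/24; VLAN 10 assumed 10.1.10.0/24).
    pkts = {
        "vl20_new_tcp":   Packet("10.1.20.5", "10.1.30.5", "tcp"),                   # VL20 opening a session
        "vl20_tcp_reply": Packet("10.1.20.5", "10.1.30.5", "tcp", ack_or_rst=True),  # reply to a VL30-opened session
        "vl20_udp":       Packet("10.1.20.5", "10.1.30.5", "udp"),                   # the UDP gap noted in the post
        "vl10_new_tcp":   Packet("10.1.10.5", "10.1.30.5", "tcp"),                   # VL10 traffic is untouched
    }
    return {name: evaluate(VL20, p) for name, p in pkts.items()}
```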
10-18-2020 08:09 PM
Thank you so much for the information Paul. Sorry for the late response. I could not get back to this project in time.
So I tried your example and now I am able to communicate with VL20 from both VL10 and VL30.
The following are the issues now:
1. VL10 is not able to communicate with VL30, I need VL10 to be able to communicate with VL30.
2. VL20 is not able to communicate with VL10, I need VL20 to be able to communicate with only VL10.
3. VL30 is not able to communicate with VL10, I need VL30 to be able to communicate with VL10.
The IP address is only set for VL10 as 128.121.2.110 (255.254.0.0).
VL20 and VL30 have no IPv4 address set, as it doesn't allow me to set an IP in the same range as VL10, but all the devices connected to all the VLANs are in the same IPv4 range.
This whole setup doesn't have access to the internet; it is only a machine network.
Any help is much appreciated.
Thanks!
SB
10-14-2020 04:08 AM
Implementing inter-VLAN routing at the L3 switch level is not recommended since it is stateless. This means you would need to create a rule for the source-to-destination traffic on the source VLAN SVI, and another for the return traffic on the destination VLAN SVI. If you have a firewall, and you can move the inter-VLAN routing to it, it would be a better option I think. However, if that is not an option, then to create the ACLs on the switch, you just need to use the IOS syntax (wildcard mask for the subnet mask definition) and apply them to the SVIs, possibly in the inbound direction.