01-24-2019 01:59 PM
I have 5 VLANs: vlan 1, vlan 20, vlan 30, vlan 40, vlan 50.
For some reasons, only vlan 20 is allowed to visit vlan 50, and the other vlans are denied from reaching it.
interface vlan 1
 ip address 192.168.1.1 255.255.255.0
interface vlan 20
 ip address 192.168.20.1 255.255.255.0
interface vlan 30
 ip address 192.168.30.1 255.255.255.0
interface vlan 40
 ip address 192.168.40.1 255.255.255.0
interface vlan 50
 ip address 192.168.50.1 255.255.255.0
ip access-list extended Block_Vlan
 permit ip 192.168.20.0 0.0.0.255 any
 deny ip any any
interface vlan 50
 ip access-group Block_Vlan out
But it doesn't work. Any ideas?
Thanks
01-24-2019 02:58 PM
The ACL works only for traffic going through the switch; actually, it works.
I am not able to reach the host sitting in vlan 50 from the other vlans, except from vlan 20.
But I can still ping the gateway 192.168.50.1.
01-24-2019 03:42 PM - edited 01-24-2019 03:43 PM
@robinandjiang wrote:
ip access-list extended Block_Vlan
 permit ip 192.168.20.0 0.0.0.255 any
 deny ip any any
In this ACL, the router will first check traffic against the first permit statement "permit ip 192.168.20.0 0.0.0.255 any". (If the source IP is within the ip range 192.168.20.0-192.168.20.255, then allow the traffic and ignore all statements afterwards. If it is not in the 192.168.20.0-192.168.20.255 range, then go to the next statement.)
The next statement is "deny ip any any". (Block all traffic that makes it to this point.)
There are a few things you can do to tweak this, depending on your needs. If you want to permit more vlans, you can add them like in this example:
ip access-list extended Block_Vlan
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 192.168.30.0 0.0.0.255 any
 permit ip 192.168.40.0 0.0.0.255 any
 deny ip any any
Or if you want to block specific vlans and permit the rest, you can do it this way:
ip access-list extended Block_Vlan
 deny ip 192.168.20.0 0.0.0.255 any
 permit ip any any
This would block vlan 20 and allow any other traffic.
01-24-2019 08:13 PM
I'm guessing that you are using ICMP (ping) to test the connectivity between the VLANs.
Your ACL is blocking the traffic going in to VLAN 50 from the other VLANs (except VLAN 20).
Example: a packet from VLAN 30 (192.168.30.5) to VLAN 50 (192.168.50.5).
At the time the ACL is applied:
Source is 192.168.30.5, destination is 192.168.50.5 = Result: DROP
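The first-match evaluation explained in the 03:42 PM reply and the VLAN 30 to VLAN 50 drop walked through in the reply just above, modelled in a small Python script. This is an added example, not code from the thread; the function names, the "to-switch" and "not-via-vlan50" outcomes, and the sample host addresses are my own, and the direction model assumes what the thread says about outbound ACLs (they only see traffic forwarded out of the interface, so pings to the SVI address itself bypass it).

```python
import ipaddress

# The ACL posted in the thread, in IOS 'permit|deny ip <src> <wc>|any <dst> <wc>|any' form.
BLOCK_VLAN = """
ip access-list extended Block_Vlan
 permit ip 192.168.20.0 0.0.0.255 any
 deny ip any any
"""
SVI_VLAN50 = "192.168.50.1"                           # 'ip address' on interface vlan 50
VLAN50_NET = ipaddress.IPv4Network("192.168.50.0/24")

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_acl(text):
    """Return entries as (action, (src_base, src_wc), (dst_base, dst_wc))."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list extended ...' header line
        addrs = []
        for t in tokens[2:]:  # tokens[1] is the protocol ('ip')
            addrs += ["0.0.0.0", "255.255.255.255"] if t == "any" else [t]
        entries.append((tokens[0], tuple(addrs[0:2]), tuple(addrs[2:4])))
    return entries

def evaluate(entries, src, dst):
    """First match wins; returns (action, 1-based line) or the implicit deny."""
    for n, (action, (sb, sw), (db, dw)) in enumerate(entries, 1):
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action, n
    return "deny", None  # every IOS ACL ends with an implicit 'deny ip any any'

def outbound_vlan50(entries, src, dst):
    """Model 'ip access-group Block_Vlan out' on interface vlan 50 (assumed model).

    The outbound ACL only sees packets forwarded out of that SVI toward hosts in
    192.168.50.0/24; packets addressed to the SVI itself terminate on the switch and
    never hit it, and packets leaving VLAN 50 exit through some other SVI."""
    if dst == SVI_VLAN50:
        return "to-switch"
    if ipaddress.IPv4Address(dst) not in VLAN50_NET:
        return "not-via-vlan50"
    action, _ = evaluate(entries, src, dst)
    return "forward" if action == "permit" else "drop"

if __name__ == "__main__":
    acl = parse_acl(BLOCK_VLAN)  # constructed sample flows follow
    for s, d in [("192.168.20.5", "192.168.50.5"), ("192.168.30.5", "192.168.50.5"),
                 ("192.168.30.5", SVI_VLAN50), ("192.168.50.5", "192.168.30.5")]:
        print(f"{s} -> {d}: {outbound_vlan50(acl, s, d)}")
```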
01-30-2019 07:41 AM
You actually have an outbound ACL configured, so it is not that the other VLANs cannot talk to VLAN 50; it's that VLAN 50 can only talk to VLAN 20. What are you trying to accomplish?