Intervlan Routing with access-list

robinandjiang
Level 1

I have a case here. I have two VLANs: one is VLAN 10, 192.168.10.0/24; the other is VLAN 100, 192.168.100.0/24.

I intend to block VLAN 10 from talking to VLAN 100 but allow VLAN 100 to reach VLAN 10.

How can I achieve this?

I tried an access list, but it didn't work.

ip access-list extended Block_Vlan10
 deny ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip any any

int vlan 10
 ip access-group Block_Vlan10 in

The problem with this access list is that the return traffic was also blocked when VLAN 100 initiated the connection.

Any idea?

Thanks.

 

4 Replies

balaji.bandi
Hall of Fame

Look at the thread below to solve your problem.

https://community.cisco.com/t5/switching/access-list-on-inter-vlan-routing/td-p/2083316

BB


Alex Pfeil
Level 7

Check to see if your equipment supports reflexive access lists. Here is an example. Please let us know if this does not resolve the issue.

https://community.cisco.com/t5/security-documents/reflexive-access-list-on-ios/ta-p/3130741


coolbreeze
Level 1

Hi there,

What kind of traffic is being initiated from VLAN 100 to VLAN 10? What protocols (IP, ICMP, UDP, TCP)? And are any specific traffic types involved (HTTP, TFTP, FTP, DHCP, SSH, Telnet, etc.)?

Do you want the end result to be: allow all traffic from VLAN 100 to VLAN 10, but deny all IP traffic from VLAN 10 to VLAN 100 except return traffic for a connection initiated from VLAN 100?

Thanks!

Joseph W. Doherty
Hall of Fame

"I intend to block VLAN 10 from talking to VLAN 100 but allow VLAN 100 to reach VLAN 10.

How can I achieve this?"

Your ACL should accomplish that; however, when you wrote:

"The problem with this access list is that the return traffic was also blocked when VLAN 100 initiated the connection."

you expanded your original requirement, as you also want to allow VLAN 100's return traffic. You're looking for a FW-type solution, i.e. something that maintains state. On a router, if you have an IOS with FW features, you can do it using that. Or the next best might be using a reflexive ACL, as suggested by Alex, but it needs to "mirror" the return traffic. Another solution, at least for TCP-based traffic, is checking for the established bit being set (this is mentioned in one of the other poster's referenced links too). Lastly, dynamic NAT might be used.
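The two ACL-only options mentioned in this thread (the established-bit check Joseph describes and the reflexive ACL Alex links to), written out against the OP's addressing as an added example; this is not configuration from any poster. It assumes an IOS device whose SVIs support these features, and the names Vlan100_Out and V100_SESSIONS are assumptions.

```cisco
! Option 1: "established" variant of the OP's ACL (TCP only).
! Matches VLAN 10 -> VLAN 100 packets with ACK or RST set, i.e. replies
! to sessions VLAN 100 opened. A SYN from VLAN 10 has neither bit, so it
! falls through to the deny. UDP and ICMP replies from VLAN 10 (DNS, ping)
! still hit the deny with this option.
ip access-list extended Block_Vlan10
 permit tcp 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255 established
 deny ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip any any
!
interface Vlan10
 ip access-group Block_Vlan10 in

! Option 2: reflexive ACL (stateful for TCP, UDP and ICMP).
! Traffic from VLAN 100 toward VLAN 10 leaves the router through Vlan10,
! so the "reflect" entry goes outbound on Vlan10 and records each session;
! the inbound ACL then "evaluate"s those temporary mirror entries before
! the deny. Names Vlan100_Out and V100_SESSIONS are assumptions.
ip access-list extended Vlan100_Out
 permit ip 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255 reflect V100_SESSIONS
 permit ip any any
!
ip access-list extended Block_Vlan10
 evaluate V100_SESSIONS
 deny ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip any any
!
interface Vlan10
 ip access-group Vlan100_Out out
 ip access-group Block_Vlan10 in
```

Option 1 is not truly stateful: any VLAN 10 packet with ACK or RST set is permitted regardless of whether a session exists, which is why the reflexive version is preferable where the platform supports it.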