05-07-2022 11:44 AM
Hi,
I want to restrict inter-VLAN traffic on a Nexus 9k. I am a little confused. Here is my scenario:
Vlan2 Ip address 192.168.0.1/24
Vlan3 IP address 192.168.1.0/24
Vlan4 ip address 192.168.3.0/24
Vlan5 ip address 192.168.4.0/24
Requirement
Servers in vlan2 should be able to communicate within the VLAN. Traffic from Vlan2, 3, 4 should not be able to communicate with vlan1, and vice versa.
Can I configure it like this?
Vlan1
IP address 192.168.0.1/24
ip access-group Deny_all in
ip access list Deny_all
10 Permit ip 192.168.0.1 0.0.0.255
20 deny ip 192.168.0.0 0.0.255.255 192.168.0.1 0.0.0.255 eq any
30 permit ip any any
The idea here is that within the VLAN all traffic should work, and any reverse traffic from IP address ranges other than 192.168.0.0/16 should also be allowed to Vlan1.
I know it is a little confusing, and that's why I am posting it here for suggestions. Any help on this will be highly appreciated.
regards,
Amit
05-07-2022 12:00 PM
"servers in vlan2 should be able to communicate within vlan" - does that mean that VLAN 1 can connect to servers in VLAN 2?
05-08-2022 12:46 PM - edited 05-08-2022 12:46 PM
You don't need the first line, because any traffic within the VLAN will not go to the SVI, i.e. it is not routed.
There are a couple of issues with your second line: 192.168.0.1 0.0.0.255 does not make much sense; do you mean 192.168.1.0 0.0.0.255?
Also, the direction in which you have applied the ACL is wrong, i.e. an ACL applied inbound is for traffic from hosts in that VLAN, and an ACL applied outbound is for traffic going to hosts in that VLAN.
So your ACL should be applied outbound, or you need to change the ACL, i.e.
deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
Jon
05-10-2022 10:36 PM
Hi Jon,
The concern here is to restrict Vlan 1 traffic to other VLANs and other VLANs to Vlan1. This should be applicable to other VLANs as well.
Vlan2 should not be able to communicate with other VLANs, and other VLANs should not be able to communicate with Vlan2. I'll keep adding VLANs as and when required.
Hope I am making sense.
Regards,
Amit
05-11-2022 12:12 AM
Reading your response to Paul: yes, you can use that same ACL for all your L3 SVIs if that is the requirement. It is pretty much what I suggested above; I just specified the source subnet whereas you have used any, which achieves the same thing.
Jon
05-08-2022 06:38 PM - edited 05-08-2022 06:40 PM
Hello
Do vlan 1 & 2 have the same addressing?
To prevent vlan 1 from communicating with vlans 2-5, your routed access list needs to be amended a little.
Ip access extended Deny_all
no 10
no 20
no 30
10 deny ip any 192.168.2.0 0.0.0.255
20 deny ip any 192.168.3.0 0.0.0.255
30 deny ip any 192.168.4.0 0.0.0.255
40 deny ip any 192.168.5.0 0.0.0.255
99 permit ip any any
05-10-2022 11:48 PM
Hi Paul,
Vlan 1 & 2 will have different IP address
Thanks for your suggestion. Vlan 1 & 2 will have different IP addresses. The CIDR is 192.168.0.0/16 and the subnet IPs are as follows.
This is not only for VLAN 1 & VLAN 2. The requirement is that VLAN1 should not be able to talk to VLAN2 and vice versa; further, the requirement is that all VLANs should be able to talk to servers within the same VLAN, but should not be able to talk to other VLANs.
Vlan1 192.168.0.1/24
Vlan2 192.168.1.0/24
Vlan3 192.168.2.0/24
Vlan4 192.168.3.0/24
Vlan5 192.168.4.0/24
Your recommendation:
Ip access extended Deny_all
no 10
no 20
no 30
10 deny ip any 192.168.2.0 0.0.0.255
20 deny ip any 192.168.3.0 0.0.0.255
30 deny ip any 192.168.4.0 0.0.0.255
40 deny ip any 192.168.5.0 0.0.0.255
99 permit ip any any
My requirement:
10 deny ip any 192.168.0.0 0.0.255.255
100 permit ip any any
I will keep adding new VLANs in the range 192.168.x.x. Can I add the entire CIDR for VLAN1 and the other VLANs, so that in future, if I add VLAN6 with subnet 192.168.5.0/24 and VLAN7 with subnet 192.168.6.0/24, the same ACL Deny_all can be applied to the VLAN6 and VLAN7 SVIs? Otherwise I'll have to edit the Deny_all ACL and keep adding subnet IPs for every new VLAN created.
Regards,
Amit
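The two points that decide this thread are Jon's remarks about SVI ACLs (intra-VLAN traffic never reaches the SVI, and "in" filters traffic from the VLAN's hosts while "out" filters traffic to them) and Amit's single-line Deny_all that Jon confirms can be reused on every SVI. The following script is an added illustration, not code from the thread or from Cisco: it parses the wildcard-mask ACEs as posted, evaluates them with first-match and implicit-deny semantics, and models an SVI just far enough to show which packets the ACL actually sees. The sample hosts (192.168.0.10, 10.20.30.40 and so on), the future VLAN6 SVI at 192.168.5.1/24 and the trailing `permit ip any any` appended to Jon's VLAN2 deny line are all constructed assumptions.

```python
"""Simulate first-match evaluation of the thread's wildcard ACLs bound to SVIs.

Added example; the SVI model is a simplification of IOS/NX-OS behaviour.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Spec = Tuple[str, str]  # (base address, wildcard mask)


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str  # "permit" or "deny"
    src: Spec
    dst: Spec


def _take_address(tokens: List[str]) -> Tuple[Spec, List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse '<seq> permit|deny ip <src> <dst>', the only ACE shape used in the thread."""
    tokens = line.lower().split()
    seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, rest = _take_address(tokens[3:])
    dst, rest = _take_address(rest)
    if rest:
        # e.g. a trailing 'eq any': port operators belong to tcp/udp ACEs, not 'ip'
        raise ValueError(f"unexpected trailing tokens in ACE: {' '.join(rest)}")
    return Ace(seq, action, src, dst)


def wildcard_match(addr: str, spec: Spec) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    base = int(ipaddress.IPv4Address(spec[0]))
    care = ~int(ipaddress.IPv4Address(spec[1])) & 0xFFFFFFFF
    return (a & care) == (base & care)


def evaluate_acl(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; a packet matching nothing hits the implicit deny."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action, ace.seq
    return "deny", None


def svi_verdict(acl: List[Ace], direction: str, svi_prefix: str, src: str, dst: str) -> str:
    """What an ACL bound to an SVI does to one packet (Jon's two observations).

    - Two hosts in the same VLAN are bridged at layer 2; the SVI and its ACL
      never see that traffic.
    - 'in' applies to packets arriving from hosts in the VLAN, 'out' to packets
      being delivered to hosts in the VLAN; anything else passes this SVI unfiltered.
    """
    net = ipaddress.IPv4Network(svi_prefix, strict=False)
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if s in net and d in net:
        return "switched (ACL not consulted)"
    if direction == "in" and s not in net:
        return "not seen by this SVI inbound"
    if direction == "out" and d not in net:
        return "not seen by this SVI outbound"
    action, seq = evaluate_acl(acl, src, dst)
    return f"{action} by seq {seq}" if seq is not None else "deny (implicit)"


# Amit's proposed Deny_all, applied inbound on every SVI.
AMIT_DENY_ALL = [parse_ace(line) for line in ("10 deny ip any 192.168.0.0 0.0.255.255",
                                              "100 permit ip any any")]
# Jon's per-VLAN variant for the VLAN2 SVI. The trailing permit is an assumption
# added here; Jon's reply shows only the deny line.
JON_VLAN2_IN = [parse_ace("10 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255"),
                parse_ace("20 permit ip any any")]

# Constructed sample flows: (SVI prefix the ACL is bound to, src, dst).
SAMPLE_FLOWS = [
    ("192.168.0.1/24", "192.168.0.10", "192.168.1.20"),  # VLAN1 host to VLAN2 host
    ("192.168.0.1/24", "192.168.0.10", "192.168.0.20"),  # VLAN1 host to VLAN1 host
    ("192.168.0.1/24", "192.168.0.10", "10.20.30.40"),   # VLAN1 host to outside
    ("192.168.0.1/24", "10.20.30.40", "192.168.0.10"),   # return traffic from outside
    ("192.168.5.1/24", "192.168.5.10", "192.168.1.20"),  # future VLAN6, same ACL reused
]


def run_samples(acl: List[Ace], direction: str = "in") -> List[str]:
    """Verdict for each sample flow under the given ACL and binding direction."""
    return [svi_verdict(acl, direction, pfx, s, d) for pfx, s, d in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, run_samples(AMIT_DENY_ALL)):
        print(f"{flow[1]:>14} -> {flow[2]:<14} on {flow[0]:<16} {verdict}")
```

Running it shows why the single /16 deny works for every present and future SVI: the VLAN1-to-VLAN2 and VLAN6-to-VLAN2 flows are denied by seq 10, the intra-VLAN flow never touches the ACL, the flow to 10.20.30.40 is permitted by seq 100, and the return packet from 10.20.30.40 is not inspected by VLAN1's inbound ACL at all, which is what Jon means by inbound being "traffic from hosts in that VLAN". One thing the model deliberately leaves out: a packet addressed to the SVI's own IP (a host pinging its gateway at 192.168.0.1) is handed to the switch rather than bridged, and an inbound ACL on the SVI is consulted for it, so a blanket deny of 192.168.0.0/16 also stops hosts from reaching their default gateway unless a more specific permit precedes it; verify that on the box before rolling the ACL out.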