
Block traffic between VLANs

robinandjiang
Level 1

I have 5 VLANs: vlan 1, vlan 20, vlan 30, vlan 40, vlan 50.

For some reasons only vlan 20 is allowed to visit vlan 50, and other vlans are denied from reaching it.

 

int vlan 1
 ip add 192.168.1.1 255.255.255.0
int vlan 20
 ip add 192.168.20.1 255.255.255.0
int vlan 30
 ip add 192.168.30.1 255.255.255.0
int vlan 40
 ip add 192.168.40.1 255.255.255.0
int vlan 50
 ip add 192.168.50.1 255.255.255.0

ip access-list extended Block_Vlan
 permit ip 192.168.20.0 0.0.0.255 any
 deny ip any any

int vlan 50
 ip access-group Block_Vlan out

 

But it doesn't work. Any ideas?

Thanks.

4 Replies

robinandjiang
Level 1

The ACL works only for traffic going through the switch; actually it works.

I am not able to reach the host which is sitting in vlan 50 from other vlans, except from vlan 20.

But I still can ping the gateway 192.168.50.1.

Tony77
Level 1

@robinandjiang wrote:

 

ip access-list extended Block_Vlan
 permit ip 192.168.20.0 0.0.0.255 any
 deny ip any any

 


In this ACL, the router will first check traffic against the first permit statement "permit ip 192.168.20.0 0.0.0.255 any". (If the source IP is within the ip range 192.168.20.0-192.168.20.255, then allow the traffic and ignore all statements afterwards. If it is not in the 192.168.20.0-192.168.20.255 range, then go to the next statement.)

The next statement is "deny ip any any". (Block all traffic that makes it to this point.)

 

There are a few things you can do to tweak this, depending on your needs. If you want to permit more vlans, you can add them like in this example:

 

ip access-list extended Block_Vlan
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 192.168.30.0 0.0.0.255 any
 permit ip 192.168.40.0 0.0.0.255 any
 deny ip any any

 

 

Or if you want to block specific vlans and permit the rest, you can do it this way:

 

ip access-list extended Block_Vlan
 deny ip 192.168.20.0 0.0.0.255 any
 permit ip any any

 

This would block vlan 20 and allow any other traffic.

senaka_bs
Level 1

I'm guessing that you are using icmp (ping) to test the connectivity between the VLANs.

 

Your ACL is blocking the traffic going into VLAN 50 from other VLANs (except VLAN 20).

 

Example - Packet from VLAN 30 (192.168.30.5) to VLAN 50 (192.168.50.5)

At the time the ACL is applied:

Source is 192.168.30.5, destination is 192.168.50.5 = Result: DROP
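Tony77's walk through the first-match rule, senaka_bs's packet example, and the original poster's observation that the gateway 192.168.50.1 stays pingable can all be checked with a small model of how an outbound ACL on interface vlan 50 is evaluated. The script below is an added example, not code from this thread or from Cisco: it parses the thread's ACL lines (IOS wildcard syntax, contiguous wildcards only), applies first-match evaluation with the implicit trailing deny, and models the one interface rule the thread hinges on, namely that an outbound interface ACL filters only packets the router forwards out of that interface, so a packet addressed to the SVI's own address never meets it. The host addresses 192.168.30.5, 192.168.20.7 and 192.168.40.9 are constructed sample values; return traffic and stateful behaviour are deliberately not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of the ACL posted in the thread (Cisco IOS syntax).
BLOCK_VLAN_TEXT = """
ip access-list extended Block_Vlan
 permit ip 192.168.20.0 0.0.0.255 any
 deny ip any any
"""

# Tony77's alternative: block VLAN 20 and permit everything else.
DENY_VLAN20_TEXT = """
ip access-list extended Block_Vlan
 deny ip 192.168.20.0 0.0.0.255 any
 permit ip any any
"""

# SVI address and subnet of VLAN 50, taken from the original post.
SVI_VLAN50 = ipaddress.IPv4Address("192.168.50.1")
VLAN50_NET = ipaddress.IPv4Network("192.168.50.0/24")


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    protocol: str                # "ip" matches every IP protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn 'addr wildcard' into a network. An IOS wildcard mask is the bitwise
    inverse of a subnet mask; only contiguous wildcards such as 0.0.0.255 are
    handled here, which is all the thread uses."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _parse_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(f"{tokens[1]}/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str) -> List[AclEntry]:
    """Parse the permit/deny lines of an extended ACL; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, protocol = tokens[0], tokens[1]
        src, rest = _parse_addr(tokens[2:])
        dst, _ = _parse_addr(rest)
        entries.append(AclEntry(action, protocol, src, dst))
    return entries


def evaluate(entries: List[AclEntry], src_ip: str, dst_ip: str,
             protocol: str = "ip") -> Tuple[str, Optional[int]]:
    """First-match evaluation as Tony77 describes: walk the entries in order and
    stop at the first whose source, destination and protocol all match. Returns
    (action, 1-based entry number); a packet matching nothing hits the implicit
    'deny ip any any' at the end of every IOS ACL, reported as entry None."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    for number, entry in enumerate(entries, start=1):
        if entry.protocol != "ip" and entry.protocol != protocol:
            continue
        if src in entry.src and dst in entry.dst:
            return entry.action, number
    return "deny", None


def outbound_on_vlan50(entries: List[AclEntry], src_ip: str, dst_ip: str,
                       protocol: str = "ip") -> Tuple[str, str]:
    """Model 'ip access-group Block_Vlan out' on interface vlan 50. The outbound
    ACL is consulted only for packets forwarded out of that interface; a packet
    addressed to the SVI itself terminates on the router and bypasses it, which
    is why 192.168.50.1 answers pings from every VLAN (assumption: IOS transit
    ACL semantics, as the thread's own follow-up observes)."""
    dst = ipaddress.IPv4Address(dst_ip)
    if dst == SVI_VLAN50:
        return "permit", "destined to the router itself; outbound ACL not consulted"
    if dst not in VLAN50_NET:
        return "permit", "not forwarded out interface vlan 50; this ACL does not apply"
    action, number = evaluate(entries, src_ip, dst_ip, protocol)
    return action, f"matched entry {number}" if number else "implicit deny"


if __name__ == "__main__":
    acl = parse_acl(BLOCK_VLAN_TEXT)
    for src, dst in [("192.168.30.5", "192.168.50.5"),   # senaka_bs's example
                     ("192.168.20.7", "192.168.50.5"),   # the permitted VLAN
                     ("192.168.30.5", "192.168.50.1")]:  # the OP's gateway ping
        print(src, "->", dst, outbound_on_vlan50(acl, src, dst, "icmp"))
```

Run as a script it prints the verdict for the three packets above: the VLAN 30 ping to a VLAN 50 host is dropped at entry 2, the VLAN 20 packet is permitted at entry 1, and the ping to 192.168.50.1 is answered because it never reaches the outbound check. Swapping in DENY_VLAN20_TEXT shows Tony77's inverted policy, and dropping the final deny line shows the implicit deny doing the same job.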

 

blwilkins1
Level 1

You actually have an outbound ACL configured, so it is not that the other VLANs cannot talk to VLAN 50; it's that VLAN 50 can only talk to VLAN 20. What are you trying to accomplish?
