cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1584
Views
5
Helpful
4
Replies
Highlighted
Beginner

Intervlan Routing with access-list

i have a case here, i have two vlans, one is vlan 10, 192.168.10.0/24. another is vlan 100, 192.168.100.0/24.

i design to block vlan 10 to talk to vlan 100 but allow vlan 100 to reach vlan 10.

how can i achieve this?

i tried access list, but didn't work.

 

ip access-list extended Block_Vlan10

deny ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255

permit ip any any

 

int vlan 10

ip access-group Block_Vlan10 in

 

the problem with this access list is the return traffic was also blocked when vlan 100 initiated the  connection.

any idea?

 

thanks.

 

4 REPLIES 4
VIP Advisor

Re: Intervlan Routing with access-list

Look at below thread to solve your problem.

 

https://community.cisco.com/t5/switching/access-list-on-inter-vlan-routing/td-p/2083316

 

BB
*** Rate All Helpful Responses ***
Contributor

Re: Intervlan Routing with access-list

Check to see if your equipment supports reflexive access lists. Here is an example. Please let us know if this does not resolve the issue.

 

https://community.cisco.com/t5/security-documents/reflexive-access-list-on-ios/ta-p/3130741

 

please mark helpful posts.

Beginner

Re: Intervlan Routing with access-list

Hi there,

What kind of traffic is being initiated from vlan 100 to vlan 10?  What protocols? (IP, ICMP, UDP, TCP?)  And any specific traffic types involved? (HTTP, TFTP, FTP, DHCP, SSH, Telnet, etc?)

 

Are you wanting end result to completely allow all traffic from vlan 100 to vlan 10, but deny all IP traffic (except return traffic from an initiated vlan 100 connection) from vlan 10 to vlan 100?

 

Thanks!

 

VIP Expert

Re: Intervlan Routing with access-list

"i design to block vlan 10 to talk to vlan 100 but allow vlan 100 to reach vlan 10.

how can i achieve this?"

Your ACL should accomplish that, however, when you wrote:

"the problem with this access list is the return traffic was also blocked when vlan 100 initiated the connection."

You've expanded your original requirement, as you want to also allow for VLAN 100's return traffic. You're looking for a FW type solution, i.e. something that maintains state. On a router, if you have an IOS with FW features, you can do it using that. Or next best might be using a reflex ACL, as suggested by Alex, but it needs "mirror" return traffic. Another solution, at least for TCP based traffic, is checking for the established bit being set (this is mentioned in one of the other poster's referenced link too. Lastly, dynamic NAT might be used.
CreatePlease to create content
Content for Community-Ad