Access List deny ip in same vlan

Nuno Castro
Level 1

Hello all;

Here is my configuration:

Building configuration...

Current configuration : 2421 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname NAME
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
ip dhcp excluded-address 10.0.0.1 10.0.0.10
!
ip dhcp pool lan
   import all
   network 10.0.0.0 255.255.255.0
   dns-server 8.8.8.8
   default-router 10.0.0.254
   lease infinite
!
!
ip cef
ip name-server 192.168.1.254
!
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 2
!
interface Virtual-Template1
 ip unnumbered Vlan1
 peer default ip address pool VPN
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2
!
interface Vlan1
 description *** INTERFACE OUTSIDE ***
 ip address 192.168.1.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
interface Vlan2
 description *** Client Network ***
 ip address 10.0.0.254 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
!
ip local pool VPN 192.168.1.50 192.168.1.60
ip default-gateway 192.168.1.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
no ip http secure-server
!
ip nat inside source list NET interface Vlan1 overload
!
ip access-list extended NET
 permit ip 10.0.0.0 0.0.0.255 any
!
access-list 101 deny   ip any 192.168.1.0 0.0.0.255
access-list 101 deny   tcp any 192.168.1.0 0.0.0.255
access-list 101 deny   udp any 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password 7 XXXXXXXXXXXXXXXXXX
 transport input ssh
 transport output all
!
scheduler max-task-time 5000
end

Now I want to deny IP traffic between any hosts in VLAN 2, except the range 10.0.0.1 to 10.0.0.10. Can you help me?

Best regards

5 Replies

Hi

I think you could use private VLANs to accomplish that.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swpvlan.html




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Does this work on any switch or just L3 ones? I tried it on some 2960s I have here and none of them has this functionality.

Hi 

I recommend verifying with the Cisco compatibility tool (http://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/index.jsp) for your IOS; also, please see the following link:

http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/10601-90.html

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Hello;

Thanks a lot for your answer. My router is an old one, a Cisco 877, with c870-advsecurityk9-mz.124-24.T8. I can't have private VLANs in this IOS version; can I deny traffic with access lists?

Best regards;

Hello,

I am not sure if your 877 supports VLAN access lists. Try the config below (in this example, host 10.0.0.11 cannot talk to anyone; the rest can. If this works, we can add all the other hosts as well, with some address summarization):

! Use a separate list for the match clause: access-list 101 is already applied
! inbound on Vlan2 and ends with "permit ip any any", so matching on it would
! select (and drop) every frame in the VLAN.
877(config)#access-list 102 permit ip host 10.0.0.11 any

! Sequence 10: frames permitted by list 102 (sourced by 10.0.0.11) are dropped
877(config)#vlan access-map DENY_RANGE 10
877(config-access-map)#match ip address 102
877(config-access-map)#action drop
! Sequence 20: no match clause, so everything else is forwarded
877(config-access-map)#vlan access-map DENY_RANGE 20
877(config-access-map)#action forward

! Apply the map to VLAN 2 (the client network)
877(config)#vlan filter DENY_RANGE vlan-list 2
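An added example, not code from the thread or from Cisco: a small Python model of the two things the last reply touches on. It summarizes the original poster's exempt range 10.0.0.1 to 10.0.0.10 into the fewest address/wildcard pairs (the "address summarization" the reply mentions), and it emulates first-match interface ACL evaluation and `vlan access-map` evaluation so the intended policy can be checked offline before it is typed in. Two caveats a practitioner will want: the list applied with `ip access-group 101 in` on Vlan2 only sees packets routed through that SVI, so frames switched between FastEthernet2 and FastEthernet3 inside VLAN 2 never reach it, which is why a router ACL alone cannot answer the original question; and access-list 101 already exists on this router and ends with `permit ip any any`, so if it is reused as a VACL match clause every frame matches and is dropped. The gateway 10.0.0.254 is added to the exempt list so clients keep their default route. The ACL name EXEMPT, the three-sequence layout and the sample packets are assumptions for illustration; port operators are not modelled; and whether this IOS image accepts `vlan access-map` at all has to be checked on the router itself.

```python
"""Added example for this thread, not the router's own configuration or a Cisco tool.
Summarizes the exempt range into IOS address/wildcard pairs and emulates first-match
ACL evaluation and 'vlan access-map' evaluation (protocol, source and destination
only; port operators are not modelled) so a policy can be checked before deploying it."""
from __future__ import annotations
import ipaddress
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed from the thread: the Vlan2 client network, its gateway (the SVI, which
# must stay reachable for NAT to work) and the range the poster wants unrestricted.
CLIENT_NET = ip_network("10.0.0.0/24")
GATEWAY = ip_address("10.0.0.254")
EXEMPT_FIRST, EXEMPT_LAST = ip_address("10.0.0.1"), ip_address("10.0.0.10")

# access-list 101 exactly as it appears in the posted configuration
ROUTER_ACL_101 = [
    "access-list 101 deny   ip any 192.168.1.0 0.0.0.255",
    "access-list 101 deny   tcp any 192.168.1.0 0.0.0.255",
    "access-list 101 deny   udp any 192.168.1.0 0.0.0.255",
    "access-list 101 permit ip any any",
]

def wildcard(net: IPv4Network) -> str:
    """IOS 'address wildcard' form of a CIDR block (the wildcard is the inverted mask)."""
    return f"{net.network_address} {net.hostmask}"

def summarize_range(first: IPv4Address, last: IPv4Address) -> list[IPv4Network]:
    """Smallest set of CIDR blocks covering an inclusive address range."""
    return list(ipaddress.summarize_address_range(first, last))

def exempt_acl(name: str = "EXEMPT") -> list[str]:
    """Named extended ACL (name is an assumption) matching any packet between the
    client network and an exempt host or the gateway, in either direction."""
    blocks = summarize_range(EXEMPT_FIRST, EXEMPT_LAST) + [ip_network(f"{GATEWAY}/32")]
    lines = [f"ip access-list extended {name}"]
    for blk in blocks:
        lines.append(f" permit ip {wildcard(blk)} {wildcard(CLIENT_NET)}")
        lines.append(f" permit ip {wildcard(CLIENT_NET)} {wildcard(blk)}")
    return lines

def _parse_addr(tok: list[str]) -> tuple[IPv4Network, list[str]]:
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'; return it and the rest."""
    if tok[0] == "any":
        return ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ip_network(f"{tok[1]}/32"), tok[2:]
    wc = int(ip_address(tok[1]))
    if wc & (wc + 1):                       # IOS accepts these; this model does not
        raise ValueError(f"non-contiguous wildcard {tok[1]}")
    return ip_network(f"{tok[0]}/{32 - bin(wc).count('1')}", strict=False), tok[2:]

def parse_entry(line: str) -> tuple[str, str, IPv4Network, IPv4Network]:
    """Parse 'permit|deny <proto> <src> <dst>' in numbered or named-ACL form."""
    tok = line.split()
    if tok[0] == "access-list":             # numbered form: access-list N permit ...
        tok = tok[2:]
    src, rest = _parse_addr(tok[2:])
    dst, _ = _parse_addr(rest)
    return tok[0], tok[1], src, dst

def _covers(entry_proto: str, pkt_proto: str) -> bool:
    return entry_proto == "ip" or entry_proto == pkt_proto

def evaluate(acl: list[str], proto: str, src: str, dst: str) -> str:
    """Interface ACL semantics: first matching entry wins, implicit deny at the end."""
    s, d = ip_address(src), ip_address(dst)
    for action, p, sn, dn in map(parse_entry, acl):
        if _covers(p, proto) and s in sn and d in dn:
            return action
    return "deny"

def shadowed(acl: list[str]) -> list[int]:
    """Indexes of entries that can never match because an earlier entry covers them."""
    entries = list(map(parse_entry, acl))
    return [j for j, (_, pj, sj, dj) in enumerate(entries)
            if any(_covers(pi, pj) and sj.subnet_of(si) and dj.subnet_of(di)
                   for _, pi, si, di in entries[:j])]

def vacl_action(access_map: list[tuple[list[str] | None, str]],
                proto: str, src: str, dst: str) -> str:
    """Emulate 'vlan access-map': a sequence applies when its match ACL *permits* the
    packet; a sequence without a match clause applies to everything; no match drops."""
    for match_acl, action in access_map:
        if match_acl is None or evaluate(match_acl, proto, src, dst) == "permit":
            return action
    return "drop"

def isolation_map() -> list[tuple[list[str] | None, str]]:
    """The policy asked for in the thread: exempt hosts and the gateway may talk to
    anyone, other Vlan2 hosts cannot reach each other, all other traffic is forwarded."""
    intra = [f"permit ip {wildcard(CLIENT_NET)} {wildcard(CLIENT_NET)}"]
    return [(exempt_acl()[1:], "forward"), (intra, "drop"), (None, "forward")]

if __name__ == "__main__":
    print("\n".join(exempt_acl()))
    print("shadowed entries in access-list 101:", shadowed(ROUTER_ACL_101))
    for dst in ("10.0.0.5", "10.0.0.30", "10.0.0.254", "8.8.8.8"):
        print(f"10.0.0.20 -> {dst}: {vacl_action(isolation_map(), 'ip', '10.0.0.20', dst)}")
```

Running it prints the EXEMPT list ready to paste (five blocks for the range plus the gateway, each in both directions), reports that the `deny tcp` and `deny udp` lines of the posted access-list 101 are shadowed by the `deny ip` line above them, and shows a non-exempt host 10.0.0.20 reaching 10.0.0.5, the gateway and the Internet but not 10.0.0.30. The same evaluator shows why the match list must be a fresh one: feeding the existing access-list 101 to sequence 10 returns `drop` for every packet.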
