bvn63
Beginner

ACL for SVI

Hello,

I have a Cisco 2811 router and multiple 2960 switches. I want VLAN 90 to be unable to reach the other VLANs while the other VLANs can still connect to it (e.g. on ports 445, 139, ...), but it doesn't work. I have configured the SVIs on the Cisco 2811 as follows:

Cisco 2811:

Interfaces:

interface FastEthernet0/1
 description LAN
 no ip address
 ip flow ingress
 duplex full
 speed auto
 no cdp enable
!
interface FastEthernet0/1.10
 encapsulation dot1Q 1 native
 ip address 192.168.10.1 255.255.254.0
 ip helper-address 192.168.10.100
 glbp 1 ip 192.168.10.254
 glbp 1 timers msec 250 msec 750
 glbp 1 timers redirect 2 40000
 glbp 1 priority 200
 glbp 1 preempt
 glbp 1 weighting 100 lower 90 upper 95
 glbp 1 authentication md5 key-string 7 01120407
 glbp 1 weighting track 1 decrement 20
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.168.10.100
 glbp 2 ip 192.168.20.254
 glbp 2 timers msec 250 msec 750
 glbp 2 timers redirect 2 40000
 glbp 2 priority 200
 glbp 2 preempt
 glbp 2 weighting 100 lower 90 upper 95
 glbp 2 authentication md5 key-string 7 13041511
 glbp 2 weighting track 1 decrement 20
!
interface FastEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip helper-address 192.168.10.100
 glbp 3 ip 192.168.30.254
 glbp 3 timers msec 250 msec 750
 glbp 3 timers redirect 2 40000
 glbp 3 priority 200
 glbp 3 preempt
 glbp 3 weighting 100 lower 90 upper 95
 glbp 3 authentication md5 key-string 7 13041511
 glbp 3 weighting track 1 decrement 20
!
interface FastEthernet0/1.50
 description VOICE VLAN
 encapsulation dot1Q 50
 ip address 192.168.50.1 255.255.255.0
 ip helper-address 192.168.10.100
 glbp 5 ip 192.168.50.254
 glbp 5 timers msec 250 msec 750
 glbp 5 timers redirect 2 40000
 glbp 5 priority 200
 glbp 5 preempt
 glbp 5 weighting 100 lower 90 upper 95
 glbp 5 authentication md5 key-string 7 12180714
 glbp 5 weighting track 1 decrement 20
!
interface FastEthernet0/1.90
 description WIRELESS-VLAN
 encapsulation dot1Q 90
 ip address 192.168.90.1 255.255.254.0
 ip access-group TEST in
 ip helper-address 192.168.10.100
 glbp 9 ip 192.168.90.254
 glbp 9 timers msec 250 msec 750
 glbp 9 timers redirect 2 40000
 glbp 9 priority 200
 glbp 9 preempt
 glbp 9 weighting 100 lower 90 upper 95
 glbp 9 authentication md5 key-string 7 00051105
 glbp 9 weighting track 1 decrement 20
!

Access-List

ip access-list extended TEST
 permit ip any host 192.168.10.254
 permit ip any host 192.168.10.100
 permit ip any host 192.168.10.30
 deny   ip any 192.168.10.0 0.0.1.255
 deny   ip any 192.168.20.0 0.0.1.255
 deny   ip any 192.168.30.0 0.0.1.255
 permit ip any any

With this ACL, VLAN 90 is blocked, but the other VLANs cannot access VLAN 90 either.

ip access-list extended TEST
 permit ip any host 192.168.10.254
 permit ip any host 192.168.10.100
 permit ip any host 192.168.10.30
 permit icmp any 192.168.10.0 0.0.1.255 echo-reply
 permit icmp any 192.168.20.0 0.0.1.255 echo-reply
 permit icmp any 192.168.30.0 0.0.1.255 echo-reply
 deny   tcp any 192.168.10.0 0.0.1.255
 deny   tcp any 192.168.20.0 0.0.1.255
 deny   tcp any 192.168.30.0 0.0.1.255
 permit ip any any

With this ACL, VLAN 90 is blocked and the other VLANs still cannot access VLAN 90, but the other VLANs can ping VLAN 90.

Can someone help me configure this as desired?

Thank you.

Sang.

Daniele Giordano
Rising star

Hi, try this:

ip access-group TEST out

ip access-list extended TEST
deny ip 192.168.10.0 0.0.1.255 192.168.90.0 0.0.1.255
deny ip 192.168.20.0 0.0.1.255 192.168.90.0 0.0.1.255
deny ip 192.168.30.0 0.0.1.255 192.168.90.0 0.0.1.255
permit ip any any

Hi Daniele,

After checking your configuration, it didn't work, so I configured it as follows and it worked.

ip access-group TEST in

ip access-list extended TEST
 10 permit tcp any 192.168.30.0 0.0.0.255 established log
 11 deny tcp any 192.168.30.0 0.0.0.255 log
 20 permit ip any any

 

Thanks for your suggestions.

 

Sang.
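Added example (not code from the thread): a small Python evaluator for the IOS extended-ACL semantics at play in the original post and in Sang's final configuration above. An ACL applied `in` on Fa0/1.90 only ever sees packets sourced from VLAN 90, including the SYN-ACK replies to sessions that a VLAN 30 client started, which is why the first ACL cut VLAN 30 off, why the second one let pings through but nothing else, and why `established` (which passes any TCP segment carrying ACK or RST) restores that access. The ACL entries are the ones posted in the thread; the two hosts 192.168.90.10 and 192.168.30.10 and the packets are constructed for illustration.

```python
"""Added example, not part of the thread: evaluator for the IOS extended-ACL
semantics used here, replaying the thread's three ACLs against constructed
packets.  Hosts 192.168.90.10 / 192.168.30.10 and all packets are constructed."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str                        # source address as the ACL sees it
    dst: str
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN", "ACK"}
    icmp_type: str = ""             # "echo" or "echo-reply" for ICMP

def _match_addr(addr, spec):
    """IOS address matching: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    if net == "host":
        return addr == wild
    w = int(ipaddress.IPv4Address(wild))  # set bits in a wildcard are "don't care"
    return (int(ipaddress.IPv4Address(addr)) | w) == (int(ipaddress.IPv4Address(net)) | w)

def parse_ace(line):
    """Parse one entry, e.g. '10 permit tcp any 192.168.30.0 0.0.0.255 established log'."""
    toks = line.split()
    if toks[0].isdigit():           # optional sequence number
        toks = toks[1:]
    action, proto, rest = toks[0], toks[1], toks[2:]
    addrs = []
    for _ in ("source", "destination"):
        if rest[0] == "any":
            addrs.append("any")
            rest = rest[1:]
        else:                       # 'host A' or 'A wildcard': two tokens either way
            addrs.append(" ".join(rest[:2]))
            rest = rest[2:]
    return action, proto, addrs[0], addrs[1], frozenset(rest) - {"log"}

def ace_matches(ace, pkt):
    _action, proto, src, dst, opts = ace
    if proto != "ip" and proto != pkt.proto:
        return False
    if not (_match_addr(pkt.src, src) and _match_addr(pkt.dst, dst)):
        return False
    # 'established' keeps no state: it only checks that ACK or RST is set
    if "established" in opts and not (pkt.flags & {"ACK", "RST"}):
        return False
    if "echo-reply" in opts and pkt.icmp_type != "echo-reply":
        return False
    return True

def evaluate(acl, pkt):
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"

def parse_acl(text):
    return [parse_ace(line) for line in text.strip().splitlines()]

FIRST_ATTEMPT = parse_acl("""
permit ip any host 192.168.10.254
permit ip any host 192.168.10.100
permit ip any host 192.168.10.30
deny ip any 192.168.10.0 0.0.1.255
deny ip any 192.168.20.0 0.0.1.255
deny ip any 192.168.30.0 0.0.1.255
permit ip any any""")
SECOND_ATTEMPT = parse_acl("""
permit ip any host 192.168.10.254
permit ip any host 192.168.10.100
permit ip any host 192.168.10.30
permit icmp any 192.168.10.0 0.0.1.255 echo-reply
permit icmp any 192.168.20.0 0.0.1.255 echo-reply
permit icmp any 192.168.30.0 0.0.1.255 echo-reply
deny tcp any 192.168.10.0 0.0.1.255
deny tcp any 192.168.20.0 0.0.1.255
deny tcp any 192.168.30.0 0.0.1.255
permit ip any any""")
WORKING = parse_acl("""
10 permit tcp any 192.168.30.0 0.0.0.255 established log
11 deny tcp any 192.168.30.0 0.0.0.255 log
20 permit ip any any""")

# Constructed packets as the ACL applied 'in' on Fa0/1.90 sees them: all are
# sourced in VLAN 90, whether VLAN 90 started the conversation or is replying.
V90, V30 = "192.168.90.10", "192.168.30.10"
SYN_FROM_90 = Packet("tcp", V90, V30, frozenset({"SYN"}))            # VLAN 90 opens a session
SYNACK_FROM_90 = Packet("tcp", V90, V30, frozenset({"SYN", "ACK"}))  # reply to a VLAN 30 client
ACK_FROM_90 = Packet("tcp", V90, V30, frozenset({"ACK"}))            # crafted bare ACK (ACK scan)
UDP_FROM_90 = Packet("udp", V90, V30)
ECHO_REPLY_FROM_90 = Packet("icmp", V90, V30, icmp_type="echo-reply")

if __name__ == "__main__":
    for name, acl in ("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT), ("working", WORKING):
        for pkt in (SYN_FROM_90, SYNACK_FROM_90, ACK_FROM_90, UDP_FROM_90, ECHO_REPLY_FROM_90):
            print(f"{name:8} {pkt.proto:5} {sorted(pkt.flags)} {pkt.icmp_type:10} -> {evaluate(acl, pkt)}")
```

Two caveats the replay makes visible: `established` keeps no connection state, so a bare ACK from VLAN 90 (an ACK scan, or any crafted segment with the ACK bit set) passes entry 10 exactly as a legitimate reply would; and the final ACL only restricts TCP toward 192.168.30.0/24, so UDP, ICMP and traffic to the other VLAN subnets still fall through to `permit ip any any`. If UDP or ICMP return traffic has to pass without opening everything, IOS reflexive ACLs (`reflect` on the outbound ACL, `evaluate` on the inbound one) or the zone-based firewall track session state instead of relying on a flag bit.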