09-04-2013 12:14 AM - edited 03-04-2019 08:56 PM
Hi All
I have to configure some new VLANs in our office:
VLAN-1 --Server 192.168.0.0/24
VLAN-2 --Systems 192.168.1.0/24
VLAN-3 Project-1 192.168.2.0/24
VLAN-4 Project-2 192.168.3.0/24
I want Project-1 and Project-2 to have access to the server VLAN only.
Extended access list for Project 1:
access-list 101 remark deny systems VLAN
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 remark deny project 2 VLAN
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip any any
But the problem is that the systems VLAN should have access to all VLANs, while no VLAN should have access to the systems VLAN. With this access list the access of the systems VLAN to the other VLANs is blocked. Can anybody suggest something? We are using a 4500 as the L3 switch and 2960s as L2.
09-04-2013 01:07 AM
Hi Soumik,
If I've read your requirement correctly, you'll want the following config on your 4500. Obviously change the SVI numbers as required:
interface vlan 1
 description server vlan
!
interface vlan 2
 description systems vlan
 ip access-group 102 in
!
interface vlan 3
 description project1 vlan
 ip access-group 103 in
!
interface vlan 4
 description project2 vlan
 ip access-group 104 in
!
access-list 102 remark deny server
access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 remark deny project1
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 remark deny project2
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 103 remark deny server
access-list 103 deny ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 remark deny project2
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
!
access-list 104 remark deny server
access-list 104 deny ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 104 remark deny project1
access-list 104 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
!
cheers,
Seb.
09-04-2013 01:43 AM
Hi Seb
I think I am unable to describe my requirement properly.
VLAN-1 --Server 192.168.0.0/24
VLAN-2 --Systems 192.168.1.0/24
VLAN-3 Project-1 192.168.2.0/24
VLAN-4 Project-2 192.168.3.0/24
VLAN-1: all access
VLAN-2: all access
VLAN-3: only the server VLAN, no other VLAN
VLAN-4: only the server VLAN, no other VLAN
interface vlan 2
 description systems vlan
 ip access-group 102 in
!
access-list 102 remark deny project1
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 remark deny project2
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
This will deny project 1 and project 2 access to the systems VLAN and vice versa. But the systems VLAN needs access to the Project 1 and Project 2 VLANs. This is my requirement.
09-04-2013 02:00 AM
All ACLs have a standard entry at the end (deny any any) that you cannot see, so you must write at least one permit entry.
Like: access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
or like: permit ip any any
09-04-2013 02:28 AM
Hi Soumik,
As Markus mentioned, I forgot that you need to add:
permit ip any any
...at the end of each ACL, to override the implied 'deny any any'.
As the access-group statement is inbound, the suggested ACLs should work. ACL 102 will deny VLANs 1 and 2 in. Likewise, ACLs 103 and 104 do not deny the systems VLAN, so the suggested 'permit ip any any' will let that traffic in.
So use the following:
access-list 102 remark deny server
access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 remark deny project1
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 remark deny project2
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip any any
!
access-list 103 remark deny server
access-list 103 deny ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 remark deny project2
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip any any
!
access-list 104 remark deny server
access-list 104 deny ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 104 remark deny project1
access-list 104 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 104 permit ip any any
!
cheers,
Seb.
09-05-2013 12:06 AM
How do I configure one-way traffic?
VLAN 2 can access VLAN 3 and VLAN 4,
but VLAN 3 and VLAN 4 can't access VLAN 2.
09-05-2013 12:19 AM
Hi,
ACLs are stateless and communication is bidirectional in IP, so you'll need to permit return traffic from VLAN 3 and VLAN 4 for VLAN 2 to access them, and deny traffic originated in VLAN 3 and VLAN 4.
For return TCP traffic you have the established keyword; for ICMP you'll need to permit at least echo-reply, time-exceeded and port-unreachable; and for UDP you'll have to permit the possible UDP service replies (like DNS 53, DHCP 67).
Regards
Alain
Don't forget to rate helpful posts.
09-05-2013 12:24 AM
Hi cadet
Yes, this is the right approach to configure this. Can you help me with a configuration example or link?
09-05-2013 12:51 AM
Hi,
An example:
vlan2: 192.168.2.0/24
vlan3: 192.168.3.0/24
vlan4: 192.168.4.0/24
vlan 2 can access vlan 3 and vlan 4, but neither of these can access vlan 2. vlan 3 can access vlan 4 and vlan 4 can access vlan 3.
ip access-list extended vlan2-34
permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
ip access-list extended vlan3-42
permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
permit icmp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 echo-reply
permit icmp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 time-exceeded
permit icmp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 port-unreachable
permit tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 established
permit udp 192.168.3.0 0.0.0.255 eq 53 192.168.2.0 0.0.0.255
permit udp 192.168.3.0 0.0.0.255 eq 67 192.168.2.0 0.0.0.255
ip access-list extended vlan4-32
permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
permit icmp 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255 echo-reply
permit icmp 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255 time-exceeded
permit icmp 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255 port-unreachable
permit tcp 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255 established
permit udp 192.168.4.0 0.0.0.255 eq 53 192.168.2.0 0.0.0.255
permit udp 192.168.4.0 0.0.0.255 eq 67 192.168.2.0 0.0.0.255
int vlan 2
ip access-group vlan2-34 in
int vlan 3
ip access-group vlan3-42 in
int vlan 4
ip access-group vlan4-32 in
Regards
Alain
Don't forget to rate helpful posts.
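The one-way design in Alain's example (stateless ACLs, return traffic let back in by established, the ICMP reply types and the UDP source ports, and everything else falling to the implicit deny Markus pointed out) can be checked offline before it goes on a switch. The following is an added example, not code from this thread or from Cisco: a small evaluator for the subset of IOS extended-ACL syntax used above. It parses the vlan2-34 and vlan3-42 lists as posted (vlan4-32 mirrors vlan3-42 and is left out), applies each inbound on its SVI the way ip access-group ... in does, and runs constructed sample flows through them. Packet, Ace, permitted and check_flows are the example's own names; the host addresses are made up. Note the last flow: nothing in vlan2-34 permits VLAN 2 to reach the server VLAN, so that traffic is also dropped by the implicit deny and a real deployment has to add the permits it needs.

```python
"""Stateless ACL evaluator for the one-way VLAN access design in this thread (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The two ACLs from Alain's post, copied verbatim (named extended ACL syntax).
ACL_TEXT = {
    "vlan2-34": """
        permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
        permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
    """,
    "vlan3-42": """
        permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
        permit icmp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 echo-reply
        permit icmp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 time-exceeded
        permit icmp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 port-unreachable
        permit tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 established
        permit udp 192.168.3.0 0.0.0.255 eq 53 192.168.2.0 0.0.0.255
        permit udp 192.168.3.0 0.0.0.255 eq 67 192.168.2.0 0.0.0.255
    """,
}
# "ip access-group <name> in" on an SVI filters packets entering from hosts in that VLAN.
INBOUND = {"vlan2": "vlan2-34", "vlan3": "vlan3-42"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK bit set: this is what "established" matches
    icmp_type: str = ""   # e.g. "echo", "echo-reply"


def _in_wildcard(addr: str, spec: tuple) -> bool:
    net, wc = spec
    # Wildcard bits set to 1 are "don't care"; every other bit must equal the network.
    return ((int(ipaddress.IPv4Address(addr)) ^ net) & ~wc & 0xFFFFFFFF) == 0


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: tuple
    sport: Optional[int]
    dst: tuple
    dport: Optional[int]
    option: Optional[str]  # "established" or an ICMP type name

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (_in_wildcard(p.src, self.src) and _in_wildcard(p.dst, self.dst)):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.option == "established":
            return p.proto == "tcp" and p.ack
        if self.option is not None:
            return p.proto == "icmp" and p.icmp_type == self.option
        return True


def _addr(tok, i):
    """Parse 'any', 'host A' or 'A WILDCARD' starting at tok[i]; return ((net, wc), next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1]))), i + 2


def _port(tok, i):
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_acl(text: str) -> list:
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        option = tok[i] if i < len(tok) else None
        aces.append(Ace(tok[0], tok[1], src, sport, dst, dport, option))
    return aces


ACLS = {name: parse_acl(text) for name, text in ACL_TEXT.items()}


def permitted(ingress_vlan: str, p: Packet) -> bool:
    """First matching entry wins; no match at all is the invisible 'deny ip any any'."""
    for ace in ACLS[INBOUND[ingress_vlan]]:
        if ace.matches(p):
            return ace.action == "permit"
    return False


def check_flows() -> dict:
    """Constructed sample flows, one per direction and protocol the thread discusses."""
    h2, h3, h4, srv = "192.168.2.10", "192.168.3.10", "192.168.4.10", "192.168.0.10"
    return {
        # VLAN 2 opens an HTTP session to VLAN 3; the reply segment carries ACK.
        "v2_to_v3_syn": permitted("vlan2", Packet(h2, h3, "tcp", 40000, 80)),
        "v3_to_v2_reply": permitted("vlan3", Packet(h3, h2, "tcp", 80, 40000, ack=True)),
        # A session initiated from VLAN 3 towards VLAN 2 has no ACK and falls to the implicit deny.
        "v3_to_v2_syn": permitted("vlan3", Packet(h3, h2, "tcp", 40001, 22)),
        # ICMP: the request from VLAN 2 is allowed, only the reply type is allowed back.
        "v2_ping_v3": permitted("vlan2", Packet(h2, h3, "icmp", icmp_type="echo")),
        "v3_echo_reply": permitted("vlan3", Packet(h3, h2, "icmp", icmp_type="echo-reply")),
        "v3_ping_v2": permitted("vlan3", Packet(h3, h2, "icmp", icmp_type="echo")),
        # A DNS answer leaves VLAN 3 from source port 53, which the 'udp ... eq 53' entry covers.
        "v3_dns_reply": permitted("vlan3", Packet(h3, h2, "udp", 53, 50000)),
        "v3_udp_other": permitted("vlan3", Packet(h3, h2, "udp", 5000, 161)),
        # VLAN 3 and VLAN 4 talk freely in both directions.
        "v3_to_v4": permitted("vlan3", Packet(h3, h4, "tcp", 40002, 445)),
        # Nothing in vlan2-34 permits VLAN 2 to anywhere else, so the server VLAN is cut off too.
        "v2_to_server": permitted("vlan2", Packet(h2, srv, "tcp", 40003, 443)),
    }


if __name__ == "__main__":
    for name, ok in check_flows().items():
        print(f"{name:16s} {'permit' if ok else 'deny'}")
```

The evaluator is deliberately first-match and default-deny, exactly like the switch, so adding a permit line at the wrong position shows up immediately in the flow table; it is a useful habit to keep such a table of expected permit/deny outcomes next to any ACL change.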