10-23-2024 10:14 AM - edited 10-23-2024 10:17 AM
Has anyone experienced ACLs on multiple VLANs? I tried it, but no rule hits except for permit ip any any; gateway to gateway can ping, but when it comes to a host or part of that network, it cannot ping. What are other approaches for this ACL of VLANs, assuming I have 10 VLANs that have restrictions with other VLANs and so on?
Update: I removed all the ACLs, but specific VLANs cannot ping the host or user in another VLAN.
11-04-2024 02:48 AM
I found the solution, guys. I used an extended ACL. Thanks for your inputs.
10-23-2024 10:16 AM
You probably are choosing the wrong mask. Can you share the config? Which device is it?
10-23-2024 10:18 AM
The mask is fine since I'm following the guides that I can use, but still none of them work. I'm using a C9500 core switch.
10-23-2024 10:38 AM - edited 10-23-2024 10:39 AM
If you share the config it will be much easier to help. There is no secret to filtering VLANs using ACLs.
You need to create the ACL matching the traffic you want and then apply it on the VLAN interface.
Examples
access-list 101 deny ip 10.101.10.0 0.0.0.255 10.101.4.0 0.0.0.255
access-list 101 deny ip 10.101.10.0 0.0.0.255 10.101.99.0 0.0.0.255
access-list 101 permit ip 10.101.10.0 0.0.0.255 any
access-list 102 deny ip 10.101.99.0 0.0.0.255 10.101.4.0 0.0.0.255
access-list 102 deny ip 10.101.99.0 0.0.0.255 10.101.10.0 0.0.0.255
access-list 102 permit ip 10.101.99.0 0.0.0.255 any
Then apply these ACLs to the relevant subinterfaces, i.e.:
int vlan x
ip access-group 101 in
int vlan y
ip access-group 102 in
10-23-2024 10:44 AM - edited 10-23-2024 10:45 AM
My config is just the same as your input, but when I test it no rule is hit except for permit ip any. I removed all the ACLs; other VLANs still cannot ping the users or hosts in other VLANs.
10-23-2024 10:54 AM
Without seeing the details of what is in your config (and perhaps without knowing more about your environment) we cannot identify why your ACL is not working.
10-23-2024 10:57 AM
Share the show running-config here please.
10-23-2024 07:45 PM
Here's my config.
PS. 192.168.24.1 is their route from the firewall to reach the internet, since the default route is 0.0.0.0 0.0.0.0 192.168.24.1
access-list 1 deny 192.168.30.0 0.0.0.255
access-list 1 deny 192.168.32.0 0.0.0.255
access-list 1 permit any
int vlan 10
ip access-group 1 out
access-list 2 permit 192.168.24.1 0.0.0.0
access-list 2 deny 192.168.21.0 0.0.0.255
access-list 2 deny 192.168.22.0 0.0.0.255
access-list 2 deny 192.168.24.0 0.0.1.255
access-list 2 deny 192.168.26.0 0.0.0.255
access-list 2 deny 192.168.30.0 0.0.0.255
access-list 2 deny 192.168.32.0 0.0.0.255
access-list 2 permit any
int vlan 20
ip access-group 2 out
access-list 3 deny 192.168.20.0 0.0.0.255
access-list 3 deny 192.168.22.0 0.0.0.255
access-list 3 permit 192.168.24.1 0.0.0.0
access-list 3 deny 192.168.24.0 0.0.1.255
access-list 3 deny 192.168.26.0 0.0.0.255
access-list 3 deny 192.168.30.0 0.0.0.255
access-list 3 deny 192.168.32.0 0.0.0.255
access-list 3 permit any
int vlan 21
ip access-group 3 out
access-list 4 permit 192.168.24.1 0.0.0.0
access-list 4 deny 192.168.20.0 0.0.0.255
access-list 4 deny 192.168.21.0 0.0.0.255
access-list 4 deny 192.168.24.0 0.0.1.255
access-list 4 deny 192.168.26.0 0.0.0.255
access-list 4 deny 192.168.30.0 0.0.0.255
access-list 4 deny 192.168.32.0 0.0.0.255
access-list 4 permit any
int vlan 22
ip access-group 4 out
access-list 5 deny 192.168.20.0 0.0.0.255
access-list 5 deny 192.168.21.0 0.0.0.255
access-list 5 deny 192.168.22.0 0.0.0.255
access-list 5 deny 192.168.26.0 0.0.0.255
access-list 5 deny 192.168.30.0 0.0.0.255
access-list 5 deny 192.168.32.0 0.0.0.255
access-list 5 permit any
int vlan 24
ip access-group 5 in
(tried to use "out" here but the internet connection for other VLANs cannot reach it)
access-list 6 permit 192.168.24.1 0.0.0.0
access-list 6 deny 192.168.20.0 0.0.0.255
access-list 6 deny 192.168.21.0 0.0.0.255
access-list 6 deny 192.168.22.0 0.0.0.255
access-list 6 deny 192.168.24.0 0.0.1.255
access-list 6 deny 192.168.30.0 0.0.0.255
access-list 6 deny 192.168.32.0 0.0.0.255
access-list 6 permit any
int vlan 26
ip access-group 6 out
access-list 7 permit any
int vlan 27
ip access-group 7 out
access-list 8 permit 192.168.24.1 0.0.0.0
access-list 8 deny 192.168.10.0 0.0.0.255
access-list 8 deny 192.168.20.0 0.0.0.255
access-list 8 deny 192.168.21.0 0.0.0.255
access-list 8 deny 192.168.22.0 0.0.0.255
access-list 8 deny 192.168.24.0 0.0.1.255
access-list 8 deny 192.168.26.0 0.0.0.255
access-list 8 deny 192.168.32.0 0.0.0.255
access-list 8 permit any
int vlan 30
ip access-group 8 out
access-list 9 permit 192.168.24.1 0.0.0.0
access-list 9 deny 192.168.10.0 0.0.0.255
access-list 9 deny 192.168.20.0 0.0.0.255
access-list 9 deny 192.168.21.0 0.0.0.255
access-list 9 deny 192.168.22.0 0.0.0.255
access-list 9 deny 192.168.24.0 0.0.1.255
access-list 9 deny 192.168.26.0 0.0.0.255
access-list 9 deny 192.168.30.0 0.0.0.255
access-list 9 permit any
int vlan 320
ip access-group 9 out
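To make the matching behaviour concrete, here is a small Python simulator of Cisco IOS numbered-ACL semantics (wildcard-mask matching, top-down first match, and the implicit deny at the end of every list). It is an added example, not code from the thread or from Cisco; it traces the extended ACL 101 from the reply above and the standard ACLs 1 and 2 from the config just posted against constructed sample packets. The ACL text is copied from the thread; the packet addresses and the names of the functions are my own constructions.

```python
# Added example (not from the thread or from Cisco): a minimal simulator of
# Cisco IOS numbered-ACL semantics -- wildcard-mask matching, top-down first
# match, and the implicit deny at the end of every list.
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # "any" == address 0.0.0.0, wildcard all ones


def wildcard_match(addr, network, wildcard):
    """True if addr falls in network/wildcard (wildcard bit 1 = don't care)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _is_ip(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ipaddress.AddressValueError:
        return False


def _parse_addr(tok, i):
    """Consume one address spec at tok[i]: 'any', 'host A', 'A WILDCARD' or bare 'A'."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tok) and _is_ip(tok[i + 1]):
        return (tok[i], tok[i + 1]), i + 2
    return (tok[i], "0.0.0.0"), i + 1  # bare address: treated as a single host


def parse_acls(config_text):
    """Return {acl_number: [(action, proto, (src, swc), (dst, dwc)), ...]}."""
    acls = {}
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        num, action = int(tok[1]), tok[2]
        if 1 <= num <= 99 or 1300 <= num <= 1999:
            # Standard ACL: matches on the SOURCE address only; destination is ignored.
            src, _ = _parse_addr(tok, 3)
            ace = (action, "ip", src, ANY)
        else:
            # Extended ACL: protocol, source, destination.
            src, i = _parse_addr(tok, 4)
            dst, _ = _parse_addr(tok, i)
            ace = (action, tok[3], src, dst)
        acls.setdefault(num, []).append(ace)
    return acls


def evaluate(aces, src_ip, dst_ip, proto="ip"):
    """Top-down first match; returns (action, 1-based ACE index or None for implicit deny)."""
    for n, (action, p, (snet, swc), (dnet, dwc)) in enumerate(aces, 1):
        if p != "ip" and p != proto:
            continue
        if wildcard_match(src_ip, snet, swc) and wildcard_match(dst_ip, dnet, dwc):
            return action, n
    return "deny", None  # implicit 'deny any' at the end of every IOS ACL


# Constructed sample: ACL 101 from the earlier reply (extended, applied "in" on
# the VLAN 10 SVI) and ACLs 1 and 2 from the posted config (standard, applied "out").
SAMPLE_CONFIG = """
access-list 101 deny ip 10.101.10.0 0.0.0.255 10.101.4.0 0.0.0.255
access-list 101 deny ip 10.101.10.0 0.0.0.255 10.101.99.0 0.0.0.255
access-list 101 permit ip 10.101.10.0 0.0.0.255 any
access-list 1 deny 192.168.30.0 0.0.0.255
access-list 1 deny 192.168.32.0 0.0.0.255
access-list 1 permit any
access-list 2 permit 192.168.24.1 0.0.0.0
access-list 2 deny 192.168.21.0 0.0.0.255
access-list 2 deny 192.168.24.0 0.0.1.255
access-list 2 permit any
"""


def trace_examples():
    """Evaluate constructed packets (addresses are made up) against the sample ACLs."""
    acls = parse_acls(SAMPLE_CONFIG)
    return {
        # Extended ACL 101 inbound on SVI 10: the source is always the VLAN 10 subnet.
        "101 vlan10->vlan4": evaluate(acls[101], "10.101.10.5", "10.101.4.7"),
        "101 vlan10->internet": evaluate(acls[101], "10.101.10.5", "8.8.8.8"),
        # A foreign (spoofed) source arriving inbound on SVI 10 hits the implicit deny.
        "101 foreign-src": evaluate(acls[101], "10.101.4.1", "10.101.10.5"),
        # Standard ACL 1 outbound on SVI 10: only the source is inspected.
        "1 from-vlan30": evaluate(acls[1], "192.168.30.5", "192.168.10.9"),
        "1 from-vlan20": evaluate(acls[1], "192.168.20.5", "192.168.10.9"),
        # Standard ACL 2: order matters. The firewall host is permitted by line 1
        # even though line 3 (0.0.1.255 covers 192.168.24.0/23) would deny it.
        "2 firewall": evaluate(acls[2], "192.168.24.1", "192.168.20.5"),
        "2 vlan25-host": evaluate(acls[2], "192.168.25.7", "192.168.20.5"),
    }


if __name__ == "__main__":
    for name, (action, line) in trace_examples().items():
        print(f"{name:22} -> {action} (ACE {line if line else 'implicit deny'})")
```

Two things the trace makes visible that are easy to miss when reading the config: a standard ACL never looks at the destination, so applied "out" on an SVI it only knows where a packet came from, not which host in that VLAN it is going to; and because every list ends in an implicit deny, an extended ACL that only names its own subnet as the source (like ACL 101 inbound) also drops anything arriving on that SVI with a source address from elsewhere.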
10-24-2024 07:49 AM
Thanks for posting the partial config. It would be helpful if you included at least the IP address for each of the VLANs. Are there any other parameters configured on the VLAN interfaces? Can you explain what you want these ACLs to achieve? Am I correct in assuming that you want to prevent inter-VLAN communication while allowing communication to the outside?
In reading through the discussion I am wondering about this statement: "I removed all the ACL, other vlan cannot still ping the users or host in other vlan". This suggests that there is some issue other than the ACLs. Can you confirm that ip routing is enabled? Perhaps the output of show ip route might shed some light on the situation.
10-24-2024 08:37 AM
In order to help you with IN and OUT, the interface configuration and how this device is connected to the router or firewall would be required.
A simple diagram would be very helpful