Deny access to other VLAN and only access for Server VLAN

bryg0d (Level 1)

Hi everyone, I am trying to deny the VLANs access to each other and only let them reach the server VLAN. My commands below work in Packet Tracer but failed during implementation.

ip access-list extended DenyVlans_50
 permit ip 172.16.50.0 0.0.0.255 172.16.36.0 0.0.3.255      [172.16.36.0/22 is my Server VLAN]
 deny ip 172.16.50.0 0.0.0.255 172.16.0.0 0.0.255.255       [172.16.0.0 0.0.255.255 is the supernet of all 30 VLANs]
 permit ip any any                                          [for internet]

int vlan 50
 ip access-group DenyVlans_50 in

From my understanding, VLAN 50 will be allowed access to the Server VLAN and then denied access to any other VLAN inside the supernet 172.16.0.0/16.

Accepted Solution

Now ONE ACL for all VLANs, including the VLAN of the Server
*** the direction of this ACL must be IN
1- from Server -> to all VLAN subnets

 permit ip 172.16.36.0 0.0.3.255 172.16.0.0 0.0.255.255

2- from all VLAN subnets to Server

 permit ip 172.16.0.0 0.0.255.255 172.16.36.0 0.0.3.255

2-Op: for DHCP you need

 permit udp any eq bootpc any eq bootps

3- from all VLAN subnets to all VLAN subnets

 deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255

4- from all VLAN subnets to ANY

 permit ip 172.16.0.0 0.0.255.255 any

Hope this is what you are looking for.
MHM

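As an added check that is not part of the original thread: the Python script below evaluates the original poster's DenyVlans_50 ACL and the single ACL from the accepted solution against a few constructed flows, using the same first-match and wildcard-mask rules IOS applies, with the implicit deny at the end of every ACL. The host addresses, the gateway address 172.16.50.1 and the ACL name OneAclForAllVlans are assumptions made for the example. Running it shows that both ACLs permit VLAN 50 to the server range and to the internet and deny it to another VLAN, that the bootpc/bootps entry is what keeps a DHCP DISCOVER (source 0.0.0.0) alive once the rest of the supernet is denied, and that both ACLs also deny a VLAN 50 host from reaching its own SVI address, because an inbound ACL is checked for packets addressed to the switch itself.

```python
"""Offline first-match evaluator for the Cisco IOS style extended ACLs in this
thread. Added example, not part of the original posts. It handles 'permit' and
'deny' entries for 'ip', 'udp' and 'tcp' with 'any', 'host A' or 'A WILDCARD'
addresses and optional 'eq PORT' qualifiers, then ends with the implicit deny
that IOS appends to every ACL. All flows below are constructed sample traffic."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"bootps": 67, "bootpc": 68}   # only the names this thread uses


@dataclass(frozen=True)
class Flow:
    proto: str            # "ip" (generic, e.g. ICMP), "udp" or "tcp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _match_addr(addr, wildcard, ip):
    """Wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(addr) & care) == (_to_int(ip) & care)


def _parse_addr(tokens, i):
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def _parse_port(tokens, i):
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return PORT_NAMES.get(name, int(name) if name.isdigit() else None), i + 2
    return None, i


def parse_acl(text):
    """Parse ACE lines; the 'ip access-list' header, '!' comments and remarks are skipped."""
    aces = []
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] in ("ip", "!", "remark"):
            continue
        action, proto, i = t[0], t[1], 2
        src, i = _parse_addr(t, i)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        aces.append((action, proto, src, sport, dst, dport, raw.strip()))
    return aces


def evaluate(aces, flow):
    """Return (action, matching_entry) for the first entry that matches the flow."""
    for action, proto, src, sport, dst, dport, text in aces:
        if proto != "ip" and proto != flow.proto:
            continue
        if not (_match_addr(*src, flow.src) and _match_addr(*dst, flow.dst)):
            continue
        if sport is not None and sport != flow.sport:
            continue
        if dport is not None and dport != flow.dport:
            continue
        return action, text
    return "deny", "implicit deny"


# The original poster's ACL, applied inbound on interface Vlan50 only.
OP_ACL = parse_acl("""
ip access-list extended DenyVlans_50
 permit ip 172.16.50.0 0.0.0.255 172.16.36.0 0.0.3.255
 deny ip 172.16.50.0 0.0.0.255 172.16.0.0 0.0.255.255
 permit ip any any
""")

# The accepted single ACL, meant to go inbound on every SVI (name is assumed).
ONE_ACL = parse_acl("""
ip access-list extended OneAclForAllVlans
 permit ip 172.16.36.0 0.0.3.255 172.16.0.0 0.0.255.255
 permit ip 172.16.0.0 0.0.255.255 172.16.36.0 0.0.3.255
 permit udp any eq bootpc any eq bootps
 deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 permit ip 172.16.0.0 0.0.255.255 any
""")

# Constructed sample flows as seen inbound on Vlan50 (host and gateway IPs are assumed).
FLOWS = {
    "vlan50_to_server": Flow("ip", "172.16.50.10", "172.16.37.5"),
    "vlan50_to_vlan60": Flow("ip", "172.16.50.10", "172.16.60.10"),
    "vlan50_to_internet": Flow("ip", "172.16.50.10", "8.8.8.8"),
    "vlan50_to_own_gateway": Flow("ip", "172.16.50.10", "172.16.50.1"),
    "dhcp_discover": Flow("udp", "0.0.0.0", "255.255.255.255", 68, 67),
}


def check_thread_acls():
    """Evaluate every sample flow against both ACLs; returns {flow: {acl: action}}."""
    results = {}
    for name, flow in FLOWS.items():
        results[name] = {
            "OP_ACL": evaluate(OP_ACL, flow)[0],
            "ONE_ACL": evaluate(ONE_ACL, flow)[0],
            # Same ACL with the bootpc/bootps entry left out, to show why it is needed.
            "ONE_ACL_without_dhcp_entry": evaluate(
                [a for a in ONE_ACL if a[1] != "udp"], flow)[0],
        }
    return results


if __name__ == "__main__":
    for name, verdicts in check_thread_acls().items():
        print(f"{name:24s} " + "  ".join(f"{k}={v}" for k, v in verdicts.items()))
```

One thing the script cannot reproduce is the test done later in the thread, pinging between SVI addresses from the core switch itself: packets the switch originates never arrive inbound on Vlan50, so an inbound ACL cannot filter them, and the test has to be run from a host in each VLAN. If ping to the default gateway should keep working, a permit for the SVI address (for example permit ip 172.16.50.0 0.0.0.255 host 172.16.50.1, my suggestion, not from the thread) has to sit above the supernet deny.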

16 Replies

Can I see the output of show access-lists?

MHM

Hello

ip access-list extended Vlan1
 deny ip any 10.1.2.0 0.0.0.255    (vlan 2)
 deny ip any 10.1.3.0 0.0.0.255    (vlan 3)
 etc...
 permit ip any any

int vlan 1
 ip access-group Vlan1 in

ip access-list extended Vlan2
 deny ip any 10.1.1.0 0.0.0.255    (vlan 1)
 deny ip any 10.1.3.0 0.0.0.255    (vlan 3)
 etc...
 permit ip any any

int vlan 2
 ip access-group Vlan2 in

etc..

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

This is too many lines, since I have almost 30 VLANs. Is there any way to reduce the number of commands?

Hello
You would have to apply an ACL to each L3 SVI anyway to negate the communication between them. As for the multiple ACL entries, you may be able to summarise the IP range, but again you need to be careful not to deny/permit unwarranted traffic, or only permit the traffic you wish to allow and have a default deny action.
Alternatively, put each L3 SVI in its own VRF, apart from the server VLAN.



Kind Regards
Paul

DaviRocK! (Level 1)

Double-check the subnet masks in your ACL. For example, if your server VLAN is really just a /28 subnet, the mask in the ACL should reflect that. The entry permit ip 172.16.50.0 0.0.0.255 172.16.36.0 0.0.3.255 covers more than just your /28 server VLAN.

A more accurate rule might be: permit ip 172.16.50.0 0.0.0.255 172.16.36.0 0.0.0.15

Add logging to your ACL to troubleshoot which packets are being permitted or denied. This can provide valuable insight into what's happening:

ip access-list extended DenyVlans_50
 permit ip 172.16.50.0 0.0.0.255 172.16.36.0 0.0.0.15 log
 deny ip 172.16.50.0 0.0.0.255 172.16.0.0 0.0.255.255 log
 permit ip any any log

Hi DaviRocK,

Apologies for the confusion. My Server VLAN is actually a /22.

Friend, your ACL is correct,

but let me see show access-lists;
let's check which entries are hit and which are not hit.

MHM

Hello
@MHM Cisco World @DaviRocK! Not sure how the ACL can be correct when it is just applied to the server VLAN, when the OP suggested only the server VLAN needs to be accessible to all VLANs. Have I missed something? If so, apologies to all!



Kind Regards
Paul

Not at all, you are correct.

He needs to change the source in the ACL for each VLAN, so that the source matches the VLAN subnet.

But I was talking only about the ACL applied to VLAN 50; if he uses the correct source then the ACL is OK and must work.

@bryg0d Mr @paul driver's solution is correct, but if you find it long and you need only one ACL applied to all VLAN SVIs, then write the VLAN subnets and use one supernet as source.

For example, if you have VLAN 10 192.168.10.0/24 and VLAN 20 192.168.20.0/24, you can use the supernet 192.168.0.0/16, which includes all VLAN subnets, in only ONE ACL.

Thanks

MHM

Hello
@MHM Cisco World I would say it isn't correct, to be honest. You do not require any ACL on VLAN 50; that's the only VLAN which doesn't require any filtering. To negate the other VLANs from communicating with each other, you would need to apply an ACL on each SVI: either a deny to each individual subnet (or a summarised IP range) with a permit for everything else, or a permit for VLAN 50 and all other traffic except the other local VLANs (again individually or summarised), or put each SVI in its own VRF.



Kind Regards
Paul

Hi MHM,

I believe that's correct. I need to implement the ACL on all VLANs except the Server VLAN, using each VLAN's own subnet in its ACL. Did I get that right?

Hi MHM,

The ACL below is already applied on the SVI. I tried a ping test from inside the core switch using the IPs of different SVIs, but they are reachable. I will try to test later on the endpoints/PCs.

[Screenshot attached: Screenshot 2023-12-19 at 7.53.41 AM.png]


Hi MHM,

Thank you. I will try to simulate the commands later.
