12-15-2023 12:23 AM - last edited on 12-25-2023 10:38 PM by Translator
Hi everyone, I am trying to deny VLANs to each other and only allow them to reach the server VLAN. My commands below are successful on Packet Tracer but failed during implementation.

ip access-list extended DenyVlans_50
 remark 172.16.36.0/22 is my server VLAN
 permit ip 172.16.50.0 0.0.0.255 172.16.36.0 0.0.3.255
 remark 172.16.0.0 0.0.255.255 is the supernet of all 30 VLANs
 deny ip 172.16.50.0 0.0.0.255 172.16.0.0 0.0.255.255
 remark for internet
 permit ip any any
!
interface Vlan50
 ip access-group DenyVlans_50 in

From my understanding, VLAN 50 will be allowed access to the server VLAN and then denied to any other VLAN inside the supernet 172.16.0.0/16.
Labels: Catalyst Switch, Routing Protocols
Accepted Solutions
12-18-2023 09:46 PM - last edited on 12-25-2023 10:59 PM by Translator
Now ONE ACL for all VLANs, including the server VLAN.
*** the direction of this ACL on each VLAN must be IN

1- from server -> to all VLAN subnets
 permit ip 172.16.36.0 0.0.3.255 172.16.0.0 0.0.255.255
2- from all VLAN subnets to server
 permit ip 172.16.0.0 0.0.255.255 172.16.36.0 0.0.3.255
2 (optional)- for DHCP you need
 permit udp any eq bootpc any eq bootps
3- from all VLAN subnets to all VLAN subnets
 deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
4- from all VLAN subnets to ANY
 permit ip 172.16.0.0 0.0.255.255 any

Hope this is what you are looking for.
MHM
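An added example, not part of the thread or of Cisco IOS: a small first-match evaluator for the two ACLs posted above (the OP's VLAN 50 ACL and MHM's single shared ACL), to check which entry a given flow hits before the list is applied to an SVI. It assumes IPv4 wildcard masks, the `eq` port keyword and the implicit deny at the end, and nothing else from the IOS ACL syntax.

```python
import ipaddress
# Both ACLs below are copied from the thread (OP's VLAN 50 ACL, MHM's shared ACL).
ACL_VLAN50 = """
permit ip 172.16.50.0 0.0.0.255 172.16.36.0 0.0.3.255
deny ip 172.16.50.0 0.0.0.255 172.16.0.0 0.0.255.255
permit ip any any
"""
ACL_SHARED = """
permit ip 172.16.36.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip 172.16.0.0 0.0.255.255 172.16.36.0 0.0.3.255
permit udp any eq bootpc any eq bootps
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
permit ip 172.16.0.0 0.0.255.255 any
"""
PORTS = {"bootpc": 68, "bootps": 67}  # DHCP client / server ports

def _spec(tokens):
    """Consume 'any' or 'network wildcard', then an optional 'eq <port>'."""
    if tokens[0] == "any":
        net, wc, tokens = 0, 0xFFFFFFFF, tokens[1:]
    else:
        net, wc = [int(ipaddress.IPv4Address(t)) for t in tokens[:2]]
        tokens = tokens[2:]
    port = None
    if tokens and tokens[0] == "eq":
        port, tokens = PORTS.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return (net, wc, port), tokens

def parse_acl(text):
    """Parse 'permit|deny <proto> <src> <dst>' lines into ordered entries."""
    entries = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        src, rest = _spec(rest)
        dst, _ = _spec(rest)
        entries.append((action, proto, src, dst))
    return entries

def _hit(spec, ip, port):
    net, wc, want = spec
    keep = ~wc & 0xFFFFFFFF  # wildcard 1-bits are "don't care"; compare the rest
    return (int(ipaddress.IPv4Address(ip)) & keep) == (net & keep) and (want is None or want == port)

def evaluate(entries, src, dst, proto="ip", sport=None, dport=None):
    """First match wins: (action, line_no); no match is the implicit ('deny', None)."""
    for n, (action, p, s, d) in enumerate(entries, 1):
        if p in ("ip", proto) and _hit(s, src, sport) and _hit(d, dst, dport):
            return action, n
    return "deny", None
```

Running the shared ACL against a VLAN-to-VLAN flow returns the deny on line 4, while a DHCP DISCOVER from 0.0.0.0 still lands on the bootpc/bootps permit, which is the case the optional entry exists for.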
12-15-2023 12:32 AM
Can I see show access-list?
MHM
12-15-2023 01:03 AM - last edited on 12-25-2023 10:41 PM by Translator
Hello

ip access-list extended Vlan1
 remark VLAN 2
 deny ip any 10.1.2.0 0.0.0.255
 remark VLAN 3
 deny ip any 10.1.3.0 0.0.0.255
 etc...
 permit ip any any
interface Vlan1
 ip access-group Vlan1 in

ip access-list extended Vlan2
 remark VLAN 1
 deny ip any 10.1.1.0 0.0.0.255
 remark VLAN 3
 deny ip any 10.1.3.0 0.0.0.255
 etc...
 permit ip any any
interface Vlan2
 ip access-group Vlan2 in

etc..
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
Kind Regards
Paul
12-17-2023 05:50 PM
Hi Paul,
This is too many, since I have almost 30 VLANs. Is there any way to lessen the lines of command?
12-18-2023 05:11 AM - edited 12-18-2023 05:14 AM
Hello
You would have to apply an ACL to each L3 SVI anyway to negate the communication between them. As for the multiple ACL entries, you may be able to summarise the IP range, but again you need to be careful not to deny/permit unwarranted traffic, or only permit the traffic you wish to allow and have a default deny action.
Alternatively, put each L3 SVI in its own VRF, apart from the server VLAN.
Kind Regards
Paul
12-15-2023 02:52 AM - last edited on 12-25-2023 10:52 PM by Translator
Double-check the subnet masks in your ACL. For example, if your server VLAN is really just a /28 subnet, the mask in the ACL should reflect that. The entry

permit ip 172.16.50.0 0.0.0.255 172.16.36.0 0.0.3.255

covers more than just your /28 server VLAN.
A more accurate rule might be:

permit ip 172.16.50.0 0.0.0.255 172.16.36.0 0.0.0.15

Add logging to your ACL to troubleshoot which packets are being permitted or denied. This can provide valuable insight into what's happening:

ip access-list extended DenyVlans_50
 permit ip 172.16.50.0 0.0.0.255 172.16.36.0 0.0.0.15 log
 deny ip 172.16.50.0 0.0.0.255 172.16.0.0 0.0.255.255 log
 permit ip any any log
12-17-2023 05:52 PM - edited 12-17-2023 05:53 PM
Hi DaviRock,
Apologies for confusion. My Server VLAN is actually /22.
12-18-2023 05:29 AM
Friend, your ACL is correct,
but let me see show access-list.
Let's check which entry is hit and which is not hit.
MHM
12-18-2023 08:19 AM
Hello
@MHM Cisco World @DaviRocK! Not sure how the ACL can be correct when just applied to the server VLAN, when the OP suggested only the server VLAN needs to be accessible to all VLANs. Have I missed something? If so, apologies to all!
Kind Regards
Paul
12-18-2023 08:28 AM
Not at all, you are correct.
He needs to change the source in the ACL for each VLAN, so that the source matches the VLAN subnet.
But I was talking only about the ACL applied to VLAN 50; if he uses the correct source then the ACL is OK and must work.
@bryg0d Mr @paul driver's solution is correct, but if you see it as long and you need only one ACL applied to all VLAN SVIs, then
write the VLAN subnets
and use one supernet as the source.
For example, if you have VLAN 10 192.168.10.0/24 and VLAN 20 192.168.20.0/24, you can use the supernet
192.168.0.0/16 that includes all VLAN subnets in only ONE ACL.
Thanks
MHM
12-18-2023 03:31 PM - edited 12-18-2023 11:57 PM
Hello
@MHM Cisco World I would say it isn't correct, tbh. You do not require any ACL on VLAN 50; that's the only VLAN which doesn't require any filtering. To negate the other VLANs from communicating with each other, you would need to append an ACL on each SVI: either with a deny to each individual subnet (or summarise the IP range) and a permit for everything else, or apply a permit for VLAN 50 and all other traffic other than the other local VLANs (again, individually or summarised), or put each SVI in its own VRF.
Kind Regards
Paul
12-18-2023 04:01 PM
Hi MHM,
I believe that's correct. I need to implement the ACL on all VLANs except the server VLAN, but using its own subnet in the ACL. Did I get that right?
12-18-2023 03:57 PM
Hi MHM,
The ACL below is already applied on the SVI. I tried a ping test inside the core switch using the IPs of different SVIs, but they are reachable. Will try to test later on the endpoints/PCs.
12-18-2023 10:52 PM
Hi MHM,
Thank you. Will try to simulate the commands later.
