
Inter VLAN ACL

aasimomerosman
Level 1

Hi Team

 

I need to block VLANs 4-9 and 60-69 from communicating with each other, but I need them to communicate with IT, Printer and Servers.

 

VLAN 4: 192.168.4.0/24

VLAN 6: 192.168.6.0/24

VLAN 9: 192.168.9.0/24

VLAN 60: 192.168.60.0/24

VLAN 65: 192.168.65.0/24

VLAN 69: 192.168.69.0/24

 

VLAN IT: 192.168.177.0/24

VLAN Printer: 192.168.70.0/24

Servers:

VLAN 20: 10.10.20.0/24

VLAN 109: 192.168.109.240/28

VLAN 136: 172.22.136.0/24

VLAN 98: 172.98.10.224/29

------------------------------------------

I created an extended access-list named 100:

deny ip 192.168.0.0 0.0.15.255 192.168.0.0 0.0.15.255

deny ip 192.168.0.0 0.0.127.255 192.168.0.0 0.0.127.255

permit ip any any

 

and applied it to interface vlan 4:

ip access-group 100 in

---------------------

I can't ping VLANs 4-9 and 60-69 (good),

but I also can't ping the printer and server VLAN 109.

 

Can anyone help me?

17 Replies

Leo Laohoo
Hall of Fame

balaji.bandi
Hall of Fame
deny ip 192.168.0.0 0.0.127.255 192.168.0.0 0.0.127.255

Since your ACL is a wider /17 deny (which includes the printer VLAN and VLAN 109), maybe you need to go to /24, or reduce the lower range so it only goes up to the 192.168.69.x network to deny.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello,

 

the problem is:

 

192.168.0.0 0.0.127.255

 

includes the entire host range:


192.168.0.1 - 192.168.127.254

 

You need the access list below. Subnets 192.168.65.0/24 and 192.168.69.0/24 cannot be included in the summarized range and need to have a separate entry.

 

access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.0.0 0.0.63.255
access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.65.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.69.0 0.0.0.255
access-list 100 permit ip any any

 

 

Hello

 

Example:
ip access-list extended vlan4
deny ip any 192.168.6.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255
deny ip any 192.168.60.0 0.0.0.255
deny ip any 192.168.65.0 0.0.0.255
deny ip any 192.168.69.0 0.0.0.255
permit ip any any

 

ip access-list extended vlan6
deny ip any 192.168.4.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255
deny ip any 192.168.60.0 0.0.0.255
deny ip any 192.168.65.0 0.0.0.255
deny ip any 192.168.69.0 0.0.0.255
permit ip any any

 

int vlan 4
ip access-group vlan4 IN

int vlan 6
ip access-group vlan6 IN

etc...


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

hi @paul driver 

Thank you, brother, for the quick reply.

 

Is there a way to summarize? Otherwise it will be a big configuration for each VLAN I need to stop communicating.

aasimomerosman
Level 1

Thank you all for replying.

Is there any way to summarize the range of VLAN IPs to make the access list simple and short?

Hello
Unfortunately not with the subnets you’ve provided



Kind Regards
Paul

Hello,

 

You cannot summarize more than this:

 

access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.0.0 0.0.63.255
access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.65.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.69.0 0.0.0.255
access-list 100 permit ip any any

 

You cannot summarize 65 and 69; a /21 mask would go up to 71. So the above is the best you can do.

Hello @Georg Pauwen 


@Georg Pauwen wrote:

 

access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.0.0 0.0.63.255  <  this ACE denies everything between 192.168.0.0 - 192.168.63.254

access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.65.0 0.0.0.255  <  this ACE denies everything between 192.168.0.0 - 192.168.63.254 and 192.168.65.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.69.0 0.0.0.255  <  this ACE denies everything between 192.168.0.0 - 192.168.63.254 and 192.168.69.0 0.0.0.255
access-list 100 permit ip any any

 

You cannot even summarise that; you will include at least 50+ /24 subnets in those aggregates that are not in use, plus, based on that ACL, I would envisage connectivity will break.



Kind Regards
Paul

@paul driver Better ask the OP. The access list is based on the information given. The subnets you mention as included do not exist, so 'blocking' them should not be a problem.

Hello

@Georg Pauwen either way your ACL won't work, as it blocks all communication, which DOES include the OP's active subnets.



Kind Regards
Paul

@paul driver What test network are you applying this on? Can you post your config and your test results?

 

Here are my results. I am pinging from host 192.168.4.2. 

VLAN 4 cannot communicate with VLAN 6, VLAN 9, VLAN 60, VLAN 65, VLAN 69.

VLAN 4 can communicate with VLAN IT: 192.168.177.0/24, VLAN Printer: 192.168.70.0/24, VLAN 20, VLAN 109, VLAN 136, VLAN 98.

 

access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.0.0 0.0.63.255
access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.65.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.69.0 0.0.0.255
access-list 100 permit ip any any
!
interface GigabitEthernet0/0/0
ip address 192.168.4.1 255.255.255.0
ip access-group 100 in
duplex auto
speed auto


C:\>ping 192.168.6.1

Pinging 192.168.6.1 with 32 bytes of data:

Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.

Ping statistics for 192.168.6.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

 

C:\>ping 192.168.9.1

Pinging 192.168.9.1 with 32 bytes of data:

Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.

Ping statistics for 192.168.9.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

 

C:\>ping 192.168.60.1

Pinging 192.168.60.1 with 32 bytes of data:

Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.

Ping statistics for 192.168.60.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

 

C:\>ping 192.168.65.1

Pinging 192.168.65.1 with 32 bytes of data:

Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.

Ping statistics for 192.168.65.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

 

C:\>ping 192.168.69.1

Pinging 192.168.69.1 with 32 bytes of data:

Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.

Ping statistics for 192.168.69.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

 

C:\>ping 172.98.10.1

Pinging 172.98.10.1 with 32 bytes of data:

Reply from 172.98.10.1: bytes=32 time<1ms TTL=255
Reply from 172.98.10.1: bytes=32 time<1ms TTL=255
Reply from 172.98.10.1: bytes=32 time<1ms TTL=255
Reply from 172.98.10.1: bytes=32 time=4ms TTL=255

Ping statistics for 172.98.10.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 4ms, Average = 1ms

 

C:\>ping 10.10.20.1

Pinging 10.10.20.1 with 32 bytes of data:

Reply from 10.10.20.1: bytes=32 time=6ms TTL=255
Reply from 10.10.20.1: bytes=32 time<1ms TTL=255
Reply from 10.10.20.1: bytes=32 time<1ms TTL=255
Reply from 10.10.20.1: bytes=32 time<1ms TTL=255

Ping statistics for 10.10.20.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 6ms, Average = 1ms

 

C:\>ping 192.168.70.1

Pinging 192.168.70.1 with 32 bytes of data:

Reply from 192.168.70.1: bytes=32 time<1ms TTL=255
Reply from 192.168.70.1: bytes=32 time<1ms TTL=255
Reply from 192.168.70.1: bytes=32 time<1ms TTL=255
Reply from 192.168.70.1: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.70.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

 

C:\>ping 192.168.109.1

Pinging 192.168.109.1 with 32 bytes of data:

Reply from 192.168.109.1: bytes=32 time<1ms TTL=255
Reply from 192.168.109.1: bytes=32 time<1ms TTL=255
Reply from 192.168.109.1: bytes=32 time<1ms TTL=255
Reply from 192.168.109.1: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.109.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

 

C:\>ping 172.22.136.1

Pinging 172.22.136.1 with 32 bytes of data:

Reply from 172.22.136.1: bytes=32 time<1ms TTL=255
Reply from 172.22.136.1: bytes=32 time<1ms TTL=255
Reply from 172.22.136.1: bytes=32 time<1ms TTL=255
Reply from 172.22.136.1: bytes=32 time<1ms TTL=255

Ping statistics for 172.22.136.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

 

C:\>ping 192.168.177.1

Pinging 192.168.177.1 with 32 bytes of data:

Reply from 192.168.177.1: bytes=32 time<1ms TTL=255
Reply from 192.168.177.1: bytes=32 time<1ms TTL=255
Reply from 192.168.177.1: bytes=32 time<1ms TTL=255
Reply from 192.168.177.1: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.177.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Hello

The op states:

I need block VLANs from 4-9 & 60-69 to communicate each other

@Georg Pauwen 
I'm not sure you are understanding what I am trying to state. Your summarisation encompasses a vast range of addressing which isn't being used or not shown. That kind of summarisation over such a large IP range isn't feasible, especially when we don't know the environment. The OP is asking a question about using smaller ACLs, but to provide such an example when we don't know the exact circumstances isn't viable; it would then be best to be as specific as possible.

If that ACL you posted was applied to a production network and the network indeed had subnets within that aggregate, then it would fail... drastically.

Maybe I am too cautious in my approach, but I tend to think in real scenarios and of the overall picture the OP is trying to show.



Kind Regards
Paul

Hi @Georg Pauwen 

My environment includes VLANs 4-9 and 60-69 and other VLANs, so when I tried your configuration it blocked VLANs 2, 3, 10 and above.

My scenario and Packet Tracer image are simple and summarized.

 

 

thank you again brother
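As an added example (not code from this thread, nor from Cisco), the Python below models IOS wildcard-mask matching for `permit|deny ip SRC WILD DST WILD` entries and checks each ACL posted above against the policy from the opening post, as if applied inbound on one isolated VLAN's SVI. The subnets are the ones the OP listed; the 192.168.2.0/24, 192.168.3.0/24 and 192.168.10.0/24 placeholders for the "other VLANs" the OP mentions are assumptions, as is testing one host per subnet. The implicit deny at the end of every IOS ACL is modelled. The `wildcard_cover` helper goes one step beyond the thread: it computes the smallest single wildcard entry (non-contiguous wildcards are legal on IOS) for a set of 192.168.X.0/24 subnets and how many unrelated /24s it drags in.

```python
"""Check Cisco-style extended ACLs against the inter-VLAN policy in this thread.

Added example, not from the thread. Policy: VLANs 4-9 and 60-69 must not reach
each other, must reach IT, printers and servers, and other VLANs are untouched.
"""
import ipaddress

# Subnets from the opening post.
ISOLATED = {"vlan4": "192.168.4.0/24", "vlan6": "192.168.6.0/24",
            "vlan9": "192.168.9.0/24", "vlan60": "192.168.60.0/24",
            "vlan65": "192.168.65.0/24", "vlan69": "192.168.69.0/24"}
SHARED = {"IT": "192.168.177.0/24", "printer": "192.168.70.0/24",
          "vlan20": "10.10.20.0/24", "vlan109": "192.168.109.240/28",
          "vlan136": "172.22.136.0/24", "vlan98": "172.98.10.224/29"}
# Assumed placeholders for the "other VLANs" (2, 3, 10) the OP mentions;
# the thread gives no addresses for them.
OTHER = {"vlan2": "192.168.2.0/24", "vlan3": "192.168.3.0/24",
         "vlan10": "192.168.10.0/24"}

MASK32 = 0xFFFFFFFF


def _addr(text):
    return int(ipaddress.IPv4Address(text))


def parse_acl(lines):
    """Parse ACE lines into (action, (src, src_wild), (dst, dst_wild)) tuples.

    A leading 'access-list <n>' (numbered syntax) is skipped so the named and
    numbered forms in the thread parse identically. Only 'ip' ACEs are handled.
    """
    acl = []
    for line in lines:
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list":
            tok = tok[2:]
        action, proto, rest = tok[0], tok[1], tok[2:]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError("unsupported ACE: " + line)
        ends = []
        for _ in range(2):
            if rest[0] == "any":                 # any == 0.0.0.0 255.255.255.255
                ends.append((0, MASK32)); rest = rest[1:]
            elif rest[0] == "host":              # host A == A 0.0.0.0
                ends.append((_addr(rest[1]), 0)); rest = rest[2:]
            else:
                ends.append((_addr(rest[0]), _addr(rest[1]))); rest = rest[2:]
        acl.append((action, ends[0], ends[1]))
    return acl


def ace_end_matches(addr, base, wild):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    return ((addr ^ base) & (~wild & MASK32)) == 0


def acl_action(acl, src, dst):
    """First matching ACE wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for action, (sb, sw), (db, dw) in acl:
        if ace_end_matches(src, sb, sw) and ace_end_matches(dst, db, dw):
            return action
    return "deny"


def violations(acl, src_vlan):
    """Destinations handled contrary to policy for an ACL applied 'in' on src_vlan's SVI.

    Returns a sorted list of (destination, what_the_acl_did).
    """
    everything = {**ISOLATED, **SHARED, **OTHER}
    src = int(ipaddress.IPv4Network(ISOLATED[src_vlan])[10])   # one host in the VLAN
    bad = []
    for name, cidr in everything.items():
        if name == src_vlan:
            continue                  # intra-VLAN traffic never crosses the SVI
        want = "deny" if name in ISOLATED else "permit"
        got = acl_action(acl, src, int(ipaddress.IPv4Network(cidr)[1]))
        if got != want:
            bad.append((name, got))
    return sorted(bad)


def wildcard_cover(third_octets):
    """Smallest single '192.168.BASE.0 0.0.WILD.255' entry covering the given /24s.

    Returns (base, wild, extra): bits that differ anywhere in the set must be
    wildcarded, so 'extra' is how many unrelated /24s the entry also matches.
    """
    base, wild = third_octets[0], 0
    for v in third_octets:
        wild |= base ^ v
    base &= ~wild & 0xFF
    return base, wild, 2 ** bin(wild).count("1") - len(set(third_octets))


if __name__ == "__main__":
    georg = parse_acl(["access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.0.0 0.0.63.255",
                       "access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.65.0 0.0.0.255",
                       "access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.69.0 0.0.0.255",
                       "access-list 100 permit ip any any"])
    print("on vlan4:", violations(georg, "vlan4"))
    print("on vlan65:", violations(georg, "vlan65"))
    print("cover all six:", wildcard_cover([4, 6, 9, 60, 65, 69]))
```

Run against the three ACLs in the thread, the check reproduces the reported results: the OP's original list denies the printer and VLAN 109 (and the placeholder VLANs 2, 3, 10); the 0.0.63.255 summary fixes the printer and VLAN 109 but still denies VLANs 2, 3 and 10, which is what the OP saw, and applied on VLAN 65's SVI it denies nothing at all because its source ranges stop at 192.168.63.255; the per-destination list for VLAN 4 has no violations. `wildcard_cover` shows the only exact pairings available are 4 with 6 (192.168.4.0 0.0.2.255) and 65 with 69 (192.168.65.0 0.0.4.255); one entry for all six would pull in 122 unused /24s.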

 
