Prevent one VLAN from accessing other VLANs

ittechk4u1
Level 4

Hello experts,

I have the following VLANs:

int vlan 1
 des *** Guest
 ip add 192.168.1.0/24
!
int vlan 2
 des *** Data1
 ip add 192.168.2.0/24
!
int vlan 3
 des *** Data2
 ip add 192.168.3.0/24
!
int vlan 4
 des *** Data3
 ip add 192.168.4.0/24
!

What I need to achieve:

Scenario 1:

1. Block all communication from VLAN 1 to the other VLANs (2, 3, 4).

2. The other VLANs (2, 3, 4) must have access to VLAN 1.

Scenario 2:

1. Block all communication from VLAN 1 to the other VLANs (2, 3, 4).

2. The other VLANs (2, 3, 4) must also not have access to VLAN 1.

Can anyone help me create an ACL, or suggest any other method, to solve this?

Thanks

8 Replies

Mark Malone
VIP Alumni

Hi

Scenario 2 = block VLAN 1 speaking to each other VLAN, and then reverse it: block VLANs 2, 3, 4 speaking into VLAN 1. Apply the ACL to the VLAN 1 interface.

From this you can easily work out scenario 1 if you need to. Another way would be to use VRFs as an alternative solution.

access-list 108 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 108 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 108 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255

access-list 108 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 deny   ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 permit ip any any

int vlan 1
 ip access-group 108 in
 ip access-group 108 out

I think this is for scenario 2:

access-list 108 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 108 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 108 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255

access-list 108 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 deny   ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 permit ip any any

int vlan 1
 ip access-group 108 in
 ip access-group 108 out

Is it correct?

What will be the ACL for scenario 1?

Thanks

That's exactly what I posted for scenario 2. Scenario 1 would have permit statements like below, as it allows VLANs 2, 3, 4 to speak; as you stated, they must have access to VLAN 1.

access-list 108 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 108 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 108 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255

access-list 108 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 permit ip any any

int vlan 1
 ip access-group 108 in
 ip access-group 108 out

Thanks again.

Scenario 2 is working but not scenario 1.

Here is what I did for scenario 1:

access-list 108 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 108 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 permit ip any any
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
 ip access-group 108 in
 ip access-group 108 out
!
interface Vlan2
 ip address 192.168.2.254 255.255.255.0
!

Output:

SWITCH#ping 192.168.2.254 source vlan 1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.254, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
!
!
!
SWITCH#ping 192.168.1.254 source vlan 2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
SWITCH#

Where am I making the mistake?

Thanks

Try adding the ACL to the VLAN 2 interface as well.

Yes, now with this config it is working:

access-list 108 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 108 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 permit ip any any
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
 ip access-group 108 in
 ip access-group 108 out
!
interface Vlan2
 ip address 192.168.2.254 255.255.255.0
 ip access-group 108 in
 ip access-group 108 out
!

Thanks again.

Cool, good stuff.

Another option is using VLAN ACLs (VACLs).

>> Mark as helpful or answered if the reply solved the question; this helps future queries from other community members. <<
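The numbered ACLs exchanged in this thread are stateless: every packet is checked on its own, top to bottom, first match wins, and anything that matches nothing hits the implicit deny at the end. A useful check before applying such a list to an SVI is to trace both halves of a real flow through it, because a self-ping from the switch's own SVI addresses does not exercise the list the way host traffic does. The following Python evaluator is an added example, not code from the thread or from Cisco: it parses `access-list` lines in the exact syntax used above (including `any`, `host` and the IOS `established` keyword, which matches TCP segments carrying ACK or RST), evaluates a packet against them with wildcard-mask matching, and runs a TCP handshake from VLAN 2 to VLAN 1 through the scenario 1 list. ACL 109 and the host addresses 192.168.1.10 / 192.168.2.10 are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# An IOS address spec as (address, wildcard) integers; the wildcard bits are "don't care".
AddrSpec = Tuple[int, int]


@dataclass
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "ip" (matches everything), "tcp", "udp", "icmp"
    src: AddrSpec
    dst: AddrSpec
    established: bool = False  # only meaningful for tcp: needs ACK or RST set


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume one address spec at tokens[i]: 'any', 'host X', or 'X WILDCARD'."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wildcard), i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'access-list N permit|deny PROTO SRC DST [established]' lines in order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue  # skip blank lines and '!' separators
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        entries.append(AclEntry(action, proto, src, dst, "established" in tokens[i:]))
    return entries


def _matches(spec: AddrSpec, ip: str) -> bool:
    """IOS wildcard match: bits set in the wildcard are ignored, all others must agree."""
    addr, wildcard = spec
    care_bits = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) ^ addr) & care_bits == 0


def evaluate(entries: List[AclEntry], src: str, dst: str, proto: str = "ip",
             tcp_flags: Tuple[str, ...] = ()) -> Tuple[str, Optional[int]]:
    """First-match evaluation; returns (action, 1-based entry number) or ('deny', None)
    for the implicit deny that terminates every IOS ACL."""
    for n, e in enumerate(entries, 1):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_matches(e.src, src) and _matches(e.dst, dst)):
            continue
        if e.established and not ({"ACK", "RST"} & set(tcp_flags)):
            continue
        return e.action, n
    return "deny", None


def check_tcp_session(acl_text: str, client: str, server: str) -> Tuple[str, str]:
    """Trace a client's SYN and the server's SYN-ACK through one ACL."""
    entries = parse_acl(acl_text)
    syn, _ = evaluate(entries, client, server, "tcp", ("SYN",))
    synack, _ = evaluate(entries, server, client, "tcp", ("SYN", "ACK"))
    return syn, synack


# The scenario 1 list as posted in the thread (VLAN 2 allowed into VLAN 1, not the reverse).
SCENARIO1_ACL = """
access-list 108 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 108 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 permit ip any any
"""

# Constructed variant: replies to TCP sessions that VLAN 2 opened are matched by
# 'established' before the blanket deny, while new connections from VLAN 1 are still dropped.
HARDENED_ACL = """
access-list 109 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 established
access-list 109 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 109 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 109 permit ip any any
"""

if __name__ == "__main__":
    client, server = "192.168.2.10", "192.168.1.10"   # constructed hosts
    print("scenario 1 (SYN, SYN-ACK):", check_tcp_session(SCENARIO1_ACL, client, server))
    print("hardened   (SYN, SYN-ACK):", check_tcp_session(HARDENED_ACL, client, server))
    print("new session from VLAN 1:", evaluate(parse_acl(HARDENED_ACL), server, client, "tcp", ("SYN",)))
```

Running it shows the point the trace makes: with the scenario 1 list, the SYN from VLAN 2 is permitted by entry 2 but the SYN-ACK coming back from VLAN 1 is dropped by entry 1, so a stateless "one-way" list needs an explicit return-path rule (here `established`, or a reflexive ACL) placed above the deny. Because an SVI's `in` direction sees traffic arriving from that VLAN and `out` sees traffic the switch forwards into it, the same trace applies whichever interface the list is bound to.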