2292 Views · 10 Helpful · 7 Replies

Restrict inter-VLAN routing

angristan
Level 1

Hello,

 

Here is my topology:

Screenshot 2019-05-11 at 22.17.04.png

 

I have dynamic NAT on ffw.lim.rt01.

VLAN 10's gateway is 10.0.1.1 on ffw.lim.rt01's g0/1.10. VLAN 20's gateway is 10.0.1.17 on ffw.lim.rt01's g0/1.20.

The VPCS can ping each other.

VPCS can ping 72.145.30.1 thanks to NAT.

 

I want my VPCS to still be able to access fai.rt01, but not each other; that is, I want to restrict routing between VLAN 10 and VLAN 20.

 

On ffw.lim.rt01 I have tried this:

access-list 101 deny ip 10.1.1.17 0.0.0.7 10.0.1.1 0.0.0.15
access-list 101 permit ip any any

access-list 102 deny ip 10.0.1.1 0.0.0.15 10.0.1.17 0.0.0.7
access-list 102 permit ip any any

int g0/1.10
ip access-group 102 out
int g0/1.20
ip access-group 101 out

It does not do anything. When I remove "permit ip any any", it works, except my VPCS can't ping 72.145.30.1 anymore.

 

What am I missing? Is it related to the NAT?

1 Accepted Solution

jurczak
Level 1

Try changing the direction from out to in.

Also the source IP should be 10.0.1.0


7 Replies

balaji.bandi
Hall of Fame

At a high level, the ACL below is wrong:

 

access-list 101 deny ip 10.1.1.17 0.0.0.7 10.0.1.1 0.0.0.15   <<-- this should be 10.0.1.17

Can you post the config of the switch and router so we can look again?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks, it does not change anything though.

 

By the way, I updated my message under the ACL ("It does not do anything. When I remove "permit ip any any", it works, except my VPCS can't ping 72.145.30.1 anymore.").

 

Here are the configs:

 

ffw.lim.rt01#show running-config
Building configuration...

Current configuration : 3963 bytes
!
! Last configuration change at 20:51:59 UTC Sat May 11 2019
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ffw.lim.rt01
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
no process cpu autoprofile hog
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
no cdp log mismatch duplex
no cdp run
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 72.145.30.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
interface GigabitEthernet0/1
 no ip address
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.0.1.1 255.255.255.240
 ip access-group 102 out
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.0.1.17 255.255.255.248
 ip access-group 101 out
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
!
!
access-list 1 permit 10.0.1.0 0.0.0.15
access-list 1 permit 10.0.1.16 0.0.0.7
access-list 101 deny   ip 10.0.1.16 0.0.0.7 10.0.1.0 0.0.0.15
access-list 102 deny   ip 10.0.1.0 0.0.0.15 10.0.1.16 0.0.0.7
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end
ffw.lim.sw01#sh run
Building configuration...

*May 11 20:54:18.539: %SYS-5-CONFIG_I: Configured from console by console
Current configuration : 4081 bytes
!
! Last configuration change at 20:54:18 UTC Sat May 11 2019
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname ffw.lim.sw01
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
no ip routing
!
!
!
no ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 switchport trunk allowed vlan 10,20
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/1
 switchport mode access
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/2
 switchport mode access
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/3
 switchport mode access
 media-type rj45
 negotiation auto
!
interface GigabitEthernet1/0
 switchport access vlan 20
 switchport mode access
 media-type rj45
 negotiation auto
!
interface GigabitEthernet1/1
 switchport access vlan 10
 switchport mode access
 media-type rj45
 negotiation auto
!
interface GigabitEthernet1/2
 switchport access vlan 10
 switchport mode access
 media-type rj45
 negotiation auto
!
interface GigabitEthernet1/3
 switchport access vlan 10
 switchport mode access
 media-type rj45
 negotiation auto
!
interface GigabitEthernet2/0
 media-type rj45
 negotiation auto
!
interface GigabitEthernet2/1
 media-type rj45
 negotiation auto
!
interface GigabitEthernet2/2
 media-type rj45
 negotiation auto
!
interface GigabitEthernet2/3
 media-type rj45
 negotiation auto
!
interface GigabitEthernet3/0
 media-type rj45
 negotiation auto
!
interface GigabitEthernet3/1
 media-type rj45
 negotiation auto
!
interface GigabitEthernet3/2
 media-type rj45
 negotiation auto
!
interface GigabitEthernet3/3
 media-type rj45
 negotiation auto
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan20
 no ip address
 no ip route-cache
 shutdown
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end

Am I missing some info here? Where is your default gateway pointing to?

BB


On the router? I don't have one.

jurczak
Level 1

Try changing the direction from out to in.

Also the source IP should be 10.0.1.0

Thank you very much.

 

This works:

 

access-list 101 deny ip 10.0.1.16 0.0.0.7 10.0.1.0 0.0.0.15
access-list 101 permit ip any any

access-list 102 deny ip 10.0.1.0 0.0.0.15 10.0.1.16 0.0.0.7
access-list 102 permit ip any any

int g0/1.10
ip access-group 102 in
int g0/1.20
ip access-group 101 in
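
To see why the original "out" placement matched nothing and the accepted "in" placement works, here is an added Python model of IOS extended-ACL evaluation on this router. It is an editorial example, not code from the thread or from Cisco; the interface networks and the ACL entries are taken from the running-config above, while the host addresses (10.0.1.2, 10.0.1.18) and the flow names are constructed for the simulation. It also shows the wildcard normalization that turned "10.0.1.17 0.0.0.7" into "10.0.1.16" in show run, and why the implicit deny broke the NATed ping.

```python
"""Model of IOS extended ACL evaluation on ffw.lim.rt01 (added example).

Order of operations modelled, as IOS does it: inbound ACL on the ingress
interface, then routing, then outbound ACL on the egress interface.
"""
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")           # "any" keyword


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a set bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def normalize(base: str, wildcard: str) -> str:
    """IOS clears the don't-care bits when it stores an ACE, which is why
    'deny ip 10.0.1.17 0.0.0.7 ...' shows up as 10.0.1.16 in 'show run'."""
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(b & ~w))


@dataclass
class Ace:
    action: str          # "permit" or "deny"
    src: tuple           # (base, wildcard)
    dst: tuple


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst):
            return ace.action
    return "deny"


# Connected networks of ffw.lim.rt01, from the running-config in the thread.
INTERFACES = {
    "g0/0":    ipaddress.ip_network("72.145.30.0/30"),
    "g0/1.10": ipaddress.ip_network("10.0.1.0/28"),
    "g0/1.20": ipaddress.ip_network("10.0.1.16/29"),
}


def egress_for(dst: str):
    for name, net in INTERFACES.items():
        if ipaddress.ip_address(dst) in net:
            return name
    return None          # only connected routes exist, no default route


def forward(src: str, dst: str, ingress: str, bindings: dict) -> str:
    """bindings maps (interface, "in"|"out") to an ACL; absent means no ACL."""
    acl_in = bindings.get((ingress, "in"))
    if acl_in is not None and evaluate(acl_in, src, dst) == "deny":
        return "deny"
    egress = egress_for(dst)
    if egress is None:
        return "deny"
    acl_out = bindings.get((egress, "out"))
    return evaluate(acl_out, src, dst) if acl_out is not None else "permit"


# ACL entries as stored by IOS (already-normalized bases).
VLAN10 = ("10.0.1.0", "0.0.0.15")
VLAN20 = ("10.0.1.16", "0.0.0.7")
ACL101 = [Ace("deny", VLAN20, VLAN10), Ace("permit", ANY, ANY)]
ACL102 = [Ace("deny", VLAN10, VLAN20), Ace("permit", ANY, ANY)]

# Constructed flows: (src, dst, ingress interface). For the ISP reply, the
# outside->inside NAT translation runs before routing and before the
# outbound ACL, so the ACL already sees the inside local address.
FLOWS = {
    "vlan10->vlan20": ("10.0.1.2",    "10.0.1.18",   "g0/1.10"),
    "vlan20->vlan10": ("10.0.1.18",   "10.0.1.2",    "g0/1.20"),
    "vlan10->isp":    ("10.0.1.2",    "72.145.30.1", "g0/1.10"),
    "isp->vlan10":    ("72.145.30.1", "10.0.1.2",    "g0/0"),
}

ORIGINAL      = {("g0/1.10", "out"): ACL102,      ("g0/1.20", "out"): ACL101}
NO_PERMIT_ANY = {("g0/1.10", "out"): ACL102[:1],  ("g0/1.20", "out"): ACL101[:1]}
ACCEPTED      = {("g0/1.10", "in"):  ACL102,      ("g0/1.20", "in"):  ACL101}


def run(bindings: dict) -> dict:
    return {n: forward(s, d, i, bindings) for n, (s, d, i) in FLOWS.items()}


if __name__ == "__main__":
    for label, b in (("original", ORIGINAL), ("no permit any", NO_PERMIT_ANY),
                     ("accepted", ACCEPTED)):
        print(label, run(b))
```

Running it shows the three states the thread went through: with the "out" placement every flow is permitted, because a packet leaving g0/1.20 always has a VLAN 10 source and the deny in ACL 101 only matches VLAN 20 sources (and vice versa on g0/1.10); dropping "permit ip any any" then denies everything leaving either sub-interface, including the NATed reply from 72.145.30.1; moving the lists to "in" on the sub-interface the traffic enters makes the source address the one the deny entry expects, while internet traffic still falls through to the permit.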

I am glad I could help