Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
945
Views
0
Helpful
3
Replies

Restrict IP's in VLAN from communicating while allowing others to communicate

Go to solution
lukesmiller
Level 1
Level 1

‎07-26-2019 05:53 PM

I have a 3750 IOS switch running 12.2

VLAN 10

 ip address 192.168.10.1 255.255.255.0

 

I want to allow the following IP's to talk to each other but block them from talking to any other IP in the VLAN - there are about 50 servers in the VLAN.

 

192.168.10.40

192.168.10.155

192.168.10.231

 

Thank you 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Georg Pauwen
VIP
VIP

‎07-27-2019 02:08 AM

Hello,

 

I have come up with the VACL below. Since you probably want to the hosts and the rest of Vlan 10 to access other servers within teh Vlan, as well as outside networks, the lines after the three permit statements have been added to circumvent the implicit 'deny all' at the end of the access list:

 

ip access-list extended VLAN_10_ACCESS
permit ip host 192.168.10.40 host 192.168.10.155
permit ip host 192.168.10.40 host 192.168.10.231
permit ip host 192.168.10.155 host 192.168.10.231
deny ip 192.168.10.0 0.0.0.255 host 192.168.10.40
deny ip 192.168.10.0 0.0.0.255 host 192.168.10.155
deny ip 192.168.10.0 0.0.0.255 host 192.168.10.231
permit ip 192.168.10.0 0.0.0.255 any

!

vlan access-map VACL_BLOCK 10
match ip address VLAN_10_ACCESS
action forward
!
vlan filter VACL_BLOCK vlan-list 10

View solution in original post

0 Helpful
3 Replies 3

Go to solution
luis_cordova
VIP Alumni
VIP Alumni

‎07-26-2019 07:40 PM - edited ‎07-26-2019 07:50 PM

Hi @lukesmiller ,

 

In this case, I recommend that you leave those IPs on a different vlan than the other devices and apply an ACL to deny access to that vlan.

 

Regards

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎07-27-2019 01:29 AM

You can start with VLAN ACL (VACL)

 

below guide to start with :

 

https://networklessons.com/cisco/ccie-routing-switching/vlan-access-list-vacl

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Georg Pauwen
VIP
VIP

‎07-27-2019 02:08 AM

Hello,

 

I have come up with the VACL below. Since you probably want to the hosts and the rest of Vlan 10 to access other servers within teh Vlan, as well as outside networks, the lines after the three permit statements have been added to circumvent the implicit 'deny all' at the end of the access list:

 

ip access-list extended VLAN_10_ACCESS
permit ip host 192.168.10.40 host 192.168.10.155
permit ip host 192.168.10.40 host 192.168.10.231
permit ip host 192.168.10.155 host 192.168.10.231
deny ip 192.168.10.0 0.0.0.255 host 192.168.10.40
deny ip 192.168.10.0 0.0.0.255 host 192.168.10.155
deny ip 192.168.10.0 0.0.0.255 host 192.168.10.231
permit ip 192.168.10.0 0.0.0.255 any

!

vlan access-map VACL_BLOCK 10
match ip address VLAN_10_ACCESS
action forward
!
vlan filter VACL_BLOCK vlan-list 10

0 Helpful
Customers Also Viewed These Support Documents