Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
328
Views
1
Helpful
3
Replies

separating/isolating a vlan

Go to solution
roncro
Level 3
Level 3

‎02-17-2024 03:28 PM - last edited on ‎02-18-2024 10:17 PM by Community Manager

Hello, 

if I want to separate/segregate one vlan (vlan10) from everything else, I think I can use an access-list like:

access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.1.1 0.0.0.0  correct?

The idea is that any ip in the 192.168.10.0 network is allowed, and the only other host is the router (192.168.1.1) or is there a better way  to do this on a Cisco 2951? (I put 192.168.1.1 in that list because I do not want to break connection to the internet/wan for machines in vlan10)

 

Ron

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
paul driver
VIP
VIP
In response to roncro

‎02-18-2024 12:47 AM

Hello Ron
Yes that looks like it should do it.

FYI - the acl logic applied to an SVI on a switch.
IN = traffic originating from withIN vlan
OUT=  traffic originating from OUT the vlan


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

3 Replies 3

Go to solution
paul driver
VIP
VIP

‎02-17-2024 03:46 PM - last edited on ‎02-18-2024 10:15 PM by Community Manager

Hello

Example:
ip access-list extended novlans 
deny ip any 10.10.5.0 0.0.0.255 < vlan 5>
deny ip any 10.10.6.0 0.0.0.255 < vlan 6>
etc..
permit ip any any

Int vlan 10
ip access-group novlans IN


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Go to solution
roncro
Level 3
Level 3
In response to paul driver

‎02-17-2024 04:08 PM - last edited on ‎02-18-2024 10:19 PM by Community Manager

Hello Paul,

so I have to mention every other vlan?  or could I do something like:

 

ip access-list extended noothervlans

permit ip any 10.10.10.0 0.0.0.255 <vlan 10>


deny ip any 10.10.0.0 0.0.255.255 <all 'other' vlans>


permit ip any any




Int vlan 10

ip access-group noothervlans IN

 

I wonder if access-list work in a "linux pam" way, or iptables,  applying the first rule, top down, that applies. (in this case you'd hit "if you're in 10.10.10.0 you're good to go"  if not, next rule,  "anything else in private space can't go there".

The example you gave undoubtedly works,  but whenever I create a new vlan, I have to not forget adding it to the vlan 10 access-list, that's why I'd like/prefer a "access only for this subnet/vlan" rule instead of  denying everything else.

Can that be done?

thanks,

Ron

 

 

0 Helpful

Go to solution
paul driver
VIP
VIP
In response to roncro

‎02-18-2024 12:47 AM

Hello Ron
Yes that looks like it should do it.

FYI - the acl logic applied to an SVI on a switch.
IN = traffic originating from withIN vlan
OUT=  traffic originating from OUT the vlan


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card