cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
466
Views
0
Helpful
11
Replies

access and deny different v lan

piyush.mishra61
Level 1
Level 1

Hi

I have a cisco 4507 . 

different vlans are there for diff dept/nw

as 101 for a, 102 for b 103 for c, 104 s, 105 for t

 the ip add of 105 is 172.16.0.1 255.255.0.0

the ip add for 104 is 10.1.0.1 255.255.255.240

my requirments are,

1.i dont want to give the access to vlan 104 from vlan 105,

2 but i need some specific end user in vlan 105 to access v lan 104,

if its possible kindly give the syntax..

1 Accepted Solution

Accepted Solutions

Hello,

Access-list 110 permit ip  172.16.0.1 0.0.0.0 10.1.0.0 0.0.0.15  [ for some users to 10.0.1.0]

Access-list 110 permit ip  172.16.0.2 0.0.0.0 10.1.0.0 0.0.0.15  [ for some users to 10.0.1.0]

Access-list 110 permit ip  172.16.0.3 0.0.0.0 10.1.0.0 0.0.0.15   [ for some users to 10.0.1.0]

Access-list 110 deny ip 172.16.0.0 0.0.255.255 10.0.1.0 0.0.0.15  [others deny to 10.0.1.0]

Access-list 110 permit ip any any [ allowing other vlans traffic destined to vlan 104]

int vlan 104

    ip access-group 110 in

Masoud

View solution in original post

11 Replies 11

Hello,

Access-list 110 permit ip  172.16.0.1 0.0.0.0 10.1.0.0 0.0.0.15  [ for some users to 10.0.1.0]

Access-list 110 permit ip  172.16.0.2 0.0.0.0 10.1.0.0 0.0.0.15  [ for some users to 10.0.1.0]

Access-list 110 permit ip  172.16.0.3 0.0.0.0 10.1.0.0 0.0.0.15   [ for some users to 10.0.1.0]

Access-list 110 deny ip 172.16.0.0 0.0.255.255 10.0.1.0 0.0.0.15  [others deny to 10.0.1.0]

Access-list 110 permit ip any any [ allowing other vlans traffic destined to vlan 104]

int vlan 104

    ip access-group 110 in

Masoud

thx masoud, ur answer helped me out..

thx to all of u for giving ur feedback..

You are welcome. I am happy it worked for you.

Masoud

Hello

Try this:

Edited - I interpreted the OP traffic the wrong way around - which was hightighted to me by Masoud, so the changes are in bold

Example:
Denying vlan 105 to access vlan 104
Allow vlan 104 to access vlan 105
----------------------------------------------------


vlan 105= 172.16.0.1/24
vlan 104= 10.0.1.0/28

Ip access-list extended Stan_acl
Permit tcp 172.16.0.0 0.0.0.255 any established
deny tcp 172.16.0.0 0.0.0.255 any
permit ip any any


int vlan 104
Ip access-group Stan-acl Out

SVi logic -
------------------
IN= From within vlan going outside
OUT = Outside going into Vlan


res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello Paul,

Please take a closer look at your answer. I know the question is a little confusing.

The question is some users from vlan 105 to 104. Yours is some users from vlan 104.

Best,

Masoud

Hello Masoud -- Lol your correct-

I guess my misinterpretation of the OP strikes again!
Although the concept is applicable- I guess it needs to be amending

Cheer for highlighting this.

Much appreciated

Res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I did not want to be pedantic. I had hard time to interpret it as well.

Best,

Masoud

Hello

Non taken-

As I have added the ACL logic  to thse SVI's -
-
IN= From within vlan going outside
OUT = Outside going into Vlan

So giiven my posting and the acl logic:

 - Permit any return tcp traffic from vlan105 initated from vlan 104
 - deny any thing else from vlan 105
 - allow access to anything else to/from vlan 104

hope this clears things up

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I think the problem still is misinterpretation of the question.

You supposed this:

Denying vlan 105 to access vlan 10
Allow vlan 104 to access vlan 10

while it should be this:

allowing only some users from vlan 105 to 104 [question2]

denying the rest of the users from vlan 105 to 104 [question 1]

allowing other vlans to access to vlan 104

Masoud

Hello Masoud

That is correct - but what I was showing was mainly the concept of the svi logic and a generic way of proibiting access 1 way to/from a vlan.

If the OP understands that then they can easliy ammend the ACL to allow whatever access they desire.

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I think out should be in. 172.16.0.0 are coming from 105 to vlan 104. Out means outgoing traffic from 104. We need to filter incoming traffic.

int vlan 104
Ip access-group Stan-acl Out  to IN

res,

Masoud

Review Cisco Networking products for a $25 gift card