11-18-2015 12:58 PM - edited 03-08-2019 02:45 AM
Hi,
I have a Cisco 4507.
Different VLANs are there for different departments/networks, e.g. 101 for a, 102 for b, 103 for c, 104 for s, 105 for t.
The IP address of VLAN 105 is 172.16.0.1 255.255.0.0.
The IP address of VLAN 104 is 10.1.0.1 255.255.255.240.
My requirements are:
1. I don't want to give access to VLAN 104 from VLAN 105,
2. but I need some specific end users in VLAN 105 to access VLAN 104.
If it's possible, kindly give the syntax.
11-18-2015 01:52 PM
Hello,
access-list 110 permit ip 172.16.0.1 0.0.0.0 10.1.0.0 0.0.0.15   [specific user to 10.1.0.0/28]
access-list 110 permit ip 172.16.0.2 0.0.0.0 10.1.0.0 0.0.0.15   [specific user to 10.1.0.0/28]
access-list 110 permit ip 172.16.0.3 0.0.0.0 10.1.0.0 0.0.0.15   [specific user to 10.1.0.0/28]
access-list 110 deny ip 172.16.0.0 0.0.255.255 10.1.0.0 0.0.0.15   [everyone else in VLAN 105 denied to 10.1.0.0/28; destination corrected from 10.0.1.0 to match the VLAN 104 subnet above]
access-list 110 permit ip any any   [allowing other VLANs' traffic destined to VLAN 104]
int vlan 104
ip access-group 110 in
Masoud
11-23-2015 12:16 PM
Thanks Masoud, your answer helped me out.
Thanks to all of you for giving your feedback.
11-23-2015 02:03 PM
You are welcome. I am happy it worked for you.
Masoud
11-18-2015 02:04 PM
Hello
Try this:
Edited - I interpreted the OP's traffic the wrong way around, which was highlighted to me by Masoud, so the changes are in bold.
Example:
Denying vlan 105 to access vlan 104
Allow vlan 104 to access vlan 105
----------------------------------------------------
vlan 105= 172.16.0.1/24
vlan 104= 10.0.1.0/28
ip access-list extended Stan_acl
 permit tcp 172.16.0.0 0.0.0.255 any established
 deny tcp 172.16.0.0 0.0.0.255 any
 permit ip any any
int vlan 104
 ip access-group Stan_acl out
SVi logic -
------------------
IN= From within vlan going outside
OUT = Outside going into Vlan
res
Paul
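To make the first-match behaviour of the two lists in this thread (Masoud's numbered ACL 110 and Paul's Stan_acl with the `established` keyword) visible, here is a small evaluator. It is an added example, not something posted in the thread or shipped with Cisco IOS. It assumes contiguous wildcard masks (all the thread uses), and its copy of ACL 110 uses 10.1.0.0/28 in the deny line, on the assumption that the 10.0.1.0 in the post was a typo for the VLAN 104 subnet the OP gave.

```python
"""First-match evaluator for Cisco-style IPv4 ACL entries (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"      # "ip" in a packet means "some IP protocol"; use tcp/udp/icmp to be specific
    tcp_ack: bool = False  # ACK or RST set: this is what the "established" keyword tests


def _wildcard_to_network(addr, wildcard):
    """Cisco wildcard: 0 bits must match, 1 bits are don't-care. Invert it into a netmask."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF  # assumes a contiguous wildcard
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def _addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return _wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text):
    """Return entries as (action, proto, src_net, dst_net, established) in list order."""
    entries = []
    for raw in text.strip().splitlines():
        line = raw.split("[")[0].split("!")[0].strip().lower()  # drop bracket/! comments
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "remark"):
            continue                   # "ip access-list extended NAME" header, or a remark
        if tokens[0] == "access-list":
            tokens = tokens[2:]        # numbered ACL: skip "access-list 110"
        action, proto = tokens[0], tokens[1]
        src, i = _addr(tokens, 2)
        dst, i = _addr(tokens, i)
        entries.append((action, proto, src, dst, "established" in tokens[i:]))
    return entries


def evaluate(entries, pkt):
    """First matching entry wins; an implicit deny follows the list. Returns (action, index)."""
    for idx, (action, proto, src, dst, est) in enumerate(entries):
        if proto != "ip" and proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in src or ipaddress.ip_address(pkt.dst) not in dst:
            continue
        if est and not (pkt.proto == "tcp" and pkt.tcp_ack):
            continue
        return action, idx
    return "deny", None


# Masoud's ACL 110 (deny destination taken as 10.1.0.0/28, the VLAN 104 subnet; see lead-in).
ACL_110 = """
access-list 110 permit ip 172.16.0.1 0.0.0.0 10.1.0.0 0.0.0.15
access-list 110 permit ip 172.16.0.2 0.0.0.0 10.1.0.0 0.0.0.15
access-list 110 permit ip 172.16.0.3 0.0.0.0 10.1.0.0 0.0.0.15
access-list 110 deny ip 172.16.0.0 0.0.255.255 10.1.0.0 0.0.0.15
access-list 110 permit ip any any
"""

# Paul's Stan_acl entries, unchanged.
STAN_ACL = """
ip access-list extended Stan_acl
 permit tcp 172.16.0.0 0.0.0.255 any established
 deny tcp 172.16.0.0 0.0.0.255 any
 permit ip any any
"""


def check_requirements():
    """The OP's two requirements plus an edge case, using constructed sample packets."""
    acl = parse_acl(ACL_110)
    return {
        "allowed_user": evaluate(acl, Packet("172.16.0.1", "10.1.0.5"))[0],    # permit (line 1)
        "other_105_host": evaluate(acl, Packet("172.16.0.50", "10.1.0.5"))[0], # deny (line 4)
        "other_vlan": evaluate(acl, Packet("192.168.7.9", "10.1.0.5"))[0],     # permit (line 5)
        "outside_28": evaluate(acl, Packet("172.16.0.50", "10.1.0.16"))[0],    # permit: past the /28
    }


def check_established():
    """What the 'established' trick does and does not cover."""
    acl = parse_acl(STAN_ACL)
    return {
        "reply_to_104": evaluate(acl, Packet("172.16.0.9", "10.1.0.5", "tcp", tcp_ack=True))[0],  # permit
        "new_tcp_from_105": evaluate(acl, Packet("172.16.0.9", "10.1.0.5", "tcp"))[0],            # deny
        "udp_from_105": evaluate(acl, Packet("172.16.0.9", "10.1.0.5", "udp"))[0],                # permit
    }


if __name__ == "__main__":
    print(check_requirements())
    print(check_established())
```

Two things the evaluator makes obvious that are easy to miss when reading the posts: the `deny` in ACL 110 only covers the /28, so a mistyped destination (10.0.1.0 instead of 10.1.0.0) would leave everything falling through to `permit ip any any`; and Stan_acl's `established` line only ever matches TCP, so UDP and ICMP from VLAN 105 pass on the final `permit ip any any`. The evaluator says nothing about direction: in Cisco's SVI semantics, as Paul's "SVI logic" note describes, `in` sees packets arriving from hosts inside that VLAN and `out` sees packets being forwarded into it, so the list has to be applied where the VLAN 105 sources actually pass through it.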
11-18-2015 02:04 PM
Hello Paul,
Please take a closer look at your answer. I know the question is a little confusing.
The question is some users from vlan 105 to 104. Yours is some users from vlan 104.
Best,
Masoud
11-18-2015 02:17 PM
Hello Masoud -- lol, you're correct.
I guess my misinterpretation of the OP strikes again!
Although the concept is applicable, I guess it needs to be amended.
Cheers for highlighting this.
Much appreciated
Res
Paul
11-18-2015 02:28 PM
I did not want to be pedantic. I had a hard time interpreting it as well.
Best,
Masoud
11-18-2015 02:51 PM
Hello
None taken.
As I have added the ACL logic to these SVIs:
IN= From within vlan going outside
OUT = Outside going into Vlan
So given my posting and the ACL logic:
- Permit any return TCP traffic from VLAN 105 initiated from VLAN 104
- Deny anything else from VLAN 105
- Allow access to anything else to/from VLAN 104
Hope this clears things up.
res
Paul
11-18-2015 03:00 PM
I think the problem still is misinterpretation of the question.
You supposed this:
Denying vlan 105 to access vlan 104
Allow vlan 104 to access vlan 105
while it should be this:
allowing only some users from vlan 105 to 104 [question2]
denying the rest of the users from vlan 105 to 104 [question 1]
allowing other vlans to access to vlan 104
Masoud
11-18-2015 03:08 PM
Hello Masoud
That is correct, but what I was showing was mainly the concept of the SVI logic and a generic way of prohibiting access one way to/from a VLAN.
If the OP understands that, then they can easily amend the ACL to allow whatever access they desire.
res
Paul
11-18-2015 02:40 PM
I think "out" should be "in". 172.16.0.0 addresses are coming from VLAN 105 to VLAN 104. "Out" means outgoing traffic from 104. We need to filter incoming traffic.
int vlan 104
 ip access-group Stan_acl in   (Out changed to in)
res,
Masoud