access and deny different VLANs

piyush.mishra61
Level 1

Hi,

I have a Cisco 4507.

There are different VLANs for different departments/networks,

e.g. 101 for a, 102 for b, 103 for c, 104 for s, 105 for t.

The IP address of VLAN 105 is 172.16.0.1 255.255.0.0.

The IP address of VLAN 104 is 10.1.0.1 255.255.255.240.

My requirements are:

1. I don't want to give access to VLAN 104 from VLAN 105,

2. but I need some specific end users in VLAN 105 to access VLAN 104.

If it's possible, kindly give the syntax.

Accepted Solution

Hello,

! Hosts in VLAN 105 that are allowed to reach VLAN 104 (10.1.0.0/28);
! replace these three with the real user addresses
access-list 110 permit ip host 172.16.0.1 10.1.0.0 0.0.0.15
access-list 110 permit ip host 172.16.0.2 10.1.0.0 0.0.0.15
access-list 110 permit ip host 172.16.0.3 10.1.0.0 0.0.0.15
! Everyone else in VLAN 105 (172.16.0.0/16) is denied to 10.1.0.0/28.
! The destination must be 10.1.0.0 (the VLAN 104 subnet), not 10.0.1.0:
! with the wrong subnet this line never matches and the final permit
! lets all of VLAN 105 through.
access-list 110 deny ip 172.16.0.0 0.0.255.255 10.1.0.0 0.0.0.15
! Traffic from the other VLANs to VLAN 104 is still allowed
access-list 110 permit ip any any

interface Vlan104
 ip access-group 110 out
! "out" on the Vlan104 SVI filters packets leaving the router toward the
! VLAN 104 hosts; "in" on this SVI only matches packets sourced by hosts
! inside VLAN 104, so it would never see the 172.16.x.x traffic.

Masoud

Thanks Masoud, your answer helped me out.

Thanks to all of you for giving your feedback.

You are welcome. I am happy it worked for you.

Masoud

Hello

Try this:

Edited - I interpreted the OP's traffic the wrong way around, which was highlighted to me by Masoud, so the changes are in bold.

Example:
Denying VLAN 105 access to VLAN 104
Allowing VLAN 104 to access VLAN 105
----------------------------------------------------


vlan 105 = 172.16.0.1/24
vlan 104 = 10.0.1.0/28

ip access-list extended Stan_acl
 ! "established" matches any TCP segment with the ACK or RST bit set;
 ! it is a flag check, not a stateful session table
 permit tcp 172.16.0.0 0.0.0.255 any established
 deny tcp 172.16.0.0 0.0.0.255 any
 ! non-TCP traffic (UDP, ICMP, ...) from VLAN 105 still matches this line
 permit ip any any


interface Vlan104
 ip access-group Stan_acl out

SVI logic -
------------------
IN = from within the VLAN going outside
OUT = outside going into the VLAN


Res,
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
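The three points argued in this thread (a wildcard-mask deny line that silently never matches, what the `established` keyword really checks, and which side of which SVI an ACL has to sit on to see VLAN 105 to VLAN 104 traffic) are easier to see in a small model than in prose. The block below is an added example written for this page; it is not code from the thread or from Cisco. It re-implements first-match extended ACL evaluation with Cisco wildcard masks and the implicit deny, feeds it the ACL 110 text exactly as posted above (deny line on 10.0.1.0) next to a corrected copy, and runs Paul's Stan_acl against a TCP SYN, a bare ACK and a UDP packet. The router model is a simplification (two SVIs, no ports, no ICMP types, no VACLs); the addresses 172.16.5.77, 172.16.0.50, 10.1.0.5, 10.0.1.5 and the "other VLAN" host 192.0.2.10 are constructed test values, not from the question.

```python
"""Added example: model of Cisco extended IP ACL evaluation and SVI in/out
checkpoints. Not from the thread; all packets and addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"                   # "ip" here means "any protocol"
    tcp_flags: frozenset = frozenset()  # e.g. frozenset({"SYN"}) or {"ACK"}


@dataclass(frozen=True)
class Entry:
    action: str
    proto: str
    src: tuple        # (base address, wildcard mask)
    dst: tuple
    established: bool


def _wild_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF
    return a & keep == b & keep


def _take_addr(tok):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' from a token list."""
    t = tok.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    if t == "host":
        return (tok.pop(0), "0.0.0.0")
    return (t, tok.pop(0))


def parse_acl(lines):
    """Parse numbered ('access-list N ...') or named-ACL entry lines."""
    entries = []
    for line in lines:
        tok = line.split("!")[0].lower().split()  # drop IOS '!' comments
        if not tok:
            continue
        if tok[0] == "access-list":
            tok = tok[2:]                          # drop 'access-list 110'
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, dst = _take_addr(rest), _take_addr(rest)
        entries.append(Entry(action, proto, src, dst, "established" in rest))
    return entries


def evaluate(entries, pkt):
    """First matching entry decides; every ACL ends with an implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_wild_match(pkt.src, *e.src) and _wild_match(pkt.dst, *e.dst)):
            continue
        # 'established' is only a flag test (ACK or RST set), not a session table
        if e.established and not (pkt.tcp_flags & {"ACK", "RST"}):
            continue
        return e.action
    return "deny"


# ACL 110 as posted: VLAN 104 is 10.1.0.0/28, but the deny line says 10.0.1.0
POSTED_ACL_110 = [
    "access-list 110 permit ip 172.16.0.1 0.0.0.0 10.1.0.0 0.0.0.15",
    "access-list 110 permit ip 172.16.0.2 0.0.0.0 10.1.0.0 0.0.0.15",
    "access-list 110 permit ip 172.16.0.3 0.0.0.0 10.1.0.0 0.0.0.15",
    "access-list 110 deny ip 172.16.0.0 0.0.255.255 10.0.1.0 0.0.0.15",
    "access-list 110 permit ip any any",
]
FIXED_ACL_110 = [l.replace("10.0.1.0", "10.1.0.0") for l in POSTED_ACL_110]


def acl110_results(lines):
    acl = parse_acl(lines)
    return {
        "allowed_user": evaluate(acl, Packet("172.16.0.2", "10.1.0.5")),
        "other_user":   evaluate(acl, Packet("172.16.5.77", "10.1.0.5")),
        "other_vlan":   evaluate(acl, Packet("192.0.2.10", "10.1.0.5")),  # constructed
    }


# Paul's Stan_acl (his numbering: VLAN 105 = 172.16.0.0/24, VLAN 104 = 10.0.1.0/28)
STAN_ACL = [
    "permit tcp 172.16.0.0 0.0.0.255 any established",
    "deny tcp 172.16.0.0 0.0.0.255 any",
    "permit ip any any",
]


def stan_acl_results():
    acl = parse_acl(STAN_ACL)
    host, srv = "172.16.0.50", "10.0.1.5"
    return {
        "tcp_syn": evaluate(acl, Packet(host, srv, "tcp", frozenset({"SYN"}))),
        "tcp_ack": evaluate(acl, Packet(host, srv, "tcp", frozenset({"ACK"}))),  # forged ACK
        "udp":     evaluate(acl, Packet(host, srv, "udp")),
    }


SVIS = {"Vlan105": "172.16.0.0/16", "Vlan104": "10.1.0.0/28"}


def checkpoints(pkt, svis=SVIS):
    """(interface, direction) pairs at which an ACL can see a routed packet:
    'in' on the SVI it arrives from, 'out' on the SVI it leaves through."""
    def svi_for(ip):
        return next(n for n, net in svis.items()
                    if ipaddress.ip_address(ip) in ipaddress.ip_network(net))
    return [(svi_for(pkt.src), "in"), (svi_for(pkt.dst), "out")]


def acl_sees(iface, direction, pkt):
    return (iface, direction) in checkpoints(pkt)
```

Running `acl110_results` on the posted text returns `permit` for the unlisted VLAN 105 host, because the deny line's destination never matches 10.1.0.x and evaluation falls through to `permit ip any any`; the corrected copy returns `deny`. `stan_acl_results` shows the other caveat: a SYN from VLAN 105 is dropped, but a segment with only ACK set is permitted, and UDP is never examined by the two TCP lines at all. `checkpoints` makes the in/out question concrete: a 172.16.0.2 to 10.1.0.5 packet is visible to an ACL bound `in` on Vlan105 or `out` on Vlan104, never to one bound `in` on Vlan104.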

Hello Paul,

Please take a closer look at your answer. I know the question is a little confusing.

The question is some users from vlan 105 to 104. Yours is some users from vlan 104.

Best,

Masoud

Hello Masoud, lol, you're correct.

I guess my misinterpretation of the OP strikes again!
Although the concept is applicable, I guess it needs to be amended.

Cheers for highlighting this.

Much appreciated

Res,
Paul


I did not want to be pedantic. I had a hard time interpreting it as well.

Best,

Masoud

Hello

None taken.

As I have added the ACL logic for these SVIs:

IN = from within the VLAN going outside
OUT = outside going into the VLAN

So given my posting and the ACL logic:

 - permit any return TCP traffic from VLAN 105 initiated from VLAN 104
 - deny anything else from VLAN 105
 - allow access to anything else to/from VLAN 104

Hope this clears things up.

Res,

Paul


I think the problem is still a misinterpretation of the question.

You supposed this:

Denying VLAN 105 access to VLAN 104
Allowing VLAN 104 to access VLAN 105

while it should be this:

allowing only some users from VLAN 105 to 104 [question 2]

denying the rest of the users from VLAN 105 to 104 [question 1]

allowing other VLANs to access VLAN 104

Masoud

Hello Masoud

That is correct, but what I was showing was mainly the concept of the SVI logic and a generic way of prohibiting access one way to/from a VLAN.

If the OP understands that, then they can easily amend the ACL to allow whatever access they desire.

Res,
Paul


I think "out" should be "in". The 172.16.0.0 addresses are coming from VLAN 105 to VLAN 104. "Out" means outgoing traffic from 104. We need to filter incoming traffic.

interface Vlan104
 ip access-group Stan_acl in   (changed from "out" to "in")

Res,

Masoud
