Access list for VLAN blocking

Hi,

I need to set up an ACL for VLAN blocking. I have configured VLAN 10 and VLAN 20. My requirement is that VLAN 10 should not communicate with VLAN 20, but VLAN 20 should be able to communicate with VLAN 10.

I have created an extended access list like this and applied it on the VLAN 10 interface, but it is blocking both ways; I can't ping from VLAN 20 to VLAN 10.

Extended IP access list VLAN_10
10 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
20 permit ip any any

ip access-group VLAN_10 in

Looking forward...

Francesco Molino
VIP Alumni
Hi,

You can't do that using only simple extended ACLs, as you'll end up with broken communication.
You can achieve it using ZBF features or a reflexive ACL.
I'll drop you a good document explaining how it works (very simple):
http://packetlife.net/blog/2008/nov/25/reflexive-access-lists/

Take a look and let me know if you have issues or need assistance to build the ACLs.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question.


Francesco Molino wrote:

You can't do that using only simple extended ACLs, as you'll end up with broken communication.
You can achieve it using ZBF features or a reflexive ACL.
I'll drop you a good document explaining how it works (very simple):
http://packetlife.net/blog/2008/nov/25/reflexive-access-lists/

Take a look and let me know if you have issues or need assistance to build the ACLs.


Hello

You can do this, but you need to allow established traffic initiated from VLAN 10 towards VLAN 20 to return.

ip access-list extended STAN
permit tcp 192.168.20.0 0.0.0.255 any established
deny tcp 192.168.20.0 0.0.0.255 any
permit ip any any

int vlan 10
ip access-group STAN out

Res,
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi

Yes, you're right, but that works only for TCP, and I didn't propose that solution because I was taking UDP traffic into account as well.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question.

Hi Paul,

Thanks, now it's working. This is the ACL I have just written.

Does it block my UDP connections?

Extended IP access list BLOCK
10 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 established
20 permit icmp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 echo-reply
30 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
40 permit ip any any

Vlan 20
ip access-group BLOCK in
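The thread's ACLs can be checked offline. The following is an added example, not code from the thread or from Cisco: a small evaluator for Cisco-style extended ACL entries (wildcard masks, `any`/`host`, `established`, ICMP type keywords) that replays the original VLAN_10 list and the later BLOCK list against constructed packets. It shows why the first list broke pings from VLAN 20 (the echo reply from VLAN 10 enters Vlan10 inbound and hits the deny), and why BLOCK only lets TCP return traffic through: `established` matches TCP flags, so a UDP reply from VLAN 20 to VLAN 10 falls to the deny entry, which is the point made about UDP above. Host addresses are constructed for the demo.

```python
"""Cisco-style extended ACL evaluator (added example, not from the thread).

Models wildcard-mask matching, 'any'/'host', the 'established' keyword and
ICMP type keywords; nothing else from IOS ACL syntax is modelled."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str            # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    ack: bool = False     # TCP with ACK or RST set -> matches 'established'
    icmp_type: str = ""   # 'echo', 'echo-reply', ...


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _parse_addr(tokens, i):
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(line):
    """Parse one access-list entry, with or without a leading sequence number."""
    t = line.split()
    if t[0].isdigit():
        t = t[1:]
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "opts": t[i:]}


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, *ace["src"]) and wildcard_match(pkt.dst, *ace["dst"])):
        return False
    # 'established' is a TCP-flag check; it never matches UDP or ICMP.
    if "established" in ace["opts"] and not (pkt.proto == "tcp" and pkt.ack):
        return False
    icmp_types = [o for o in ace["opts"] if o != "established"]
    if ace["proto"] == "icmp" and icmp_types and pkt.icmp_type not in icmp_types:
        return False
    return True


def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


# ACLs from the thread.  VLAN_10 was applied inbound on interface Vlan10 and
# BLOCK inbound on interface Vlan20, so each list only sees packets entering
# the router from that VLAN.
VLAN_10 = [
    "10 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255",
    "20 permit ip any any",
]
BLOCK = [
    "10 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 established",
    "20 permit icmp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 echo-reply",
    "30 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "40 permit ip any any",
]

H10, H20 = "192.168.10.5", "192.168.20.5"   # constructed host addresses


def original_acl_breaks_ping_from_vlan20():
    """The echo reply from VLAN 10 enters Vlan10 inbound and hits the deny."""
    reply = Packet("icmp", H10, H20, icmp_type="echo-reply")
    return evaluate(VLAN_10, reply)


def block_acl_results():
    """What BLOCK does to traffic entering from VLAN 20 towards VLAN 10."""
    return {
        "tcp_syn": evaluate(BLOCK, Packet("tcp", H20, H10)),
        "tcp_return": evaluate(BLOCK, Packet("tcp", H20, H10, ack=True)),
        "echo_request": evaluate(BLOCK, Packet("icmp", H20, H10, icmp_type="echo")),
        "echo_reply": evaluate(BLOCK, Packet("icmp", H20, H10, icmp_type="echo-reply")),
        "udp_reply": evaluate(BLOCK, Packet("udp", H20, H10)),
        "to_other_net": evaluate(BLOCK, Packet("udp", H20, "10.0.0.5")),
    }


if __name__ == "__main__":
    print("VLAN_10 on echo-reply 10->20:", original_acl_breaks_ping_from_vlan20())
    for name, verdict in block_acl_results().items():
        print(f"BLOCK {name:>12}: {verdict}")
```

The `udp_reply` case is the answer to the UDP question: a DNS or NTP answer coming back from a VLAN 20 server to a VLAN 10 client has no TCP flags for `established` to match, so it is dropped by entry 30, while the TCP return and the ICMP echo reply are permitted.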

Hi Paul,

I checked the solution as you said, but it's not working; it allows two-way IP communication.