ACL help

kartik.shah1
Level 1

Hi,

I have two Cisco 3750 Catalyst switches running in a stack. Here I have VLAN 15 for management and VLAN 16 for servers. I have user VLANs 201, 202, 203 & 205. Inter-VLAN routing is enabled on the Cisco switch. Now all users can access my servers and other management devices, as inter-VLAN routing is enabled. Can anyone guide me on how I can add an access control list to deny access to VLAN 15 & 16?

Regards,

4 Replies

Mark Malone
VIP Alumni

Hi. This is just an example; you can block the subnets on the VLAN interfaces from speaking to each other.

Block each subnet in and out but allow everything else, and add it to each VLAN you require:

ip access-list extended VLANACL
 ! vlan 201 not to speak to 202
 10 deny ip 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255
 ! vlan 202 not to speak to 201
 20 deny ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
 30 permit ip any any
!
interface vlan 201
 ip access-group VLANACL in
 ip access-group VLANACL out
!
interface vlan 202
 ip access-group VLANACL in
 ip access-group VLANACL out

Hi Mark Malone,

Thank you for the support!

I have not configured an interface VLAN for VLANs 201, 202 & 203. The thing is that users in VLANs 201, 202 & 203 should not get access to VLAN 15 & VLAN 16.

Regards,

Hi

So where do the VLANs break out if there is no SVI? Is it through sub-interfaces on the router side?

If you're going to stop VLANs speaking to each other by IP, it needs to be done at the SVI VLAN interface/sub-interface, as it's an IP-based interface. If you don't have VLAN interfaces and you're trying to block at layer 2, you would need to block by MACs with a MAC ACL or a VLAN ACL, if supported.

Or using private VLANs to stop them speaking to each other is another option:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_50_se/configuration/guide/scg/swpvlan.pdf

A VACL, if your device supports it, may work for you, but not all platforms support it:

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_vlanacls.pdf
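To see what the SVI ACL approach from the replies above actually does, here is an added example (not from the thread or from Cisco): a small Python evaluator for IOS-style extended ACL lines, run against constructed subnets for the asker's VLANs. The thread gives no addresses, so the 192.168.x.0/24 subnets are assumptions; the code shows wildcard-mask matching, first-match ordering and the implicit deny at the end of every ACL.

```python
import ipaddress

# Constructed example subnets (assumptions, the thread gives none):
# VLAN 15 = 192.168.15.0/24 (management), VLAN 16 = 192.168.16.0/24 (servers),
# VLANs 201-203 = 192.168.201-203.0/24, VLAN 205 = 192.168.205.0/24 (users).
# ACL as it would be applied "in" on the user SVIs: users may not reach
# VLAN 15 or 16, everything else is allowed. 0.0.3.255 covers 192.168.200-203.
USER_ACL = """
10 deny ip 192.168.200.0 0.0.3.255 192.168.15.0 0.0.0.255
20 deny ip 192.168.200.0 0.0.3.255 192.168.16.0 0.0.0.255
30 deny ip 192.168.205.0 0.0.0.255 192.168.15.0 0.0.0.255
40 deny ip 192.168.205.0 0.0.0.255 192.168.16.0 0.0.0.255
50 permit ip any any
"""

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def _take_addr(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD); return (net, wc, next)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2

def parse_acl(text):
    """Parse 'seq action proto src dst' lines into entries sorted by sequence."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        seq, action, proto = int(t[0]), t[1], t[2]
        src, src_wc, i = _take_addr(t, 3)
        dst, dst_wc, _ = _take_addr(t, i)
        entries.append((seq, action, proto, src, src_wc, dst, dst_wc))
    return sorted(entries)

def evaluate(entries, src, dst, proto="ip"):
    """First matching entry wins; no match falls through to the implicit deny."""
    for _, action, eproto, s, s_wc, d, d_wc in entries:
        if eproto in ("ip", proto) and wildcard_match(src, s, s_wc) \
                and wildcard_match(dst, d, d_wc):
            return action
    return "deny"  # implicit deny at the end of every Cisco ACL

if __name__ == "__main__":
    acl = parse_acl(USER_ACL)
    for dst in ("192.168.15.5", "192.168.16.20", "8.8.8.8"):
        print("192.168.202.10 ->", dst, evaluate(acl, "192.168.202.10", dst))
```

Note that the ACL only works where the user traffic is routed through an SVI that carries it, which is exactly the problem the asker raises next: with PPPoE-assigned addresses there is no switch SVI in the path to apply it to.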

Hi Mark Malone,

The scenario is that VLANs 201, 202, 203 are individually connected to a PPPoE server.

Users are getting PPPoE IPs from this. So is there any other way we can use an access list?

Regards,
