04-08-2018 07:05 AM - edited 03-08-2019 02:34 PM
I have an L3 Switch 3850 with 12 vlans, namely vlan1, vlan2...vlan11, vlan12.
I want unrestricted access among the first 10 vlans (vlan1 to vlan10). I will not define any ACL for these vlans.
Vlan 11 and vlan12 should communicate with each other but these two vlans should not communicate with vlan1 to vlan10 (10 vlans).
How can I define the ACL's to achieve the above objective?
04-08-2018 09:00 AM
Hello,
the below should work (the additional lines in bold are added for Internet access; if you don't need Internet access, don't configure the lines in bold):
access-list 111 permit ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 111 permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 111 deny ip 192.168.11.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 111 deny ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 111 deny ip 192.168.0.0 0.0.255.255 192.168.11.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.255.255 192.168.12.0 0.0.0.255
access-list 111 permit ip any any
interface Vlan 11
ip address 192.168.11.1 255.255.255.0
ip access-group 111 in
interface Vlan 12
ip address 192.168.12.1 255.255.255.0
ip access-group 111 in
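To sanity-check the policy above offline, here is an added Python example (not from the thread or from Cisco): a small first-match evaluator for wildcard-mask ACL entries, run against a constructed copy of ACL 111 with the wildcard masks written out in full. It handles only the `ip` entries used in this thread (no protocol or port matching) and models the implicit deny at the end of every IOS ACL.

```python
import ipaddress

# Constructed copy of the thread's ACL 111 (wildcard masks written in full).
ACL_111 = """
permit ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
deny ip 192.168.11.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 192.168.0.0 0.0.255.255 192.168.11.0 0.0.0.255
deny ip 192.168.0.0 0.0.255.255 192.168.12.0 0.0.0.255
permit ip any any
"""

def _parse_match(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'.
    Returns (base address as int, wildcard as int, remaining tokens)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return base, wildcard, tokens[2:]

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' lines into tuples, preserving order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens[0], tokens[1]  # proto is kept but only 'ip' is modelled
        src, src_wc, rest = _parse_match(tokens[2:])
        dst, dst_wc, rest = _parse_match(rest)
        entries.append((action, proto, src, src_wc, dst, dst_wc))
    return entries

def _wc_match(addr, base, wildcard):
    # Cisco wildcard: a 1 bit means "don't care", so compare only the 0 bits.
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; if nothing matches, the implicit deny applies."""
    for action, _proto, src, src_wc, dst, dst_wc in entries:
        if _wc_match(src_ip, src, src_wc) and _wc_match(dst_ip, dst, dst_wc):
            return action
    return "deny"  # implicit 'deny ip any any' at the end of every IOS ACL

if __name__ == "__main__":
    acl = parse_acl(ACL_111)
    for flow in [("192.168.11.10", "192.168.12.20"), ("192.168.11.10", "192.168.1.5"),
                 ("192.168.11.10", "8.8.8.8")]:
        print(flow, "->", evaluate(acl, *flow))
```

Each flow is checked as it would be seen inbound on the SVI, i.e. with the source in vlan 11 or 12, which is the direction the ACL is applied in.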
04-11-2018 07:01 AM
Assuming 192.168.11.0 belongs to vlan 11 and 192.168.12.0 belongs to vlan 12, can I achieve this using the following ACL?
access-list 111 permit ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 111 deny ip any any
access-list 112 permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 112 deny ip any any
interface Vlan 11
ip address 192.168.11.1 255.255.255.0
ip access-group 111 in
interface Vlan 12
ip address 192.168.12.1 255.255.255.0
ip access-group 112 in
04-08-2018 09:02 AM
The SVIs for 11 and 12 need to have an inbound ACL to allow communication between them and deny communication to vlan 1-10.
HTH
04-14-2018 02:24 AM
That means I need to define ACLs in both the ingress and egress directions?
Please share an example ACL for an SVI on an L3 switch.
04-16-2018 06:12 AM
I need to make a more restrictive ACL. Consider, for example, host A in vlan 200 and host B in vlan 100, where I want to allow HTTP from host A to host B. Is the following ACL setup right?
ip access-list extended VLAN-200-IN
permit tcp host A host B eq www
deny ip any any
ip access-list extended VLAN-200-OUT
permit tcp host B eq www host A gt 1024
deny ip any any
interface Vlan200
ip access-group VLAN-200-IN in
ip access-group VLAN-200-OUT out