ACL question

raoul2341
Level 1

Hello

I am having a go at configuring an ACL. The requirements are:

- I use a layer 3 switch for routing

- I have 4 Vlans on my network, Vlan1, Vlan2, Vlan3 and Vlan4

- Devices on Vlan4 should not be accessed by any device outside Vlan4, except for one device (e.g. 192.168.4.22) that needs to be accessed by all Vlans

I have created the following extended ACL:

access-list 100 permit ip any 192.168.4.22 0.0.0.0

(deny all will be implicit)

and applied it on interface vlan4:

interface Vlan4
ip access-group 100 in

Does this do the job?

Many thanks

9 Replies

Ganesh Hariharan
VIP Alumni

Hi,

Just change the ACL to the rule below:

access-list 100 permit ip host 192.168.4.22 any

and deny will be implicit when you apply it on the Vlan 4 interface in the in direction.

So with the above ACL only that host can communicate with any network; the rest will be denied.

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

Hi Shelly

I don't seem to have the privileges to access the URLs. Could you please copy and paste the content.

Many thanks

Raoul

Hi Ganesh

I think you misunderstood the requirements. What is needed:

vlan1, vlan2, vlan3 can access ONLY 192.168.4.22 on vlan4. All devices on Vlan4 can communicate with each other.

Thanks

Raoul

Yeah, Private VLANs are what you need for what you are trying to do. I will attach the pdf version.

Try this:

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a008017acad.shtml

or search for :

"Configuring Isolated Private VLANs on Catalyst Switches" on Cisco.com.

Shelley.

Hi Raoul,

For that you need to create a different ACL for vlan 1, vlan 2 and vlan 3, for example:

access-list 101 permit ip any host 192.168.4.22
access-list 101 deny  ip any vlan 4 subnet
access-list 101 permit ip any any

interface vlan 1
ip access-group 101 in

In the same way you can create them for vlan 2 and vlan 3 and apply them in the IN direction. But if you are comfortable with private VLANs, you can also check out the matrix below of private VLAN support on the Cisco switch series:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml

Hope to Help !!

Ganesh.H

Dear Ganesh,

I was following this discussion and analyzing your posts carefully to increase my ACL configuration skills. If you do not mind, until Raoul updates us on whether what you suggested has resolved his problem, I will just review below what I understood from your last post; please update us with your comments:

According to your post, if we applied the following under interface Vlan 1:

access-list 101 permit ip any host 192.168.4.22 ==== Line 1
access-list 101 deny  ip any vlan 4 subnet  ===== Line 2
access-list 101 permit ip any any ==== Line 3

Then the scenarios are as follows:

1 - A host from VLAN 1 trying to communicate with IP address 192.168.4.22 (VLAN 4) will match Line 1 and will be permitted.

2 - A host from VLAN 1 trying to communicate with a host from VLAN 4 (other than 192.168.4.22) will match Line 2 and will be denied.

3 - A host from VLAN 2 trying to communicate with a host from VLAN 2 or VLAN 3 will match Line 3 and will be permitted.

Are the above scenarios right?

Regards

Hi,

You are right: the traffic originating from vlan 1 will hit those lines in the ACL applied in the IN direction on the vlan 1 interface. For point 3, vlan 1 traffic will be permitted to talk to the rest of the VLANs apart from vlan 4, which is denied in the second line.

Hope to Help !!

Ganesh.H

Remember to rate the helpful post
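The first-match evaluation Ganesh confirms above, as an added example that is not code from the thread or from Cisco: a small simulator of ACL 101 applied "in" on interface Vlan1, run over the three scenarios plus the implicit deny and the rule order. The thread only gives the host 192.168.4.22, so the VLAN subnets (192.168.n.0/24) and the expansion of "vlan 4 subnet" are assumptions made here.

```python
# Added example (not from the thread): first-match simulator for the
# extended ACL discussed above. Subnet addressing is assumed.
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")          # IOS keyword 'any'


def host(addr: str) -> IPv4Net:
    """IOS 'host a.b.c.d' keyword, i.e. a /32 (wildcard 0.0.0.0)."""
    return ipaddress.ip_network(f"{addr}/32")


class Ace(NamedTuple):
    action: str   # "permit" or "deny"
    src: IPv4Net
    dst: IPv4Net


# Assumption: VLAN n uses 192.168.n.0/24 (only 192.168.4.22 is from the post).
VLAN_SUBNET = {n: ipaddress.ip_network(f"192.168.{n}.0/24") for n in (1, 2, 3, 4)}

# Ganesh's ACL 101, with "vlan 4 subnet" expanded using the assumption above.
ACL_101 = [
    Ace("permit", ANY, host("192.168.4.22")),   # Line 1
    Ace("deny",   ANY, VLAN_SUBNET[4]),         # Line 2
    Ace("permit", ANY, ANY),                    # Line 3
]


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, matching line). IOS stops at the first matching entry
    and ends every ACL with an implicit 'deny ip any any' (reported as None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line, ace in enumerate(acl, start=1):
        if s in ace.src and d in ace.dst:
            return ace.action, line
    return "deny", None


def svi_inbound_sees(svi_vlan: int, src: str) -> bool:
    """An ACL applied 'in' on interface VlanN only sees packets entering the
    SVI from that VLAN, i.e. packets whose source lies in VLAN N's subnet."""
    return ipaddress.ip_address(src) in VLAN_SUBNET[svi_vlan]


if __name__ == "__main__":
    for src, dst in [("192.168.1.10", "192.168.4.22"),
                     ("192.168.1.10", "192.168.4.50"),
                     ("192.168.1.10", "192.168.2.10")]:
        print(src, "->", dst, evaluate(ACL_101, src, dst))
```

Swapping Line 1 and Line 2 makes the host unreachable, which is why the more specific permit must come first.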
