Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
763
Views
1
Helpful
8
Replies

ACLs

RaymondBui97693
Level 1
Level 1

‎07-12-2023 07:25 AM

I am trying to lock down some VLANs on a Cisco Cataylst 3850 with IOS XE 16.12.9 Gibraltar

I need vlan 101 to talk to 102 and 103 and get out to the internet

I need 103 to only talk to 101 and 102 with no internet

I tried to apply this ACL to 103 but can still ping everything

ip access-list extended 103
permit ip any 192.168.101.0 0.0.0.255
permit ip any 192.168.102.0 0.0.0.255
deny ip any any

interface vlan 103
ip access group 103 in
Labels:
8 Replies 8

MHM Cisco World
VIP
VIP

‎07-12-2023 08:21 AM 

ip access-list extended 103
permit ip any 192.168.101.0 0.0.0.255
permit ip any 192.168.102.0 0.0.0.255
deny ip any any

interface vlan 103
ip access group 103 OUT
0 Helpful

M02@rt37
VIP
VIP

‎07-12-2023 08:27 AM

hello @RaymondBui97693,

ip access-list extended 101
permit ip any any

ip access-list extended 103
permit ip 192.168.101.0 0.0.0.255 any
permit ip 192.168.102.0 0.0.0.255 any
deny ip any any

interface Vlan101
ip access-group 101 in

interface Vlan103
ip access-group 103 in

 

With this configuration, VLAN 101 has unrestricted access to communicate with VLANs 102 and 103, as well as access to the internet. On the other hand, VLAN 103 is limited to communication with VLANs 101 and 102 but does not have internet access.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame

‎07-12-2023 10:57 AM - edited ‎07-12-2023 11:35 AM

There is nothing wrong with your configuration ie. it should work because the acl is correct and is applied in the correct direction. 

Is there any other path the clients could take to get to the internet,  are you running HSRP etc. ? 

Jon

0 Helpful

RaymondBui97693
Level 1
Level 1
In response to Jon Marshall

‎07-18-2023 06:11 AM

Jon:

All our sites are connected via SD-WAN. 

0 Helpful

johnlloyd_13
Level 9
Level 9

‎07-12-2023 03:41 PM

hi,

you can try using private VLAN config.

0 Helpful

RaymondBui97693
Level 1
Level 1

‎07-13-2023 07:01 AM

Is there a way to block ping to all the vlans. We want to confirm that there is no communication via ping. 

0 Helpful

MHM Cisco World
VIP
VIP
In response to RaymondBui97693

‎07-13-2023 07:10 AM

meaning between all VLAN ? 
if yes 
vlan x
ip add x.x.x.x 
ip access-group icmp IN

ip access-list icmp

deny icmp x.x.x.x any 
permit ip any any 

that it 

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to RaymondBui97693

‎07-13-2023 07:11 AM - edited ‎07-13-2023 07:13 AM

If you want to block ping  from 192.168.103.x to 192.168.101.x and 192.168.102.x add these lines at the top of your 103 acl - 

deny icmp any 192.168.101.x echo 
deny icmp any 192.168.102.x echo

as I said previously your configuration is correct so something else is happening here.

Jon

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card