Re: Block Intervlan communication except one specific IP/host

sajidkk2013 · ‎11-07-2019

Hello Mates,

Here in ACL, I permitted one host and then deny all subnets from this, which didnt work for me. I believe there is eomthing i need to do more.

Vlan 10 = 192.168.10.0/24

vlan 20 = 192.168.20.0/24

vlan 30 = 192.168.30.0/24

Extended IP access list TEST

10 deny ip any 192.168.30.0 0.0.0.255 (5 match(es))

20 permit ip host 192.168.20.2 host 192.168.10.2 <<<<<here it tried one source host and one destination host to communicate to each other but all others will block>>>>>>>>>>>

30 deny ip any 192.168.20.0 0.0.0.255 (29 match(es))

40 permit ip any any (151 match(es))

Mean to say how can I deny all ip's from one subnet except one so that device can communicate to another specific computer.

Thanks in Advance.

Jon Marshall · ‎11-07-2019

Where are you applying the acl ?

Jon

sajidkk2013 · ‎11-09-2019

Hello,

I am applying at int vlan 10.

so vlan 20 and vlan 30 will not communicate with vlan 10

But my target is to allow one specific to communicate.

thanks

Richard Burts · ‎11-10-2019

@Jon Marshall asks one important question which is about where the ACL is applied. The other important question is about which direction the ACL is applied (is it applied inbound or applied outbound).

It seems to me that there is confusion in your ACL about the direction it is to be applied:

- your 2 deny statements seem to assume that the ACL would be applied inbound since the denied networks are destination addresses and are remote from the connected interface vlan 10.

- But the permit statement seems to assume that the ACL would be applied outbound since the permitted local address is the destination address.

HTH

Rick

HTH

Rick