Block traffic for single vlan

SShaikh319 (Level 1)

Hello,

I have one Cisco L3 switch with the following configuration:

vlan 2: 192.168.2.1

vlan 3: 192.168.3.1

vlan 4: 192.168.4.1

I want to disable port2 from accessing vlan 3 only, but still access vlan 2 and 4.

Kindly advise.

Accepted Solutions

balaji.bandi (Hall of Fame)

IN = Traffic originating from within the vlan interface
OUT = Traffic coming from outside vlan interface

 

Example: you can do as below (if you are looking to log for verification that all is working, add log at the end of the rule):

ip access-list extended VLAN2
 ! wildcard 0.0.0.255 covers the whole /24 (0.255.255.255 would match any 192.x.x.x source)
 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip any any

interface vlan 2
 ! an ACL is bound to an interface with ip access-group (ip access-list is the global definition command)
 ip access-group VLAN2 in

 

BB


- If you want to disable a port, first add that port to a VLAN. Let's say you added port 2 to VLAN 5 : 192.168.5.1 (you can add the port to a new VLAN or to any existing VLAN, as per your requirement).

int f0/2
 switchport mode access
 switchport access vlan 5

Now the port is added to VLAN 5.

Now we can use an ACL to block VLAN 5 from accessing VLAN 3 while it is still allowed to access VLAN 2 and VLAN 4:

ip access-list extended deny_VLAN
 ! this entry denies VLAN 5 (containing port 2) from accessing VLAN 3;
 ! the wildcard is 0.0.0.255 for a /24 (0.255.255.255 would cover every 192.x.x.x source)
 deny ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
 ! all other VLANs remain accessible
 permit ip any any

int vlan 5
 ! apply the ACL on the SVI, inbound from the VLAN 5 hosts
 ip access-group deny_VLAN in

 

Spooster IT Services Team

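As an added, runnable check that is not from this thread or from Cisco: a small Python evaluator of Cisco extended-ACL wildcard semantics, dry-running the deny_VLAN list from the answers above against three constructed flows entering interface vlan 5. Helper names (wildcard_match, parse_acl, evaluate, check_flows) are hypothetical; it also shows why the source wildcard must be 0.0.0.255 rather than 0.255.255.255.

```python
import ipaddress

# Constructed example, not code from the thread or from Cisco: a minimal evaluator for
# Cisco extended-ACL wildcard semantics; helper names below are hypothetical.
def wildcard_match(addr, network, wildcard):
    """Cisco wildcard: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def _operand(tokens):
    # consume one source/destination operand: 'any', 'host A' or 'NET WILDCARD'
    kw = tokens.pop(0)
    if kw == "any":
        return ("0.0.0.0", "255.255.255.255")
    if kw == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (kw, tokens.pop(0))

def parse_acl(text):
    """Return [(action, (src_net, src_wc), (dst_net, dst_wc)), ...] in list order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # header line, '!' comment or blank
        action, rest = tokens[0], tokens[2:]  # tokens[1] is the protocol; only 'ip' is modelled
        entries.append((action, _operand(rest), _operand(rest)))
    return entries

def evaluate(entries, src, dst):
    """First matching ACE wins; every Cisco ACL ends with an implicit deny."""
    for action, (sn, sw), (dn, dw) in entries:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"

DENY_VLAN_ACL = """
ip access-list extended deny_VLAN
 ! 0.0.0.255 = the whole /24; 0.255.255.255 would match any 192.x.x.x address
 deny ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip any any
"""

def check_flows(acl_text=DENY_VLAN_ACL):
    # three constructed host-to-host flows as they enter interface vlan 5 (direction in):
    # VLAN 5 -> VLAN 3 should be denied, VLAN 5 -> VLAN 2 and VLAN 5 -> VLAN 4 permitted
    entries = parse_acl(acl_text)
    flows = [("192.168.5.10", "192.168.3.20"), ("192.168.5.10", "192.168.2.20"), ("192.168.5.10", "192.168.4.20")]
    return {f: evaluate(entries, *f) for f in flows}
```

Call check_flows() to get the verdict per flow; note the list is stateless, so it filters only packets entering the SVI from VLAN 5 hosts, not packets that VLAN 3 hosts send towards VLAN 5.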

4 Replies


I want to disable port2 to access vlan 3 only.  but access vlan 2 and 4.

After another look: are you asking about port2 (or is this to be read as vlan 2?)

BB


port2 must first be assigned to a VLAN, and then you use an ACL under that VLAN (direction IN) to filter which VLANs it can access and which it cannot.
