11-22-2022 04:12 AM - edited 11-22-2022 04:22 AM
Hello,
I have one Cisco L3 switch with the following configuration:
vlan 2: 192.168.2.1
vlan 3: 192.168.3.1
vlan 4: 192.168.4.1
I want to block port2 from accessing vlan 3 only, but still allow it to access vlan 2 and 4.
Kindly advise.
11-22-2022 04:24 AM
IN = Traffic originating from within the VLAN interface
OUT = Traffic coming from outside the VLAN interface
Example: you can do as below (if you are looking to log for verification that it is all working, add log at the end of the rule)
ip access-list extended VLAN2
 ! source wildcard 0.0.0.255 covers the 192.168.2.0/24 subnet only
 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip any any
interface vlan 2
 ! ip access-group applies the ACL inbound on the SVI
 ip access-group VLAN2 in
11-23-2022 04:27 AM
- If you want to disable a port then first add that port to a VLAN. Let's say you added port 2 to VLAN 5: 192.168.5.1 (you can add the port to a new VLAN or to any existing VLAN as per your requirement).
int f0/2
 switchport mode access
 switchport access vlan 5
Now the port is added to VLAN 5.
Now we can use an ACL to block VLAN 5 from accessing VLAN 3, while it will still be allowed to access VLAN 2 and VLAN 4:
ip access-list extended deny_VLAN
 ! this entry denies VLAN 5 (containing port2) from accessing VLAN 3; wildcard 0.0.0.255 limits the source to 192.168.5.0/24
 deny ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
 ! all other VLANs remain accessible
 permit ip any any
int vlan 5
 ! calling the ACL inbound on the interface
 ip access-group deny_VLAN in
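To check what the VLAN2 and deny_VLAN ACLs in the answers above actually match before applying them, here is an added Python model of IOS wildcard-mask matching and first-match ACL evaluation. It is example code written for this page, not code from the thread or from Cisco; it assumes the VLAN addressing given in the answers and uses constructed host addresses. The `mask_scope` helper also shows why the source wildcard has to be 0.0.0.255 rather than 0.255.255.255: the latter accepts every address in 192.0.0.0/8, far more than the one VLAN the entry is meant to cover.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Added example: a small model of Cisco IOS extended-ACL matching, used to
# check the intent of the thread's ACLs offline. It is not Cisco code. It
# models only "permit|deny ip <src> <dst>" entries (with "any", "host" or
# "<network> <wildcard>" operands) plus the implicit "deny ip any any" that
# terminates every IOS ACL.


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    src: str      # source network
    src_wc: str   # source wildcard mask
    dst: str      # destination network
    dst_wc: str   # destination wildcard mask


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr)) & care
    n = int(ipaddress.IPv4Address(network)) & care
    return a == n


def _operand(tokens: List[str]) -> Tuple[str, str]:
    """Consume one address operand and return (network, wildcard)."""
    word = tokens.pop(0)
    if word == "any":
        return "0.0.0.0", "255.255.255.255"
    if word == "host":
        return tokens.pop(0), "0.0.0.0"
    return word, tokens.pop(0)


def parse_acl(text: str) -> List[Ace]:
    """Parse the body of an 'ip access-list extended' block; non-IP lines are ignored."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue
        rest = tokens[2:]
        src, src_wc = _operand(rest)
        dst, dst_wc = _operand(rest)
        aces.append(Ace(tokens[0], src, src_wc, dst, dst_wc))
    return aces


def evaluate(aces: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; no match means the implicit deny."""
    for ace in aces:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


def mask_scope(wildcard: str) -> int:
    """Number of addresses a wildcard mask accepts (2 ** number of 'don't care' bits)."""
    return 2 ** bin(int(ipaddress.IPv4Address(wildcard))).count("1")


# The deny_VLAN ACL from the accepted answer, with a /24 source wildcard.
DENY_VLAN_ACL = """
deny ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip any any
"""


def check_policy(acl_text: str = DENY_VLAN_ACL) -> dict:
    """Evaluate a constructed VLAN 5 host against addresses in VLANs 2, 3 and 4."""
    aces = parse_acl(acl_text)
    host = "192.168.5.10"  # constructed: a host behind port 2 in VLAN 5
    return {
        "to_vlan2": evaluate(aces, host, "192.168.2.1"),
        "to_vlan3": evaluate(aces, host, "192.168.3.25"),
        "to_vlan4": evaluate(aces, host, "192.168.4.7"),
    }


if __name__ == "__main__":
    print(check_policy())
    print("0.0.0.255 covers", mask_scope("0.0.0.255"), "addresses;",
          "0.255.255.255 covers", mask_scope("0.255.255.255"))
```

Run it as-is and `check_policy()` returns deny for VLAN 3 and permit for VLANs 2 and 4, which is the behaviour the answers describe. The model applies the ACL as the SVI does with `in`: only packets whose source is in the VLAN's own subnet reach it, so a broader mask than 0.0.0.255 does not change the outcome on this switch, but it would silently widen the entry if the same ACL were later reused on a trunk or routed interface.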
11-22-2022 05:41 AM
I want to disable port2 to access vlan 3 only. but access vlan 2 and 4.
After another look - are you asking about port2 (or is this to be read as vlan 2?)
11-22-2022 04:26 AM
port2 must first be assigned to a VLAN, and then you use an ACL under the VLAN in direction IN to filter which VLANs can be accessed and which cannot.