04-05-2022 09:12 AM
I want to configure GNS3 so that hosts in VLAN 10 are not allowed to access hosts in VLAN 30.
How should I configure that?
Here is my diagram
04-05-2022 09:13 AM
Sorry, maybe you see me posting the same network map too many times. My loved one just passed away so I wasn't in the mood to do my homework, I just wanted to finish it quickly. I can leave it but this is a group exercise so I need to take responsibility for it. So help me if you can. Thanks.
04-05-2022 09:27 AM
You can apply the following configuration to R3 -
access-list 101 deny ip 172.10.55.0 0.0.0.255 172.30.55.0 0.0.0.255
access-list 101 permit ip 172.10.55.0 0.0.0.255 any
int fa0/0.10
ip access-group 101 in
Jon
04-05-2022 09:43 AM
It works, thanks. How about hosts belonging to VLAN 10 not being allowed to access the internet?
04-05-2022 09:51 AM - edited 04-05-2022 09:52 AM
Depends on what you wanted vlan 10 to be able to access so -
access-list 101 deny ip 172.10.55.0 0.0.0.255 172.30.55.0 0.0.0.255
access-list 101 permit ip 172.10.55.0 0.0.0.255 172.20.55.0 0.0.0.255
access-list 101 deny ip 172.10.55.0 0.0.0.255 any
In the above, the only subnet 172.10.55.0/24 can communicate with is 172.20.55.0/24, and then the last line is for internet, i.e. any other traffic.
So if there were additional subnets you wanted to allow, you would need to add them after the permit line above but before the last line, as ACLs are processed in order.
Jon
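Added example (not from the thread or its posters): a small Python first-match evaluator run over the `access-list 101` lines from the reply above, showing why entry order matters and what the implicit deny at the end of every ACL does. The helper names and test addresses are assumptions for illustration; only `ip` entries with `any`, `host`, or address-plus-wildcard specs are handled.

```python
import ipaddress

# ACL 101 as posted above, with the source wildcard mask written out on every line.
ACL_101 = """\
access-list 101 deny ip 172.10.55.0 0.0.0.255 172.30.55.0 0.0.0.255
access-list 101 permit ip 172.10.55.0 0.0.0.255 172.20.55.0 0.0.0.255
access-list 101 deny ip 172.10.55.0 0.0.0.255 any
"""

def read_spec(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (address, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    # A missing wildcard makes the next token (e.g. 'any') fail to parse here.
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into ordered rules."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        if tok[3] != "ip":
            raise ValueError("only 'ip' entries are handled: " + line)
        rest = tok[4:]
        src = read_spec(rest)
        dst = read_spec(rest)
        rules.append((tok[2], src, dst, line.strip()))
    return rules

def matches(ip, spec):
    """Wildcard bits set to 1 are 'don't care'; compare only the remaining bits."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(ip)) & care == addr & care

def evaluate(rules, src_ip, dst_ip):
    """Return (action, matching line); the first matching entry wins."""
    for action, src, dst, line in rules:
        if matches(src_ip, src) and matches(dst_ip, dst):
            return action, line
    return "deny", "implicit deny"  # every ACL ends with an unwritten deny

if __name__ == "__main__":
    rules = parse_acl(ACL_101)
    # Constructed test packets: VLAN 10 host to VLAN 30, VLAN 20 and an outside address.
    for dst in ("172.30.55.20", "172.20.55.20", "203.0.113.9"):
        print("172.10.55.10 ->", dst, evaluate(rules, "172.10.55.10", dst))
```

Moving a broad `permit ... any` entry above a specific `deny` shadows the deny, which is the ordering rule the reply describes.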
04-05-2022 10:02 AM
Thank you so much. I think I got it. I will configure it now and have time for my family.
04-05-2022 09:33 AM - edited 04-05-2022 09:37 AM
You could implement an ACL on both VLANs (since you can only do either in or out on a specific interface).
On the router create 2 access lists 10 and 20. Then apply them to the respective interface.
access-list 10 deny 172.30.55.0 0.0.0.255
access-list 10 permit any
access-list 20 deny 172.10.55.0 0.0.0.255
access-list 20 permit any
interface vlan 10
ip access-group 10 out
interface vlan 20
ip access-group 20 out
This is to block each VLAN from reaching each other. If you just need one to not reach the other you should be able to apply just the ACL you need to prevent traffic based on the IP.
