3152 Views · 0 Helpful · 6 Replies

Denying all VLANs access to a certain VLAN while permitting that VLAN access to all VLANs

In short, this network contains 15 VLANs:

vlan 4 management 10.0.4.0 255.255.252.0

vlan 8 voice 10.0.8.0 255.255.252.0

vlan 12 wireless 10.0.12.0 255.255.252.0

vlan 16 BMS 10.0.16.0 255.255.252.0

... etc., up to vlan 60

How do I permit VLAN 4 (management) to access the other VLANs (8, 12, ..., 60),

and deny the other VLANs (8, 12, ..., 60) access to VLAN 4 (management)?

Note that I configured all the VLANs on the Catalyst core switch (3850).

  

Thanks all in advance.

6 Replies

blau grana (Level 7)

Hi,

I think simple ACL should do the job. Do you have specific requirements which traffic you want to permit/deny?

Example of allowing telnet/www return traffic (the return packets come from source port telnet/www, so the port match belongs on the source side; everything else toward VLAN 4 hits the implicit deny):

Switch(config)# access-list 101 remark return traffic of telnet/www sessions opened from VLAN 4
Switch(config)# access-list 101 permit tcp 10.0.0.0 0.0.255.255 eq telnet 10.0.4.0 0.0.3.255 established
Switch(config)# access-list 101 permit tcp 10.0.0.0 0.0.255.255 eq www 10.0.4.0 0.0.3.255 established
Switch(config)# interface vlan 4
Switch(config-if)# ip access-group 101 out

For non-TCP traffic you have to specify all the traffic flows you want to permit/deny.

Best Regards

Please rate all helpful posts and close solved questions

Simply put, I need to deny all traffic from the other VLANs to VLAN 4,

and permit traffic from VLAN 4 to the other VLANs.

Hello
The previous ACL provided and applied to the SVI of vlan 10 will allow you to do this.
You can even go further and negate even ping if you desire.

vlan 4 = 4.4.4.0/24
vlan 8 = 8.8.8.0/24     <--- deny
vlan 12 = 12.12.12.0/24 <--- deny
vlan 16 = 16.16.16.0/24 <--- deny

ip access-list extended STAN
 deny tcp 8.8.8.0 0.0.0.255 any
 deny tcp 12.12.12.0 0.0.0.255 any
 deny tcp 16.16.16.0 0.0.0.255 any
 permit ip any any

interface vlan 4
 ip access-group STAN out

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thank you Paul,

I tried your solution, but it does not deny any packets.

Hello
You could use RACLs for the TCP connections:

vlan 4 = 4.4.4.0/24
vlan 8 = 8.8.8.0/24
vlan 12 = 12.12.12.0/24
vlan 16 = 16.16.16.0/24

ip access-list extended STAN
 permit tcp 8.8.8.0 0.0.0.255 any established   <--- allows echo reply
 deny tcp 8.8.8.0 0.0.0.255 any
 permit tcp 12.12.12.0 0.0.0.255 any established
 deny tcp 12.12.12.0 0.0.0.255 any
 permit tcp 16.16.16.0 0.0.0.255 any established
 deny tcp 16.16.16.0 0.0.0.255 any
 permit ip any any

interface vlan 4
 ip access-group STAN out

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

What you are asking can be done with a VLAN access-map (aka VACL), however this will deny all traffic including return traffic (e.g. ICMP echo-reply) from those VLANs.  If what you truly want is one-way communication, a VLAN access-map could work.

No guarantee that below config will work, no guarantee that is free of errors, no guarantee that it won't cause an outage if applied to a production environment.

ip access-list extended MGMT_2_ANY
 permit ip 10.0.4.0 0.0.3.255 any
!
vlan access-map MGMT_UNIDIRECTIONAL 10
 match ip address MGMT_2_ANY
 action forward
vlan access-map MGMT_UNIDIRECTIONAL 20
 action drop log
!
! (or apply to ranges of VLANs)
vlan filter MGMT_UNIDIRECTIONAL vlan-list 8,12,16
!

Alternatively, if you want to see echo-replies from those VLANs (or modify to match some other return traffic that you want to allow):

ip access-list extended ALLOW_ECHO_REPLY
 permit icmp any 10.0.4.0 0.0.3.255 echo-reply
!
vlan access-map MGMT_UNIDIRECTIONAL 20
 match ip address ALLOW_ECHO_REPLY
 action forward
vlan access-map MGMT_UNIDIRECTIONAL 30
 action drop log
!
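As an added example (not part of any reply in this thread), the following Python model evaluates the router ACL from Paul's second reply and the VLAN access-map from the reply above against constructed packets. It assumes IOS semantics for wildcard masks, for the `established` keyword (TCP ACK or RST bit set), for RACL evaluation (first match wins, implicit deny) and for VLAN access-maps (a sequence applies only when its ACL permits the packet, a sequence with no match line matches everything, and an unmatched packet is dropped); Paul's 8.8.8.0/24 placeholder is replaced by the question's 10.0.8.0/22 voice subnet. Running it shows that the first STAN list, as written, also matches VLAN 4's own TCP return traffic (the reason the `established` entries were added), that the revised list still lets UDP and ICMP from the other VLANs reach VLAN 4, and that the access-map's catch-all drop also drops traffic that stays inside VLAN 8 (phone to phone), not only traffic toward management.

```python
# Added example (not from the thread): a small model of IOS ACL semantics used to
# check, offline, what the RACL with "established" and the VLAN access-map from
# the replies above actually permit. Addresses follow the question's plan
# (VLAN 4 = 10.0.4.0/22 management, VLAN 8 = 10.0.8.0/22 voice); the sample
# packets are constructed for the demonstration.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None     # TCP/UDP destination port
    ack: bool = False               # TCP ACK or RST bit set ("established" tests this)
    icmp_type: Optional[str] = None


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp" or "ip"
    src: str                        # "10.0.4.0 0.0.3.255" or "any"
    dst: str
    dport: Optional[int] = None
    established: bool = False
    icmp_type: Optional[str] = None


def in_wildcard(addr: str, spec: str) -> bool:
    """IOS wildcard match: a 1 bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a & ~w) == (n & ~w)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and in_wildcard(pkt.src, ace.src)
            and in_wildcard(pkt.dst, ace.dst)
            and (ace.dport is None or ace.dport == pkt.dport)
            and (not ace.established or pkt.ack)
            and (ace.icmp_type is None or ace.icmp_type == pkt.icmp_type))


def racl(aces: list, pkt: Packet) -> str:
    """Router ACL: first matching entry wins; implicit deny at the end."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def vacl(sequences: list, pkt: Packet) -> str:
    """VLAN access-map: a sequence applies when its ACL permits the packet (deny
    entries fall through to the next sequence); a sequence without a match line
    matches everything; a packet matching no sequence is dropped."""
    for aces, action in sequences:
        if aces is None or racl(aces, pkt) == "permit":
            return action
    return "drop"


MGMT, VOICE = "10.0.4.0 0.0.3.255", "10.0.8.0 0.0.3.255"

# Paul's first ACL and his "established" revision (voice subnet substituted for
# his placeholder); both are applied outbound on the VLAN 4 SVI, i.e. to packets
# routed INTO VLAN 4.
STAN_V1 = [Ace("deny", "tcp", VOICE, "any"), Ace("permit", "ip", "any", "any")]
STAN_V2 = [Ace("permit", "tcp", VOICE, "any", established=True),
           Ace("deny", "tcp", VOICE, "any"),
           Ace("permit", "ip", "any", "any")]

# The access-map from the last reply, filtering every packet seen in VLAN 8.
MGMT_2_ANY = [Ace("permit", "ip", MGMT, "any")]
ALLOW_ECHO_REPLY = [Ace("permit", "icmp", "any", MGMT, icmp_type="echo-reply")]
VACL_STRICT = [(MGMT_2_ANY, "forward"), (None, "drop")]
VACL_WITH_REPLY = [(MGMT_2_ANY, "forward"), (ALLOW_ECHO_REPLY, "forward"), (None, "drop")]

# Constructed packets; direction matters, the RACL only sees traffic into VLAN 4.
INTO_VLAN4 = {
    "ssh reply from voice server": Packet("10.0.8.10", "10.0.4.10", "tcp", dport=50000, ack=True),
    "new ssh from voice host": Packet("10.0.8.10", "10.0.4.10", "tcp", dport=22),
    "snmp trap from voice host": Packet("10.0.8.10", "10.0.4.10", "udp", dport=162),
    "ping from voice host": Packet("10.0.8.10", "10.0.4.10", "icmp", icmp_type="echo"),
}
IN_VLAN8 = {
    "ssh from mgmt": Packet("10.0.4.10", "10.0.8.10", "tcp", dport=22),
    "ssh reply to mgmt": Packet("10.0.8.10", "10.0.4.10", "tcp", dport=50000, ack=True),
    "phone to phone (intra-VLAN)": Packet("10.0.8.10", "10.0.8.11", "udp", dport=5060),
    "ping reply to mgmt": Packet("10.0.8.10", "10.0.4.10", "icmp", icmp_type="echo-reply"),
}


def evaluate() -> dict:
    """Verdict of every sample packet under each policy: policy -> packet -> verdict."""
    return {
        "STAN_V1": {k: racl(STAN_V1, p) for k, p in INTO_VLAN4.items()},
        "STAN_V2": {k: racl(STAN_V2, p) for k, p in INTO_VLAN4.items()},
        "VACL_STRICT": {k: vacl(VACL_STRICT, p) for k, p in IN_VLAN8.items()},
        "VACL_WITH_REPLY": {k: vacl(VACL_WITH_REPLY, p) for k, p in IN_VLAN8.items()},
    }


if __name__ == "__main__":
    for policy, verdicts in evaluate().items():
        print(policy)
        for name, verdict in verdicts.items():
            print(f"  {verdict:8} {name}")
```

Run it as a script to print a verdict table per policy. The model is deliberately minimal (no port ranges, no TCP flag matching beyond ACK/RST, no IPv6), but it is enough to check a proposed list against the flows that matter before it goes on a production SVI.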
