01-09-2017 01:41 PM - edited 03-08-2019 08:50 AM
Shortly, this network contains 15 VLANs:
vlan 4 management 10.0.4.0 255.255.252.0
vlan 8 voice 10.0.8.0 255.255.252.0
vlan 12 wireless 10.0.12.0 255.255.252.0
vlan 16 BMS 10.0.16.0 255.255.252.0
... etc. ... vlan 60
How to permit vlan 4 (management) to access the other vlans (8,12,...,60)
and deny the other vlans (8,12,...,60) access to vlan 4 (management),
knowing that I configured all VLANs on a Catalyst core switch (3850)?
Thanks all in advance.
01-09-2017 02:09 PM
Hi,
I think simple ACL should do the job. Do you have specific requirements which traffic you want to permit/deny?
Example of allowing telnet/www return traffic:
Switch(config)# access-list 101 permit tcp 10.0.0.0 0.0.255.255 10.0.4.0 0.0.3.255 eq telnet established
Switch(config)# access-list 101 permit tcp 10.0.0.0 0.0.255.255 10.0.4.0 0.0.3.255 eq www established
Switch(config)# interface vlan 4
Switch(config-if)# ip access-group 101 out
For non-TCP traffic you have to specify all traffic flows which you want to permit/deny.
01-09-2017 11:58 PM
Simply, I need to deny all traffic from the other vlans to vlan 4
and permit traffic from vlan 4 to the other vlans.
01-10-2017 12:44 AM
Hello
The previous ACL provided and applied to the SVI of vlan 10 will allow you to do this.
You can even go further and negate even ping if you desire.
vlan 4= 4.4.4.0/24
vlan 8= 8.8.8.0/24 <---deny
vlan 12= 12.12.12.0/24<---deny
vlan 16= 16.16.16.0/24<---deny
ip access-list extended STAN
deny tcp 8.8.8.0 0.0.0.255 any
deny tcp 12.12.12.0 0.0.0.255 any
deny tcp 16.16.16.0 0.0.0.255 any
permit ip any any
int vlan 4
ip access-group STAN out
res
Paul
01-10-2017 10:38 PM
Thanks Paul,
I tried your solution, but it does not deny any packets.
01-09-2017 02:12 PM
Hello
You could use RACLs for the TCP connections:
vlan 4= 4.4.4.0/24
vlan 8= 8.8.8.0/24
vlan 12= 12.12.12.0/24
vlan 16= 16.16.16.0/24
ip access-list extended STAN
permit tcp 8.8.8.0 0.0.0.255 any established <---allows echo reply
deny tcp 8.8.8.0 0.0.0.255 any
permit tcp 12.12.12.0 0.0.0.255 any established
deny tcp 12.12.12.0 0.0.0.255 any
permit tcp 16.16.16.0 0.0.0.255 any established
deny tcp 16.16.16.0 0.0.0.255 any
permit ip any any
int vlan 4
ip access-group STAN out
res
Paul
01-27-2017 03:53 PM
What you are asking can be done with a VLAN access-map (aka VACL), however this will deny all traffic including return traffic (e.g. ICMP echo-reply) from those VLANs. If what you truly want is one-way communication, a VLAN access-map could work.
No guarantee that below config will work, no guarantee that is free of errors, no guarantee that it won't cause an outage if applied to a production environment.
ip access-list extended MGMT_2_ANY
permit ip 10.0.4.0 0.0.3.255 any
!
vlan access-map MGMT_UNIDIRECTIONAL 10
match ip address MGMT_2_ANY
action forward
vlan access-map MGMT_UNIDIRECTIONAL 20
action drop log
!
vlan filter MGMT_UNIDIRECTIONAL vlan-list 8,12,16 !(or apply to ranges of VLANs)
!
Alternatively, if you want to see echo-replies from those VLANs (or modify to match some other return traffic that you want to allow):
ip access-list extended ALLOW_ECHO_REPLY
permit icmp any 10.0.4.0 0.0.3.255 echo-reply
!
vlan access-map MGMT_UNIDIRECTIONAL 20
match ip address ALLOW_ECHO_REPLY
action forward
vlan access-map MGMT_UNIDIRECTIONAL 30
action drop log
!
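As an added illustration for this thread (my own construction, not any poster's configuration), here is a small simulator of how a Cisco-style extended ACL applied "out" on the vlan 4 SVI evaluates packets: wildcard masks, first match wins, implicit deny, and the established / echo-reply qualifiers. It uses the original question's /22 subnets and shows why a TCP-only deny list such as the first STAN still lets a ping through, that established only ever matches TCP, and what a tightened per-VLAN variant (also my construction) changes; the packet dicts are constructed samples.

```python
from ipaddress import IPv4Address

# Constructed simulator of Cisco-style ACL evaluation. Packets are modelled as
# routed "out" of interface vlan 4, i.e. sourced in another VLAN and destined
# for the management subnet, using the original question's addressing.
ANY = ("0.0.0.0", "255.255.255.255")
VLAN8 = ("10.0.8.0", "0.0.3.255")      # /22 as in the question
MGMT = ("10.0.4.0", "0.0.3.255")

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: bits that are 0 in the wildcard must match."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def ace_matches(ace, pkt):
    action, proto, src, dst, qual = ace
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], *src) and wildcard_match(pkt["dst"], *dst)):
        return False
    # 'established' only matches TCP segments with ACK (or RST) set; it can
    # never match ICMP or UDP, so it does not let echo-replies through.
    if qual == "established" and not pkt.get("ack", False):
        return False
    if qual == "echo-reply" and pkt.get("icmp_type") != "echo-reply":
        return False
    return True

def evaluate(acl, pkt):
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"

# The first STAN translated to the question's subnets: only TCP is denied, so
# ICMP/UDP from vlan 8 fall through to 'permit ip any any' and a ping succeeds.
STAN_TCP_ONLY = [("deny", "tcp", VLAN8, ANY, None),
                 ("permit", "ip", ANY, ANY, None)]

# Tightened variant (my addition, one VLAN shown; repeat per VLAN): allow TCP
# replies and ICMP echo-replies into management, then drop the rest of vlan 8.
STAN_TIGHT = [("permit", "tcp", VLAN8, MGMT, "established"),
              ("permit", "icmp", VLAN8, MGMT, "echo-reply"),
              ("deny", "ip", VLAN8, ANY, None),
              ("permit", "ip", ANY, ANY, None)]

# Constructed sample packets from a vlan 8 host toward a management host.
PING = {"proto": "icmp", "src": "10.0.9.7", "dst": "10.0.5.1", "icmp_type": "echo"}
REPLY = dict(PING, icmp_type="echo-reply")
SYN = {"proto": "tcp", "src": "10.0.9.7", "dst": "10.0.5.1", "ack": False}
SYNACK = dict(SYN, ack=True)
```

A host in vlan 12 (say 10.0.13.1) matches neither VLAN8 entry in STAN_TIGHT and is permitted by the final entry, which is why each VLAN needs its own deny, as Paul's lists do.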