Extended ACL

Samus1984
Level 1

Hi everyone,

I need your help.

My VLANs 1, 2 and 3 must be able to communicate with each other and with the DNS server. However, there must be no communication from VLANs 1, 2, 3 to VLAN 4.

On the other hand, VLAN 4 must be able to communicate with everyone.

I've tried to turn the problem in all directions, but I can't do the second part, when VLAN 4 must communicate with VLANs 1, 2, 3.

Before making my ACLs I took care to make my encapsulations well, and everyone can have access to everyone else.

DHCP server configured on the layer 3 switches.

4 Replies

balaji.bandi
Hall of Fame

Look at the recent discussion (try your effort, create an ACL and test):

https://community.cisco.com/t5/network-management/acl-vlan/m-p/4731628

If it is still not working, post your ACL config and what tests you have done.

BB


The requirement that VLAN 4 can successfully communicate with VLANs 1, 2, 3 but that VLANs 1, 2, 3 can not communicate with VLAN 4 gets tricky. The first attempt would probably be an extended ACL that specifies that if the source is VLAN 1 and the destination is VLAN 4 then the packet should be denied. The problem with this is that if some device in VLAN 4 sends a request to some device in VLAN 1 and the device in VLAN 1 attempts to send a response, that response matches the deny statement in the ACL and communication from VLAN 4 to VLAN 1 fails. Note that for TCP traffic there is a solution to this, which is using the established parameter for TCP in the ACL. But for non-TCP protocols there is not a good solution.

For this requirement to work it is not enough to just look at the source and destination of a packet. We need to keep track of who initiated the connection. If VLAN 4 is the initiator, then permit the traffic. If VLAN 1 was the initiator, then deny the traffic. The best way to accomplish this is to use some device that does stateful inspection.

HTH

Rick

Solved: Re: ACL Vlan - Cisco Community

I solved the same issue a week ago.
Check my solution.

Hello
This could be accomplished for TCP traffic using an access-list matching on established traffic initiated from VLAN 4; however, for UDP, as it is connectionless, you would only be able to deny or allow such connections with an access-list.

Example:
ip access-list extended denyvlans
 remark replies to TCP sessions that VLAN 4 opened are allowed back in
 permit tcp 10.0.1.0 0.0.0.255 any established
 deny tcp 10.0.1.0 0.0.0.255 any
 permit tcp 10.0.2.0 0.0.0.255 any established
 deny tcp 10.0.2.0 0.0.0.255 any
 permit tcp 10.0.3.0 0.0.0.255 any established
 deny tcp 10.0.3.0 0.0.0.255 any
 remark UDP is connectionless, so it can only be blocked outright
 deny udp 10.0.1.0 0.0.0.255 any
 deny udp 10.0.2.0 0.0.0.255 any
 deny udp 10.0.3.0 0.0.0.255 any
 permit ip any any

int vlan 4
 ip access-group denyvlans out


Kind Regards
Paul
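To make Rick's point about initiator tracking concrete, here is an added Python model (not from the thread or from any Cisco tool) that evaluates the denyvlans ACL from Paul's reply, as applied outbound on the VLAN 4 SVI, against constructed packets. The /24 networks for VLANs 1 to 3, the 10.0.4.0/24 network for VLAN 4 and a DNS server at 10.0.1.53 are assumptions, not values from the thread.

```python
# Added example, not from the thread: stateless model of Paul's "denyvlans" ACL
# applied outbound on the VLAN 4 SVI. 10.0.1.0/24 to 10.0.3.0/24 (VLANs 1-3),
# 10.0.4.0/24 (VLAN 4) and a DNS server at 10.0.1.53 are assumed, not from the thread.
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    ack: bool = False   # TCP ACK/RST bit set; "established" checks only this

# (action, protocol, source network, established-only), in the order of the reply.
ACL_DENYVLANS = [
    ("permit", "tcp", "10.0.1.0/24", True),
    ("deny", "tcp", "10.0.1.0/24", False),
    ("permit", "tcp", "10.0.2.0/24", True),
    ("deny", "tcp", "10.0.2.0/24", False),
    ("permit", "tcp", "10.0.3.0/24", True),
    ("deny", "tcp", "10.0.3.0/24", False),
    ("deny", "udp", "10.0.1.0/24", False),
    ("deny", "udp", "10.0.2.0/24", False),
    ("deny", "udp", "10.0.3.0/24", False),
    ("permit", "ip", "0.0.0.0/0", False),
]

def evaluate(acl, pkt):
    """First matching entry wins; an implicit deny follows the last entry."""
    src = ipaddress.ip_address(pkt.src)
    for action, proto, net, established in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if src not in ipaddress.ip_network(net):
            continue
        if established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return action
    return "deny"

# Constructed traffic, all leaving the VLAN 4 SVI towards VLAN 4 hosts.
SAMPLES = {
    "vlan1_tcp_syn": Packet("tcp", "10.0.1.10", "10.0.4.10"),            # VLAN 1 initiates
    "vlan1_tcp_reply": Packet("tcp", "10.0.1.10", "10.0.4.10", ack=True),  # answers VLAN 4
    "vlan1_dns_reply": Packet("udp", "10.0.1.53", "10.0.4.10"),           # no state for UDP
    "vlan1_icmp": Packet("icmp", "10.0.1.10", "10.0.4.10"),               # not listed at all
}

def results():
    return {name: evaluate(ACL_DENYVLANS, pkt) for name, pkt in SAMPLES.items()}
```

Two things the model makes visible: a UDP reply (here a DNS answer) to a request VLAN 4 sent is dropped because nothing records who initiated it, which is exactly the gap Rick describes, and ICMP from VLANs 1 to 3 falls through to the final permit ip any any, so ping from VLAN 1 into VLAN 4 is not blocked by this list.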