Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1315
Views
15
Helpful
8
Replies

How to achieve Restriction between SVI

Go to solution
sreeraj.murali
Level 3
Level 3

‎10-10-2017 11:41 PM - edited ‎03-08-2019 12:19 PM

Hi Experts, Could you please suggest if this is a valid ACL statement.

 

I want to restrict access from vlan20(172.20.2.0/24 Network) to other vlan. Also need to permit access to my WAN Devices which is of ip address, 172.20.4.2,172.20.4.4 and 172.20.4.5. Please suggest.

 

If this needs an correction, kindly help.

 

access-list 199 permit any 172.20.4.0 0.0.0.6 – Access to WAN Gateway
access-list 199 deny any any – Restricting access to other vlan

interface Vlan20
 description XYZ Network
 ip address 172.20.2.1 255.255.255.0
 ip helper address  172.20.2.1
 ip access-group 199 in

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mark Malone
VIP Alumni
VIP Alumni
In response to sreeraj.murali

‎10-11-2017 03:36 AM

Prob betfter putting it both directions so i have altered the acl so there is a reverse rule to so can go in/out

 

ip access-list extended test
 permit ip host 172.20.4.2 172.20.2.0 0.0.0.255
 permit ip host 172.20.4.4 172.20.2.0 0.0.0.255
 permit ip host 172.20.4.5 172.20.2.0 0.0.0.255
 permit ip 172.20.2.0 0.0.0.255 host 172.20.4.2
 permit ip 172.20.2.0 0.0.0.255 host 172.20.4.4
 permit ip 172.20.2.0 0.0.0.255 host 172.20.4.5
 deny   ip any 172.20.2.0 0.0.0.255
 deny   ip 172.20.2.0 0.0.0.255 any
 permit ip any any

 

interface Vlan20
description XYZ Network
ip address 172.20.2.1 255.255.255.0
ip access-group test in
ip access-group test out

View solution in original post

8 Replies 8

Go to solution
Mark Malone
VIP Alumni
VIP Alumni

‎10-11-2017 12:25 AM - edited ‎10-11-2017 12:26 AM

Hi

if i understood that correctly allow the wan devices speak to vlan 20 but vlan 20 then blocked from speaking to erveryone else , if the wan devices are just to speak to the host ip you can alter it  , apply it in and outbound under the interface

 

ip access-list extended test
 permit ip host 172.20.4.2 172.20.2.0 0.0.0.255
 permit ip host 172.20.4.4 172.20.2.0 0.0.0.255
 permit ip host 172.20.4.5 172.20.2.0 0.0.0.255
 deny   ip 172.20.2.0 0.0.0.255 any
 permit ip any any

 

By the way your helper address shouldnt be the vlan interface , it should be the dhcp server address and if the dhcp scop is on the device then you dont need the helper

 

interface Vlan20
 description XYZ Network
 ip address 172.20.2.1 255.255.255.0
 ip helper address  172.20.2.1

Go to solution
sreeraj.murali
Level 3
Level 3
In response to Mark Malone

‎10-11-2017 01:00 AM

Thanks Mark for the prompt response!!!
Yes Mark, I need to have vlan 172.20.2.0/24 communicate only to 172.20.4.2(MPLS Router), 172.20.4.4(Internet Firewall), 172.2.4.5(Internet Router) for accessing the Internet as only Internet access should be allowed from this vlan. Hope your answer achieves the same result.
Please help me with the below queries as well

1. On which interface I need to apply the ACL?
2. Yes, the dhcp pool is running on the same switch where the vlan interace 172.20.2.1 is configured.
Please find the below diagram for more clarity
[cid:image001.png@01D34295.080DF890]
Kindly suggest.
0 Helpful

Go to solution
Mark Malone
VIP Alumni
VIP Alumni
In response to sreeraj.murali

‎10-11-2017 01:14 AM

so the way that's written is each of the first 3 host rules .2 .4 .5 can talk to vlan 20 anybody else is denied in the second last line and then everyone else can speak to each other.

It should be applied on the vlan 20 interface itself

Your image is not viewable but if the scope is local you don't need to use the helper address , its only required when dhcp server is on a different vlan like 10.10.10.x so then you would need to point to that under the vlan interface so it can change from broadcast to unicast and reach the dhcp server, if that makes sense
0 Helpful

Go to solution
sreeraj.murali
Level 3
Level 3
In response to Mark Malone

‎10-11-2017 02:52 AM

Thanks!!!
So the interface vlan should like below ? Please confirm.
interface Vlan20
description XYZ Network
ip address 172.20.2.1 255.255.255.0
ip access-group test in/out - please confirm it access group should be applied IN or OUT?
0 Helpful

Go to solution
Mark Malone
VIP Alumni
VIP Alumni
In response to sreeraj.murali

‎10-11-2017 03:36 AM

Prob betfter putting it both directions so i have altered the acl so there is a reverse rule to so can go in/out

 

ip access-list extended test
 permit ip host 172.20.4.2 172.20.2.0 0.0.0.255
 permit ip host 172.20.4.4 172.20.2.0 0.0.0.255
 permit ip host 172.20.4.5 172.20.2.0 0.0.0.255
 permit ip 172.20.2.0 0.0.0.255 host 172.20.4.2
 permit ip 172.20.2.0 0.0.0.255 host 172.20.4.4
 permit ip 172.20.2.0 0.0.0.255 host 172.20.4.5
 deny   ip any 172.20.2.0 0.0.0.255
 deny   ip 172.20.2.0 0.0.0.255 any
 permit ip any any

 

interface Vlan20
description XYZ Network
ip address 172.20.2.1 255.255.255.0
ip access-group test in
ip access-group test out

Go to solution
sreeraj.murali
Level 3
Level 3
In response to Mark Malone

‎10-11-2017 03:38 AM

Thanks a lot Mark!!!
I will try this and update you.
Thanks
Sreeraj
0 Helpful

Go to solution
Meheretab Mengistu
Level 7
Level 7

‎10-11-2017 12:26 AM

I believe you will need to make a couple of changes:

access-list 199 permit ip any 172.20.4.0 0.0.0.7
access-list 199 deny ip any any

interface Vlan20
description XYZ Network
ip address 172.20.2.1 255.255.255.0
ip helper address 172.20.2.1
ip access-group 199 out

Just bear in mind that the above ACL permits traffic destined to 172.20.4.0/29 network only.

HTH,
Meheretab
HTH,
Meheretab

Go to solution
sreeraj.murali
Level 3
Level 3
In response to Meheretab Mengistu

‎10-11-2017 11:48 PM

Thank a lot Meheretab. I will try and update.
Regards
Sreeraj
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card