Beginner

How to configure vlan communicating

I have two vlan 42 and vlan 52

Vlan 42 10.10.42.0/24

vlan 56 10.10.56.0/24

I want to communicate: vlan 56 should communicate with vlan 42

I do not want to communicate: vlan 42 should not communicate with vlan 56

 

 

VIP Mentor

Re: How to configure vlan communicating

You can use an access list under the interface vlans to restrict or allow them to speak to each other. Something like below should work; base it in and out on each interface and test it.

Int vlan 52
ip access-group TEST in
ip access-group TEST out

Int vlan 42
ip access-group TEST in
ip access-group TEST out

ip access-list extended TEST
permit ip 10.10.56.0 0.0.0.255 any
permit ip any 10.10.56.0 0.0.0.255
deny ip 10.10.42.0 0.0.0.255 10.10.56.0 0.0.0.255
permit ip 10.10.42.0 0.0.0.255 any
permit ip any any

Beginner

Re: How to configure vlan communicating

I have configured but still issue

Vlan 42 is communicating with vlan 56
but I want vlan 56 should not communicate vlan 42

 

Cisco Employee

Re: How to configure vlan communicating

Hello,

As Mark mentioned, you can write an ACL to block traffic in one direction. However, if you have a server in one vlan and users in another, putting an ACL is not going to work as the communication needs to be bi-directional even if you only want the users to be able to initiate the connection. If this is what you are trying to achieve, you might need to look into a stateful firewall or maybe configuring NAT to mask the clients on the inside.

 

Hope that helps!

-Bradley Selzer
CCIE# 60833
VIP Expert

Re: How to configure vlan communicating

Actually traffic does not need to be bi-directional, but it's very unusual if it's not. For example, TCP won't work unless it's bi-directional, but UDP might.

If you want to allow VLAN 42 to TCP respond to VLAN 56, you can use an ACL ACE using the "established" option.
Beginner

Re: How to configure vlan communicating

I have configured but still issue

Vlan 42 is communicating with vlan 56
but I want vlan 56 should not communicate vlan 42
VIP Advisor

Re: How to configure vlan communicating

Hello


@ramakanth wrote:
I have configured but still issue

Vlan 42 is communicating with vlan 56
but i want vlan 56 should not communicate vlan 42

Then you need to allow established TCP traffic to be able to return into vlan 42. Unfortunately this will not work for UDP, as the protocol is connectionless, so UDP can be allowed or denied.

vlan 42 =192.168.42.0/24
vlan 56 =192.168.56.0/24

Ip access-list extended TST
Permit tcp 192.168.56.0 0.0.0.255 any established
deny tcp 192.168.56.0 0.0.0.255 any
permit ip any any

int vlan 42
Ip access-group TST out

 



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Beginner

Re: How to configure vlan communicating

The configuration which you have given me was not working

I will give you an example

I have created two vlans, vlan 42 and vlan 56

vlan 42 10.10.42.0

vlan 56 10.10.56.0

 

I have created 2 ACL

 

ip access-list extended comm_vlan
permit ip 10.10.56.0 0.0.0.255 any
permit ip any 10.10.56.0 0.0.0.255
deny ip 10.10.42.0 0.0.0.255 10.10.56.0 0.0.0.255
permit ip 10.10.42.0 0.0.0.255 any
permit ip any any

 

ip access-list extended vcomm_vlan2
permit tcp 10.10.56.0 0.0.0.255 any established
deny tcp 10.10.56.0 0.0.0.255 any
permit ip any any

 

and

interface Vlan42
ip address 10.10.42.1 255.255.255.0
ip access-group comm_vlan in
ip access-group vcomm_vlan2 out
!
interface Vlan56
ip address 10.10.56.1 255.255.255.0
ip access-group comm_vlan in

 

but both vlans are communicating

but I want only vlan 42 should communicate with vlan 56

vlan 56 should not communicate with vlan 42
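
An added example (not written by any poster in this thread): a minimal Python model of top-down, first-match evaluation of an extended ACL, run against the comm_vlan and vcomm_vlan2 entries posted above. The host addresses 10.10.42.10 and 10.10.56.10 and all function names are constructed for illustration, and only the ACE syntax used in this thread is modelled.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_ace(line):
    """Parse the subset of extended-ACE syntax used in this thread."""
    tok = line.lower().split()
    action, proto, rest = tok[0], tok[1], tok[2:]
    def take_addr():
        if rest[0] == "any":
            rest.pop(0)
            return (0, 0xFFFFFFFF)  # all-ones wildcard matches any address
        return (ip(rest.pop(0)), ip(rest.pop(0)))  # address, wildcard mask
    src, dst = take_addr(), take_addr()
    return action, proto, src, dst, "established" in rest

def addr_match(spec, addr):
    base, wild = spec
    return ((base ^ ip(addr)) & ~wild & 0xFFFFFFFF) == 0

def evaluate(acl, p):
    """Top-down, first match wins; unmatched packets hit the implicit deny."""
    for line in acl:
        action, proto, src, dst, est = parse_ace(line)
        if proto not in ("ip", p["proto"]):
            continue
        if not (addr_match(src, p["src"]) and addr_match(dst, p["dst"])):
            continue
        # "established" matches only TCP segments with ACK or RST set
        if est and not (p["flags"] & {"ack", "rst"}):
            continue
        return action, line
    return "deny", "(implicit deny)"

def packet(src, dst, proto, *flags):
    return {"src": src, "dst": dst, "proto": proto, "flags": set(flags)}

# ACL entries as posted in the thread
COMM_VLAN = """permit ip 10.10.56.0 0.0.0.255 any
permit ip any 10.10.56.0 0.0.0.255
deny ip 10.10.42.0 0.0.0.255 10.10.56.0 0.0.0.255
permit ip 10.10.42.0 0.0.0.255 any
permit ip any any""".splitlines()
VCOMM_VLAN2 = """permit tcp 10.10.56.0 0.0.0.255 any established
deny tcp 10.10.56.0 0.0.0.255 any
permit ip any any""".splitlines()
if __name__ == "__main__":  # constructed hosts 10.10.42.10 and 10.10.56.10
    print(evaluate(COMM_VLAN, packet("10.10.42.10", "10.10.56.10", "tcp", "syn")))
```

In this model a VLAN 42 to VLAN 56 packet matches the second comm_vlan line (permit ip any 10.10.56.0 0.0.0.255), so the deny on the third line is never reached. Against vcomm_vlan2, a TCP SYN sourced from VLAN 56 is denied, a segment with ACK set is permitted, and UDP falls through to permit ip any any.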

VIP Advisor

Re: How to configure vlan communicating

Hello

Remove the following and try again:

interface Vlan42
ip address 10.10.42.1 255.255.255.0
no ip access-group comm_vlan in

interface Vlan56
no ip access-group comm_vlan in



kind regards
Paul

Beginner

Re: How to configure vlan communicating

I have done but same issue occurs

 
