How to configure VLAN communication

ramakanth
Level 1

I have two VLANs, vlan 42 and vlan 52

Vlan 42 10.10.42.0/24

vlan 56 10.10.56.0/24

I want vlan 56 to be able to communicate with vlan 42.

I do not want vlan 42 to be able to communicate with vlan 56.


Mark Malone
VIP Alumni
You can use access lists under the interface VLANs to restrict or allow them to speak to each other. Something like the below should work; apply it in and out on each interface and test it.

Int vlan 52
ip access-group TEST in
ip access-group TEST out

Int vlan 42
ip access-group TEST in
ip access-group TEST out

ip access-list extended TEST
permit ip 10.10.56.0 0.0.0.255 any
permit ip any 10.10.56.0 0.0.0.255
deny ip 10.10.42.0 0.0.0.255 10.10.56.0 0.0.0.255
permit ip 10.10.42.0 0.0.0.255 any
permit ip any any

I have configured it but still have the issue.

 
Vlan 42 is communicating with vlan 56,
but I want vlan 56 not to communicate with vlan 42.

 

brselzer
Cisco Employee

Hello,

 

As Mark mentioned, you can write an ACL to block traffic in one direction. However, if you have a server in one VLAN and users in another, putting an ACL in place is not going to work, as the communication needs to be bi-directional even if you only want the users to be able to initiate the connection. If this is what you are trying to achieve, you might need to look into a stateful firewall, or maybe configure NAT to mask the clients on the inside.

 

Hope that helps!

-Bradley Selzer
CCIE# 60833

Actually traffic does not need to be bi-directional, but it's very unusual if it's not. For example, TCP won't work unless it's bi-directional, but UDP might.

If you want to allow VLAN 42 to TCP respond to VLAN 56, you can use an ACL ACE using the "established" option.

I have configured it but still have the issue.

Vlan 42 is communicating with vlan 56,
but I want vlan 56 not to communicate with vlan 42.

Hello


@ramakanth wrote:
I have configured it but still have the issue.

Vlan 42 is communicating with vlan 56,
but I want vlan 56 not to communicate with vlan 42.

Then you need to allow established TCP traffic to be able to return into vlan 42. Unfortunately this will not work for UDP, as that protocol is connectionless, so UDP can only be allowed or denied as a whole.

vlan 42 =192.168.42.0/24
vlan 56 =192.168.56.0/24

Ip access-list extended TST
Permit tcp 192.168.56.0 0.0.0.255 any established
deny tcp 192.168.56.0 0.0.0.255 any
permit ip any any

int vlan 42
Ip access-group TST out

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
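As an added illustration that is not part of this thread or of anyone's posted configuration, the small Python model below walks the TST access list from the post above the way IOS evaluates an ACL applied outbound on interface Vlan42 (top down, first match wins, implicit deny at the end). It assumes the documented meaning of the "established" keyword, namely that it matches TCP segments with the ACK or RST bit set; the packet names, hosts and helper names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed copy of the TST access list from the post above (ACE lines only).
ACL_TST = """
permit tcp 192.168.56.0 0.0.0.255 any established
deny tcp 192.168.56.0 0.0.0.255 any
permit ip any any
"""


@dataclass
class Packet:
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    ack_or_rst: bool = False  # TCP ACK or RST bit set; this is what "established" matches


def _take_addr(tokens):
    """Consume 'any' or '<addr> <wildcard>' from tokens and return the network it matches."""
    if tokens[0].lower() == "any":
        del tokens[0]
        return ipaddress.ip_network("0.0.0.0/0")
    addr, wildcard = tokens[0], tokens[1]
    del tokens[:2]
    # IOS wildcard masks are inverted subnet masks: 0.0.0.255 -> 255.255.255.0
    netmask = ipaddress.IPv4Address((~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_acl(text):
    """Turn ACE lines into (action, proto, src_net, dst_net, established) tuples."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto, rest = tokens[0].lower(), tokens[1].lower(), tokens[2:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        established = any(t.lower() == "established" for t in rest)
        aces.append((action, proto, src, dst, established))
    return aces


def evaluate(aces, pkt):
    """First matching ACE wins, top down; a packet matching nothing hits the implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src_net, dst_net, established in aces:
        if proto != "ip" and proto != pkt.proto:
            continue
        if src not in src_net or dst not in dst_net:
            continue
        if established and not (pkt.proto == "tcp" and pkt.ack_or_rst):
            continue
        return action
    return "deny"


def vlan42_outbound_decisions():
    """Verdicts for packets the router would forward out of Vlan42, i.e. toward VLAN 42 hosts."""
    aces = parse_acl(ACL_TST)
    samples = {
        # A VLAN 56 host trying to open a TCP connection into VLAN 42
        "tcp_syn_from_56": Packet("tcp", "192.168.56.10", "192.168.42.10"),
        # The reply half of a TCP connection a VLAN 42 host opened toward VLAN 56
        "tcp_reply_from_56": Packet("tcp", "192.168.56.10", "192.168.42.10", ack_or_rst=True),
        # Connectionless traffic from VLAN 56: no ACE above stops it
        "icmp_echo_from_56": Packet("icmp", "192.168.56.10", "192.168.42.10"),
        "udp_from_56": Packet("udp", "192.168.56.10", "192.168.42.10"),
    }
    return {name: evaluate(aces, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in vlan42_outbound_decisions().items():
        print(f"{name:20s} {verdict}")
```

Running it shows the effect of the list: a new TCP connection attempt from VLAN 56 is denied, the reply half of a connection opened from VLAN 42 is permitted by the established ACE, and ICMP or UDP from VLAN 56 falls through to "permit ip any any". A ping from VLAN 56 to VLAN 42 therefore still succeeds with this ACL, so a ping test is not a valid check of whether the TCP restriction is working.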

The configuration which you have given me was not working

 

I will give you an example.

I have created two VLANs, vlan 42 and vlan 56.

vlan 42 10.10.42.0

vlan 56 10.10.56.0

 

I have created 2 ACLs:

 

ip access-list extended comm_vlan
permit ip 10.10.56.0 0.0.0.255 any
permit ip any 10.10.56.0 0.0.0.255
deny ip 10.10.42.0 0.0.0.255 10.10.56.0 0.0.0.255
permit ip 10.10.42.0 0.0.0.255 any
permit ip any any

 

ip access-list extended vcomm_vlan2
permit tcp 10.10.56.0 0.0.0.255 any established
deny tcp 10.10.56.0 0.0.0.255 any
permit ip any any

 

and

interface Vlan42
ip address 10.10.42.1 255.255.255.0
ip access-group comm_vlan in
ip access-group vcomm_vlan2 out
!
interface Vlan56
ip address 10.10.56.1 255.255.255.0
ip access-group comm_vlan in

 

but both VLANs are communicating.

I want only vlan 42 to be able to communicate with vlan 56;

vlan 56 should not communicate with vlan 42.

Hello

Remove the following and try again:

interface Vlan42
ip address 10.10.42.1 255.255.255.0
no ip access-group comm_vlan in

interface Vlan56
no ip access-group comm_vlan in


Kind Regards
Paul

I have done that but the same issue occurs.