08-29-2016 01:36 PM - edited 03-08-2019 07:12 AM
I have VLAN 10 and VLAN 20.
VLAN 20 is cameras and VLAN 10 has around 50 users, but we want only selected hosts (three hosts) to communicate with VLAN 20.
How do I do it with inter-VLAN routing?
Thank you
08-30-2016 02:56 AM
Hello dmuinoorallo! I hope you can contribute if I have a mistake.
I think with your extended ACL, if I use host IP 1.1.1.4 it can go to network 10.1.1.1/24, because IP 1.1.1.4 matches:
access-list 101 permit ip any any
We need to insert a line before the above line:
access-list 101 deny ip 1.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
We can write the extended ACL more optimized if the topology is "vlan10 - SWL3 - Vlan 20" and you apply it to interface vlan 10 in the in direction:
SWL3(config)#access-list 101 permit ip 1.1.1.1 0.0.0.2 10.1.1.0 0.0.0.255
SWL3(config)#access-list 101 permit ip host 1.1.1.2 10.1.1.0 0.0.0.255
If you put the extended ACL in the out direction at interface vlan 20, we configure:
SWL3(config)#access-list 101 permit ip 1.1.1.1 0.0.0.2 10.1.1.0 0.0.0.255
SWL3(config)#access-list 101 permit ip host 1.1.1.2 10.1.1.0 0.0.0.255
SWL3(config)#access-list 101 deny ip 1.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
SWL3(config)#access-list 101 permit ip any any
Finally we apply access-list 101 on the interface. Because we are using an extended ACL I put it near the source. I configure:
SWL3(config)#int vlan 10
SWL3(config-if)#ip access-group 101 in
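As an added illustration of the first-match point in this reply (example code written for this page, not from the thread and not Cisco code): a small Python simulator of extended-ACL matching. It parses the ACL lines quoted in the thread, applies wildcard-mask matching and first-match evaluation with the implicit deny at the end, and shows that host 1.1.1.4 reaches 10.1.1.0/24 under the earlier list but is denied once the deny line precedes `permit ip any any`. The destination addresses 10.1.1.50 and 192.168.5.5 are constructed test values.

```python
# Added example (not from the thread): first-match simulator for Cisco
# numbered extended ACLs of the form 'access-list N permit|deny ip SRC DST'.
import ipaddress
from typing import Dict, List, Tuple

Entry = Tuple[str, str, str, str, str]  # (action, src, src_wildcard, dst, dst_wildcard)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match the base, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF  # bits that must match
    return (a & care) == (b & care)


def _parse_addr(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Parse 'any', 'host A' or 'A WILDCARD' starting at tokens[i]; return (base, wildcard, next)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_acl(text: str) -> List[Entry]:
    """Parse ACL lines in the order given; a 'SWL3(config)#' prompt prefix is tolerated."""
    entries: List[Entry] = []
    for raw in text.strip().splitlines():
        line = raw.split("#", 1)[-1].strip()
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        action = tokens[2]
        src, src_wc, i = _parse_addr(tokens, 4)
        dst, dst_wc, _ = _parse_addr(tokens, i)
        entries.append((action, src, src_wc, dst, dst_wc))
    return entries


def evaluate(entries: List[Entry], src: str, dst: str) -> str:
    """Action of the first matching entry, or the implicit 'deny' at the end of every ACL."""
    for action, s, s_wc, d, d_wc in entries:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"


# The list from the earlier reply: three hosts permitted, then 'permit ip any any'.
ORIGINAL_ACL = """
access-list 101 permit ip 1.1.1.1 0.0.0.0 10.1.1.0 0.0.0.255
access-list 101 permit ip 1.1.1.2 0.0.0.0 10.1.1.0 0.0.0.255
access-list 101 permit ip 1.1.1.3 0.0.0.0 10.1.1.0 0.0.0.255
access-list 101 permit ip any any
"""

# The corrected list from this reply: deny the rest of 1.1.1.0/24 before the final permit.
CORRECTED_ACL = """
SWL3(config)#access-list 101 permit ip 1.1.1.1 0.0.0.2 10.1.1.0 0.0.0.255
SWL3(config)#access-list 101 permit ip host 1.1.1.2 10.1.1.0 0.0.0.255
SWL3(config)#access-list 101 deny ip 1.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
SWL3(config)#access-list 101 permit ip any any
"""

CAMERA = "10.1.1.50"       # constructed camera address in VLAN 20
ELSEWHERE = "192.168.5.5"  # constructed address outside both VLANs


def compare() -> Dict[str, Dict[str, str]]:
    """Evaluate a few source hosts against both lists; keyed by ACL name, then 'src->dst'."""
    results: Dict[str, Dict[str, str]] = {}
    for name, text in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        acl = parse_acl(text)
        results[name] = {
            f"{src}->{dst}": evaluate(acl, src, dst)
            for src in ("1.1.1.1", "1.1.1.2", "1.1.1.3", "1.1.1.4")
            for dst in (CAMERA, ELSEWHERE)
        }
    return results


if __name__ == "__main__":
    for name, table in compare().items():
        print(name)
        for flow, action in table.items():
            print(f"  {flow:<24} {action}")
```

Running it prints "permit" for 1.1.1.4->10.1.1.50 under the original list and "deny" under the corrected one, while 1.1.1.3 stays permitted by the 1.1.1.1 0.0.0.2 entry (that wildcard matches 1.1.1.1 and 1.1.1.3 only).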
08-29-2016 02:29 PM
You could use an extended ACL or a VACL.
Check these examples:
Host1 1.1.1.1
Host2 1.1.1.2
Host3 1.1.1.3
Vlan20 10.1.1.1/24
-VACL-
ip access-list extended test1
permit ip 1.1.1.1 0.0.0.0 any
permit ip 1.1.1.2 0.0.0.0 any
permit ip 1.1.1.3 0.0.0.0 any
vlan access-map example 10
match ip address test1
action forward
vlan access-map example 20
action drop
vlan filter example vlan-list 20
-ACL EXTENDED-
access-list 101 permit ip 1.1.1.1 0.0.0.0 10.1.1.0 0.0.0.255
access-list 101 permit ip 1.1.1.2 0.0.0.0 10.1.1.0 0.0.0.255
access-list 101 permit ip 1.1.1.3 0.0.0.0 10.1.1.0 0.0.0.255
access-list 101 permit ip any any
08-30-2016 12:10 AM
Suppose I have 100 hosts on VLAN 20 and we want only three hosts to reach VLAN 30. How should we configure the ACL?
08-30-2016 12:17 AM
On VLAN 30 configure an ACL to allow the selected hosts to communicate, like:
access-list 101 permit ip host <host1 IP> any
access-list 101 permit ip host <host2 IP> any
access-list 101 permit ip host <host3 IP> any
int vlan 30
ip access-group 101 out
!
08-30-2016 02:15 AM
I have 50 hosts to deny and only one host that I want to permit to VLAN 30 from VLAN 20.
As per the above configuration I need to create 50 ACL permit entries and bind them to interfaces. Do you have any other ideas?
08-30-2016 02:37 AM
Create an object-group based ACL.
object-group network Allow_host
host x.x.x.x
object-group network Blocked_host
host y.y.y.y
ip access-list extended Test-ACL
permit ip object-group Allow_host any
deny ip object-group Blocked_host any
permit ip any any
08-30-2016 03:24 AM
I have only 3560 and 2960 switches in my network. Can I configure object-group access lists there?
09-02-2016 01:13 PM
Object groups are officially supported on 12.15 router IOS. They are not supported on switch platforms. The Cisco feature tool should tell you.
You can use my last reply for your issue.
09-02-2016 01:05 PM
Yes, it's a great solution, I didn't know object-group.
It is a smarter thing :)
09-02-2016 01:11 PM
Noooo,
One thing: you need to permit only one host and deny the rest.
You can use this:
SWL3(config)#access-list 101 permit ip host 1.1.1.2 10.1.1.0 0.0.0.255
SWL3(config)#access-list 101 deny ip any any
SWL3(config)#int vlan 20
SWL3(config-if)#ip access-group 101 out
If you need to change it for different networks you can play with the wildcard mask:
access-list 101 permit ip <net source> <wildcard net source> <net destination> <wildcard net destination>
09-02-2016 03:49 PM
What's the difference in using a wildcard mask like 0.0.0.255 and 0.0.0.0?
1) Suppose I want to permit one host to another network, what wildcard mask do I use?
2) Also, if I want to deny all the hosts from reaching another host, what wildcard mask should I use for both?
09-03-2016 12:30 PM
There are different forms to put a host in an ACL:
1- you put host and you don't need to write a wildcard
2- you put a wildcard; the wildcard is exactly the opposite of the mask.
For example mask /24, wildcard 0.0.0.255
mask for a host /32, wildcard 0.0.0.0
If you want more info:
https://en.wikipedia.org/wiki/Wildcard_mask
If you want to deny all packets from all hosts to another host, it's very simple:
SWL3(config)#access-list 101 permit ip <source ip/network> <source wildcard> <destination ip/network> <destination wildcard>
More info: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-xe-3s-book/sec-create-ip-apply.html#GUID-B7A956F6-E776-4839-8C73-7C2ADDA55242 I hope these links help you in your configuration.
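To make the "wildcard is the opposite of the mask" point concrete, here is an added Python example (written for this page; not part of the thread and not Cisco code). It converts prefix lengths and subnet masks to wildcards, renders an address the way it is written in an extended ACL (`host A` for /32, otherwise `A WILDCARD`), and enumerates the addresses a base/wildcard pair actually matches, including the non-contiguous 0.0.0.2 wildcard used earlier in the thread. The 192.168.1.10 address is a sample value chosen for the illustration.

```python
# Added example (not from the thread): wildcard-mask arithmetic for Cisco ACLs.
import ipaddress
from typing import List

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def mask_to_wildcard(mask: str) -> str:
    """The wildcard is the bitwise inverse of the subnet mask (255.255.255.0 -> 0.0.0.255)."""
    return _to_str(_to_int(mask) ^ ALL_ONES)


def prefix_to_wildcard(prefix_len: int) -> str:
    """/24 -> 0.0.0.255, /32 -> 0.0.0.0, /0 -> 255.255.255.255."""
    mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return _to_str(mask ^ ALL_ONES)


def acl_addr_spec(cidr: str) -> str:
    """Render a CIDR as written in an extended ACL: 'host A' for /32, else 'A WILDCARD'."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {prefix_to_wildcard(net.prefixlen)}"


def matched_count(wildcard: str) -> int:
    """A wildcard with k one-bits matches 2**k addresses, contiguous or not."""
    return 1 << bin(_to_int(wildcard)).count("1")


def matched_addresses(base: str, wildcard: str, max_bits: int = 16) -> List[str]:
    """Enumerate every address that 'base wildcard' matches.

    Base bits under a wildcard 1-bit are ignored, which is why IOS stores
    '192.168.1.10 0.0.0.255' as '192.168.1.0 0.0.0.255'. Non-contiguous
    wildcards work the same way: '1.1.1.1 0.0.0.2' matches 1.1.1.1 and 1.1.1.3.
    """
    b, w = _to_int(base), _to_int(wildcard)
    free_bits = [i for i in range(32) if (w >> i) & 1]
    if len(free_bits) > max_bits:
        raise ValueError("wildcard matches too many addresses to enumerate")
    fixed = b & (w ^ ALL_ONES)  # the bits the wildcard says must match
    out = []
    for combo in range(1 << len(free_bits)):
        addr = fixed
        for j, bit in enumerate(free_bits):
            if (combo >> j) & 1:
                addr |= 1 << bit
        out.append(_to_str(addr))
    return sorted(out, key=_to_int)


if __name__ == "__main__":
    for cidr in ("1.1.1.2/32", "10.1.1.0/24", "192.168.1.10/24"):
        print(f"{cidr:<18} -> {acl_addr_spec(cidr)}")
    print("1.1.1.1 0.0.0.2 matches", matched_addresses("1.1.1.1", "0.0.0.2"))
    print("0.0.0.255 matches", matched_count("0.0.0.255"), "addresses;",
          "0.0.0.0 matches", matched_count("0.0.0.0"))
```

The enumerator answers the two questions above directly: with wildcard 0.0.0.0 the list matches exactly one address (the host), with 0.0.0.255 it matches all 256 addresses of the /24, and the host bits you type under a 0.0.0.255 wildcard are simply ignored.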
09-03-2016 12:36 PM
What is the difference between these ACLs?
access-list 100 permit ip 192.168.1.10 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 deny ip 192.168.1.10 0.0.0.0 192.168.3.0 0.0.0.0
08-30-2016 03:42 AM
Suppose I have 100 hosts on VLAN 20 and we want only three hosts to reach VLAN 30. How should we configure the ACL?