How to permit only one or selected hosts to communicate with another VLAN?

jordan-jj
Level 1

I have VLAN 10 and VLAN 20.

VLAN 20 is the cameras and VLAN 10 has around 50 users, but we want only selected hosts (three) to communicate with VLAN 20.

How do I do it with inter-VLAN routing?

Thank you

Accepted Solution

Hello dmuinoorallo! I hope you can correct me if I have a mistake.

I think with your extended ACL, if I use host IP 1.1.1.4 it can go to network 10.1.1.1/24, because IP 1.1.1.4 matches:

access-list 101 permit ip any any

We need to insert a line before the above line:

access-list 101 deny ip 1.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255

We can write the extended ACL with more optimization if the topology is "vlan10 - SWL3 - vlan20" and you apply it to interface vlan 10, direction in:

SWL3(config)#access-list 101 permit ip 1.1.1.1 0.0.0.2 10.1.1.0 0.0.0.255
SWL3(config)#access-list 101 permit ip host 1.1.1.2 10.1.1.0 0.0.0.255

If you put the extended ACL in direction out on interface vlan 20, we configure:

SWL3(config)#access-list 101 permit ip 1.1.1.1 0.0.0.2 10.1.1.0 0.0.0.255
SWL3(config)#access-list 101 permit ip host 1.1.1.2 10.1.1.0 0.0.0.255
SWL3(config)#access-list 101 deny ip 1.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
SWL3(config)#access-list 101 permit ip any any

Finally we apply access-list 101 on the interface. Because we are using an extended ACL I put it near the source. I configure:

SWL3(config)#interface vlan 10
SWL3(config-if)#ip access-group 101 in


15 Replies

dmuinoorallo
Level 1

You could use an extended ACL or a VACL.

Check these examples:

Host1 1.1.1.1
Host2 1.1.1.2
Host3 1.1.1.3
Vlan20 10.1.1.1/24

-VACL-

ip access-list extended test1
 permit ip 1.1.1.1 0.0.0.0 any
 permit ip 1.1.1.2 0.0.0.0 any
 permit ip 1.1.1.3 0.0.0.0 any
vlan access-map example 10
 match ip address test1
 action forward
vlan access-map example 20
 action drop
vlan filter example vlan-list 20

-ACL EXTENDED-

access-list 101 permit ip 1.1.1.1 0.0.0.0 10.1.1.0 0.0.0.255
access-list 101 permit ip 1.1.1.2 0.0.0.0 10.1.1.0 0.0.0.255
access-list 101 permit ip 1.1.1.3 0.0.0.0 10.1.1.0 0.0.0.255
access-list 101 permit ip any any

Suppose I have 100 hosts on VLAN 20 and we want only three hosts to reach VLAN 30. How should we configure the ACL?

On VLAN 30 configure an ACL that allows the selected hosts to communicate, like:

access-list 101 permit ip host <host1 IP> any
access-list 101 permit ip host <host2 IP> any
access-list 101 permit ip host <host3 IP> any
!
interface vlan 30
 ip access-group 101 out
!

I have 50 hosts to deny and only one host to permit to VLAN 30 from VLAN 20.

As of the above configuration I need to create 50 ACL permit entries and bind them to interfaces. Do you have any other ideas?

Create an object-group based ACL:

object-group network Allow_host
host x.x.x.x

object-group network Blocked_host
host y.y.y.y

ip access-list extended Test-ACL
permit ip object-group Allow_host any
deny ip object-group Blocked_host any
permit ip any any

I have only 3560 and 2960 switches in my network. Can I configure an object-group access list there?

Object groups are officially supported on 12.15 router IOS. They are not supported on switch platforms. It should tell you on the Cisco Feature Navigator tool.

You can use my last reply for your issue.

Yes, it's a great solution; I didn't know about object-group.

It is a smarter thing :)

Noooo,

One thing: you need to permit only one host and deny the rest.

You can use this:

SWL3(config)#access-list 101 permit ip host 1.1.1.2 10.1.1.0 0.0.0.255
SWL3(config)#access-list 101 deny ip any any
SWL3(config)#interface vlan 20
SWL3(config-if)#ip access-group 101 out

If you need to change it for different networks you can play with the wildcard mask:

access-list 101 permit ip <net source> <wildcard net source> <net destination> <wildcard net destination>

What's the difference between using a wildcard mask like 0.0.0.255 and 0.0.0.0?

1) Suppose I want to permit one host to another network. What wildcard mask do I use?

2) Also, if I want to deny all hosts from reaching another host, what wildcard mask should I use for both?

There are different ways to put a host in an ACL:

1- You put host and you don't need to write a wildcard.

2- You put a wildcard; the wildcard is exactly the opposite of the mask.

For example, mask /24 is wildcard 0.0.0.255.

The mask for a host, /32, is wildcard 0.0.0.0.

If you want more info:

https://en.wikipedia.org/wiki/Wildcard_mask

If you want to deny all packets from all hosts to another host, it's very simple:

SWL3(config)#access-list 101 permit ip <source ip/network> <source wildcard> <destination ip/network> <destination wildcard>

More info: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-xe-3s-book/sec-create-ip-apply.html#GUID-B7A956F6-E776-4839-8C73-7C2ADDA55242 I hope these links help you in your configuration.

What is the difference between these ACLs?

access-list 100 permit ip 192.168.1.10 0.0.0.255 192.168.3.0 0.0.0.255

access-list 100 deny ip 192.168.1.10 0.0.0.0 192.168.3.0 0.0.0.0
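To make the reasoning in this thread checkable offline, here is an added Python model of IOS first-match ACL evaluation. It is example code written for this page, not code from the thread, from Cisco, or from any poster. It transcribes dmuinoorallo's original extended ACL and the accepted solution's corrected version and shows: that 1.1.1.4 is permitted by the original because it falls through to `permit ip any any`; that the added `deny` line closes that gap; that `1.1.1.1 0.0.0.2` matches exactly 1.1.1.1 and 1.1.1.3; how many addresses a wildcard of 0.0.0.0 versus 0.0.0.255 covers (the wildcard question); that `192.168.1.10 0.0.0.255` is effectively all of 192.168.1.0/24 while `192.168.3.0 0.0.0.0` pins a single address (the last question); and that the shorter two-line `in` variant drops every other flow from VLAN 10 through the implicit deny. The function names and the test addresses (10.1.1.50, 10.2.2.2, 192.168.1.200, 192.168.3.7) are assumptions of the example.

```python
"""Toy first-match evaluator for Cisco IOS numbered extended IP ACLs.

Added example, not code from the thread or from Cisco. It models only what the
thread uses: `access-list N permit|deny ip <src> <dst>`, each operand being
`any`, `host A.B.C.D` or `A.B.C.D WILDCARD`, checked top-down with the implicit
`deny ip any any` that ends every IOS ACL. ACL texts are transcribed from the
thread; the probe addresses (10.1.1.50, 10.2.2.2, ...) are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

Operand = Tuple[int, int]             # (address, wildcard) as 32-bit ints
Entry = Tuple[str, Operand, Operand]  # (action, source, destination)

def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def parse_operand(tokens: List[str], i: int) -> Tuple[Operand, int]:
    """Parse one source/destination operand starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":                   # same as 0.0.0.0 255.255.255.255
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":                  # same as A.B.C.D 0.0.0.0
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tok), _ip(tokens[i + 1])), i + 2   # explicit wildcard

def parse_acl(text: str) -> List[Entry]:
    """Parse pasted config lines; a leading 'SWL3(config)#' prompt is tolerated."""
    entries: List[Entry] = []
    for raw in text.strip().splitlines():
        tokens = re.sub(r"^\S*#", "", raw.strip()).split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue                   # not an entry this toy models
        src, i = parse_operand(tokens, 4)
        dst, _ = parse_operand(tokens, i)
        entries.append((tokens[2], src, dst))
    return entries

def matches(ip: int, operand: Operand) -> bool:
    """Wildcard 1-bits are don't-care; only the 0-bit positions are compared."""
    addr, wildcard = operand
    care = ~wildcard & 0xFFFFFFFF
    return (ip & care) == (addr & care)

def evaluate(acl: List[Entry], src: str, dst: str) -> str:
    """First matching entry wins; no match falls into the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for action, so, do in acl:
        if matches(s, so) and matches(d, do):
            return action
    return "deny"

def hosts_covered(wildcard: str) -> int:
    """Number of addresses an operand with this wildcard can match."""
    return 2 ** bin(_ip(wildcard)).count("1")

# dmuinoorallo's first extended ACL: three hosts, then everything else
ORIGINAL = """
access-list 101 permit ip 1.1.1.1 0.0.0.0 10.1.1.0 0.0.0.255
access-list 101 permit ip 1.1.1.2 0.0.0.0 10.1.1.0 0.0.0.255
access-list 101 permit ip 1.1.1.3 0.0.0.0 10.1.1.0 0.0.0.255
access-list 101 permit ip any any
"""

# accepted solution, 'out' on vlan 20: deny the rest of 1.1.1.0/24 first
CORRECTED = """
SWL3(config)#access-list 101 permit ip 1.1.1.1 0.0.0.2 10.1.1.0 0.0.0.255
SWL3(config)#access-list 101 permit ip host 1.1.1.2 10.1.1.0 0.0.0.255
SWL3(config)#access-list 101 deny ip 1.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
SWL3(config)#access-list 101 permit ip any any
"""

# accepted solution, 'in' on vlan 10: only the two permit lines
SHORT_IN = "\n".join(CORRECTED.strip().splitlines()[:2])

def demo() -> Dict[str, object]:
    """Results that mirror the points argued in the thread."""
    orig, fixed, short = parse_acl(ORIGINAL), parse_acl(CORRECTED), parse_acl(SHORT_IN)
    return {
        "orig_host4": evaluate(orig, "1.1.1.4", "10.1.1.50"),       # permit: the gap
        "fixed_host4": evaluate(fixed, "1.1.1.4", "10.1.1.50"),     # deny
        "fixed_host3": evaluate(fixed, "1.1.1.3", "10.1.1.50"),     # permit via 0.0.0.2
        "fixed_host2": evaluate(fixed, "1.1.1.2", "10.1.1.50"),     # permit via host
        "fixed_elsewhere": evaluate(fixed, "1.1.1.4", "10.2.2.2"),  # permit any any
        "short_elsewhere": evaluate(short, "1.1.1.4", "10.2.2.2"),  # implicit deny
        "span_host": hosts_covered("0.0.0.0"),    # 1 address
        "span_24": hosts_covered("0.0.0.255"),    # 256 addresses
        # last question: 0.0.0.255 ignores the fourth octet, so ".10" is
        # effectively 192.168.1.0/24; 0.0.0.0 matches exactly 192.168.3.0
        "q_octet_ignored": matches(_ip("192.168.1.200"), (_ip("192.168.1.10"), 255)),
        "q_exact_host": matches(_ip("192.168.3.7"), (_ip("192.168.3.0"), 0)),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a script to see each verdict; `matches()` is where the wildcard semantics live, and `evaluate()` is the top-down walk with the trailing implicit deny, which is why the two-line `in` version needs no explicit `deny` but also lets nothing else out of VLAN 10.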
