I cannot configure an extended ACL on my Layer 3 switch for a VLAN

jordan-jj
Level 1

I have the following ACL bound to VLAN interface 10:

access-list 100 permit tcp host 192.168.1.11 host 192.168.2.1

access-list 100 deny ip any any

But the above configuration blocks everything from VLAN 10 to VLAN 20.

I want to allow only one host to communicate with VLAN 20. How do I do it?

6 Replies

Hi,

You may be able to achieve this in a few ways. With the little information I see in your post, you may be able to do something like the following:

access-list 100 permit ip host 192.168.1.11 any
access-list 100 deny ip vlan10-network vlan10-mask vlan20-network vlan20-mask
access-list 100 permit ip any any

Apply the ACL inbound on VLAN 10.

That way your host 192.168.1.11 in VLAN 10 can access VLAN 20 and other networks; the other hosts in VLAN 10 cannot access VLAN 20 but can reach everything else. Is that what you wanted?

 

Cheers,

Prabath

**Please rate all useful posts**


Yes, I want to allow only IP .11 from VLAN 10 to communicate with VLAN 20.

Also, the other members of VLAN 10 should communicate with each other and with VLAN 30.

I tried your steps as follows:

Switch(config)#access-list 100 permit ip host 192.168.1.11 any

Switch(config)#access-list 100 deny ip 192.168.1.1 255.255.255.0 192.168.2.1 255.255.255.0

Switch(config)#access-list 100 permit ip any any

Switch(config)#interface vlan 10

Switch(config-if)#ip access-group 10 in

The above is not restricting the other hosts from communicating with VLAN 10.

Your ACL is not in the correct format. Try this (the deny needs a wildcard mask, 0.0.0.255 for a /24, not a subnet mask):

Switch(config)#access-list 100 permit ip host 192.168.1.11 any

Switch(config)#access-list 100 deny ip any 192.168.2.0 0.0.0.255

Switch(config)#access-list 100 permit ip any any

I am trying this in Packet Tracer, by the way.

I have applied the above commands to interface VLAN 10 inbound, but it still allows all the hosts from VLAN 10 to communicate.

Hello

Example: allows only one host from VLAN 10 into VLAN 20 and denies all other traffic from VLAN 10.

Edited-

Assumption: VLAN 10 is 192.168.1.0/24

access-list 100 permit ip host 192.168.1.11 any
access-list 100 deny ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip any any

int vlan 20
ip access-group 100 out

res
Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul

access-list 100 deny ip x.x.x.x y.y.y.y (VLAN 10 range) any

How do I write the VLAN 10 range? My VLAN 10 is 192.168.1.1-192.168.1.255.
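The point the thread turns on is that Cisco numbered ACLs take a wildcard mask (a 1 bit means "don't care"), so a /24 is written `192.168.1.0 0.0.0.255`, not `255.255.255.0`. The following is an added example, not from any post in this thread: a small Python model of first-match ACL evaluation with wildcard semantics, run over the working ACL and over the subnet-mask attempt so you can see why the latter never matches the other VLAN 10 hosts. Addresses such as 192.168.1.20 and 192.168.2.5 are constructed sample hosts.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco ACL semantics: a wildcard bit set to 1 means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def _parse_addr(tokens):
    # 'any' matches everything, 'host X' matches exactly X, else 'base wildcard'
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse ACEs of the form: access-list N <permit|deny> <proto> <src> <dst>."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto = tok[2], tok[3]
        src, rest = _parse_addr(tok[4:])
        dst, _ = _parse_addr(rest)
        entries.append((action, proto, src, dst))
    return entries

def acl_action(entries, src, dst, proto="ip"):
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    for action, p, (sb, sw), (db, dw) in entries:
        if p in ("ip", proto) and wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# Constructed from the thread: the working ACL (0.0.0.255 covers the whole /24)
WORKING_ACL = """
access-list 100 permit ip host 192.168.1.11 any
access-list 100 deny ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip any any
"""
# The attempt that used a subnet mask where IOS expects a wildcard mask
SUBNET_MASK_ACL = """
access-list 100 permit ip host 192.168.1.11 any
access-list 100 deny ip 192.168.1.1 255.255.255.0 192.168.2.1 255.255.255.0
access-list 100 permit ip any any
"""

if __name__ == "__main__":
    for name, acl in (("working", WORKING_ACL), ("subnet-mask", SUBNET_MASK_ACL)):
        e = parse_acl(acl)
        print(name, acl_action(e, "192.168.1.11", "192.168.2.5"),
              acl_action(e, "192.168.1.20", "192.168.2.5"))
```

With the subnet-mask version, `255.255.255.0` tells IOS to ignore the first three octets and match only a last octet of 1, so host .20 falls through to `permit ip any any`; with the wildcard version it is denied as intended.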
