01-24-2023 09:18 AM
Hi, I am learning CCNA, so I am a newbie at ACL labs, and I am facing some issue.
We have 2 VLANs on an L3 switch, configured as below.
On the L3 switch:
Vlan 10 192.168.10.254/24
Vlan 20 192.168.20.254/24
And we have 2 PCs:
Pc1 Vlan10 192.168.10.10
Pc2 vlan20 192.168.10.20
What command denies VLAN 20 from communicating with VLAN 10,
but still lets VLAN 10 communicate with VLAN 20?
Thank you
01-24-2023 09:23 AM
You can accomplish this by creating an extended access-list and applying it to the interface that connects the two VLANs. Here's an example of the commands you would use:
switch(config)# access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
switch(config)# access-list 100 permit ip any any
This access-list will deny all IP traffic from the VLAN20 network (192.168.20.0/24) to the VLAN10 network (192.168.10.0/24), but allow all other traffic.
switch(config)# interface [interface-name]
switch(config-if)# ip access-group 100 in
Replace [interface-name] with the name of the interface that connects the two VLANs (e.g. GigabitEthernet0/1).
switch# show access-list
This will deny communication between VLAN20 and VLAN10 but allow VLAN10 to communicate with VLAN20.
Please rate this and mark as solution/answer, if this resolved your issue
All the best,
AK
01-25-2023 05:30 AM - edited 01-25-2023 06:17 AM
Assuming you want two way communication, @khorram1998's ACL will block that too.
For two way, you'll need to use a reflexive ACL.
01-25-2023 09:21 AM
My earlier reply was done on my phone, now, on my PC, I'll elaborate a bit further.
OP has:
"How to command to deny vlan20 to communicate vlan10 ?
But vlan10 can communicate to vlan20."
How do you define communication? Communication can be strictly unidirectional, including on networks, but often, especially on networks, bidirectional traffic is required.
For example, with an ACL like @khorram1998 posted, VLAN 10 could send a UDP packet to VLAN 20, but VLAN 20 cannot send anything to VLAN 10. If this is your goal, what @khorram1998 posted works fine.
But for another example, VLAN 10 wants to send a file to VLAN 20 using TFTP. Although TFTP itself uses UDP packets, the TFTP application does expect its own protocol ACKs that what it sent was actually received. As the ACL @khorram1998 provided blocks all traffic from VLAN 20 to VLAN 10, TFTP wouldn't work. Similar issue for FTP and many other protocols.
It's certainly possible, in some, but perhaps not all, cases, you can add ACEs to @khorram1998's ACL allowing for specific kinds of return traffic. Assuming you can do this for the particular protocols you want to support, the ACL can expand, in ACEs, as you support every specific case. Further, the ACL would permit VLAN 20 to initiate traffic that looks like response traffic, but it might not be such traffic.
Perhaps a "better" solution is using a reflexive ACL, as I mentioned in my prior post. In brief, this would allow VLAN 10 to send traffic to VLAN 20 but only accept VLAN 20 traffic if it appears to be in response to something VLAN 10 sent to VLAN 20. VLAN 20, though, would be blocked from sending unexpected traffic to VLAN 10.
Again, much depends on how you need to "communicate".
More info, about reflexive ACLs: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/15-mt/sec-data-acl-15-mt-book/sec-cfg-ip-filter.html?dtid=osscdc000283
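To make the reflexive approach concrete, here is an added configuration example for the two-VLAN lab above (it is not from any post in this thread). It assumes the ACLs are applied on the Vlan20 SVI of the L3 switch, and the names OUTBOUND, INBOUND and VLAN10-SESSIONS are arbitrary; the principle is that return traffic is only permitted when a matching session was first opened from VLAN 10.

```cisco
! Traffic leaving the switch toward VLAN 20 (i.e. coming from VLAN 10).
! Each permitted flow is recorded in the temporary ACL VLAN10-SESSIONS.
ip access-list extended OUTBOUND
 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 reflect VLAN10-SESSIONS
 permit udp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 reflect VLAN10-SESSIONS
 permit icmp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 reflect VLAN10-SESSIONS
 permit ip any any
!
! Traffic entering the switch from VLAN 20.
! "evaluate" allows only replies to sessions VLAN 10 opened; everything
! else from VLAN 20 toward VLAN 10 is explicitly denied.
ip access-list extended INBOUND
 evaluate VLAN10-SESSIONS
 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip any any
!
interface Vlan20
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! Verification (constructed lab commands, run after a VLAN 10 host talks to VLAN 20):
! show access-lists VLAN10-SESSIONS   -> shows the dynamically created reply entries
! show ip access-lists INBOUND        -> hit counters on the deny line for unsolicited VLAN 20 traffic
```

Reflexive ACLs require named extended ACLs, and not every L3 switch platform supports them in hardware, so check your platform's documentation before relying on this in a lab or production.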