Limit the access on L2 level.

ehsan
Level 1

It is a Packet Tracer lab in which I have a building with a basement, a ground floor, a 1st floor and a 2nd floor.

I have 5 VLANs in this lab. I configured all trunks between the switches and applied inter-VLAN routing using an L3 switch. All is going well and all connectivity is working. Now I want to add access limitations so that only the basement, where the IT department is working and all PCs are in VLAN 10, can access all the other VLANs on the upper floors, but from the upper VLANs no one can ping each other, nor the basement PCs that are in VLAN 10. I can't understand how to do this. Please give me any idea how to do this...? Thanks in advance.... [attachment: PT.jpg]

1 Accepted Solution

(The reply by Julio E. Moisa below.)

4 Replies

Julio E. Moisa
VIP Alumni

Hi

In real environments you could configure ACLs, VACLs and firewalls. Now, PT has some limitations, so I think you could use ACLs only under the SVI of each VLAN on the Layer 3 device. You could try, for example:

For VLAN 50:

ip access-list extended IN-VLAN50
 remark from VLAN 50 hosts (assumed 192.168.1.128/27): ICMP only towards VLAN 10 (assumed 192.168.1.0/27)
 permit icmp 192.168.1.128 0.0.0.31 192.168.1.0 0.0.0.31
 deny icmp any any
 permit ip any any

ip access-list extended OUT-VLAN50
 remark towards VLAN 50 hosts: ICMP only when it comes from VLAN 10
 permit icmp 192.168.1.0 0.0.0.31 192.168.1.128 0.0.0.31
 deny icmp any any
 permit ip any any

interface Vlan50
 ip access-group IN-VLAN50 in
 ip access-group OUT-VLAN50 out

 

:-)




>> Mark as helpful or as answered if the reply resolved your question; this helps other community members with future queries. <<
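The same SVI-ACL approach carried through for all five VLANs, as an added example that is not part of the original thread or of Julio's answer. It goes a step beyond the answer above in two ways: it uses only inbound ACLs on the four non-IT SVIs (an ACL applied "in" on an SVI matches traffic coming from that VLAN's hosts, so an echo request from VLAN 20 to VLAN 30, or to VLAN 10, is dropped before it is routed, and the IT VLAN's SVI needs no ACL at all), and it permits only echo-reply back towards VLAN 10, so the upper VLANs can answer pings from IT but cannot initiate them. All addressing is assumed: only the two /27s from Julio's answer appear in the thread and are taken here as VLAN 10 = 192.168.1.0/27 and VLAN 50 = 192.168.1.128/27; the VLAN 20/30/40 subnets, the gateway addresses and the ACL names are made up for the example.

```cisco
! Added example, not from the original thread. Assumed addressing:
!   VLAN 10 (IT, basement)  192.168.1.0/27    gateway 192.168.1.1
!   VLAN 20                 192.168.1.32/27   gateway 192.168.1.33   (made up)
!   VLAN 30                 192.168.1.64/27   gateway 192.168.1.65   (made up)
!   VLAN 40                 192.168.1.96/27   gateway 192.168.1.97   (made up)
!   VLAN 50                 192.168.1.128/27  gateway 192.168.1.129
!
! Policy: VLAN 10 may ping everything. Every other VLAN may ping only its
! own gateway and may send echo-reply to VLAN 10; all other ICMP it
! originates is dropped at its own SVI. Non-ICMP traffic is left alone,
! exactly as in Julio's answer.
ip routing
!
ip access-list extended FROM-VLAN20
 remark troubleshooting: hosts may still ping their own gateway
 permit icmp 192.168.1.32 0.0.0.31 host 192.168.1.33
 remark answer pings that came from the IT VLAN, nothing else
 permit icmp 192.168.1.32 0.0.0.31 192.168.1.0 0.0.0.31 echo-reply
 remark echo requests to any other VLAN, VLAN 10 included, die here
 deny icmp any any
 remark this lab restricts ping only; everything else still flows
 permit ip any any
!
ip access-list extended FROM-VLAN30
 permit icmp 192.168.1.64 0.0.0.31 host 192.168.1.65
 permit icmp 192.168.1.64 0.0.0.31 192.168.1.0 0.0.0.31 echo-reply
 deny icmp any any
 permit ip any any
!
ip access-list extended FROM-VLAN40
 permit icmp 192.168.1.96 0.0.0.31 host 192.168.1.97
 permit icmp 192.168.1.96 0.0.0.31 192.168.1.0 0.0.0.31 echo-reply
 deny icmp any any
 permit ip any any
!
ip access-list extended FROM-VLAN50
 permit icmp 192.168.1.128 0.0.0.31 host 192.168.1.129
 permit icmp 192.168.1.128 0.0.0.31 192.168.1.0 0.0.0.31 echo-reply
 deny icmp any any
 permit ip any any
!
! The IT VLAN's SVI carries no ACL: its pings go out unfiltered and the
! replies are admitted by the echo-reply lines above.
interface Vlan10
 ip address 192.168.1.1 255.255.255.224
!
interface Vlan20
 ip address 192.168.1.33 255.255.255.224
 ip access-group FROM-VLAN20 in
!
interface Vlan30
 ip address 192.168.1.65 255.255.255.224
 ip access-group FROM-VLAN30 in
!
interface Vlan40
 ip address 192.168.1.97 255.255.255.224
 ip access-group FROM-VLAN40 in
!
interface Vlan50
 ip address 192.168.1.129 255.255.255.224
 ip access-group FROM-VLAN50 in
end
!
! Check from privileged EXEC: the "deny icmp" counter of FROM-VLAN50 climbs
! when a VLAN 50 PC pings a VLAN 10 or VLAN 20 host, the echo-reply counter
! climbs when a VLAN 10 PC pings a VLAN 50 host.
show access-lists
show ip interface Vlan50 | include access list
```

Two caveats a practitioner would want. First, an SVI ACL only sees routed traffic: two PCs in the same VLAN never cross the SVI and can still ping each other, and restricting that needs a VACL or port ACL, which Julio notes PT does not offer. Second, the trailing `permit ip any any` means only ICMP is restricted; dropping it would also block VLAN 10's TCP and UDP sessions unless return-traffic rules (for example `permit tcp ... established`) are added, which is outside what this lab asks for. If your PT image rejects `echo-reply` or `remark` on a named ACL, fall back to a plain `permit icmp` line as in Julio's answer, accepting that the upper VLANs can then also ping VLAN 10.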

Thanks a lot Julio Moisa, it works for me.... :-)

Hi

I am glad to know it worked, have a great day!

:-)




>> Mark as helpful or as answered if the reply resolved your question; this helps other community members with future queries. <<

ranilf2005
Level 1

Recommended: apply the ACL on the ingress (inbound) side of the SVI interface locally.

Hope this URL will assist you:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_vlanacls.pdf

Ranil Fernando