08-17-2017 03:37 PM - edited 03-08-2019 11:47 AM
Hi,
I wonder how I can prevent pings between each subnet so they cannot see each other. I know it might be done with an ACL; does anyone have any idea?
I have the following 2 interface vlans
Interface Vlan10
description SUBNET 1
ip address 10.13.136.2 255.255.252.0
no shut
end
Interface Vlan20
description SUBNET 1
ip address 10.13.136.2 255.255.252.0
no shut
end
But I can ping from any IP in one subnet to any IP in the other subnet. How can I block ICMP only, and just between those specific networks, so they cannot see each other?
Thanks
08-21-2017 05:23 PM - edited 08-21-2017 05:25 PM
Hi
As other members have mentioned, you can use an ACL:
If you are going to filter the traffic originating from an SVI, your ACL should be applied in the IN direction; you can filter ICMP echo/echo-reply.
:-)
08-17-2017 06:28 PM
I would like to bring it to your attention that you are using the same subnet for both VLANs. The next valid network address for this subnet would be 10.13.140.0 255.255.252.0.
This is how you can block all traffic from one subnet to another:
! wildcard mask for a /22 (255.255.252.0) is 0.0.3.255, not 0.0.3.0
access-list 101 deny ip 10.13.136.0 0.0.3.255 10.13.140.0 0.0.3.255
! The permit below is optional: include it if you want to permit traffic to and from other networks
! (without it the implicit deny at the end of the ACL drops everything else)
access-list 101 permit ip any any
Applying access-list to SVI:
int vlan 10
ip access-group 101 in
08-17-2017 06:41 PM
I have read your question again and it looks like you have intentionally created duplicate subnets on the same switch and now want to prevent them from seeing each other. Why would you do that or is this a college assignment?
You shouldn't be able to assign a duplicate address to physical or logical interfaces of the same device or network address.
08-17-2017 08:02 PM
Hi,
Thanks, yes, it was a typo; there should be no duplicate address. They are two completely different subnets, so just ignore the subnet addresses and pretend that they are different.
thanks for your reply
08-21-2017 03:30 PM
Hello
You are correct, a routed ACL would be applicable between the two SVIs to deny ICMP only.
example:
ip access-list extended No_Vl20
 ! applied OUT on Vlan10: drops ICMP sourced from the Vlan20 subnet before it reaches Vlan10 hosts
 deny icmp 10.13.137.0 0.0.0.255 any
 permit ip any any
int vlan 10
 ip access-group No_Vl20 out
ip access-list extended No_Vl10
 ! applied OUT on Vlan20: drops ICMP sourced from the Vlan10 subnet before it reaches Vlan20 hosts
 deny icmp 10.13.136.0 0.0.0.255 any
 permit ip any any
int vlan 20
 ip access-group No_Vl10 out
Regards,
Paul
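As an added example (not part of any post in this thread), here is a small Python model of how IOS evaluates the ACLs proposed above, so the two answers can be checked offline without a switch. It implements wildcard-mask matching, first-match order, the implicit deny at the end of every ACL, and the in/out direction of an access-group on an SVI. The subnets, hosts and packets in it are constructed for illustration; the /24s mirror Paul's example and the /22s mirror the block-everything answer, and the `forward()` function is a simplification that assumes every packet is routed from the SVI holding its source to the SVI holding its destination.

```python
"""Added example, not code from the thread: a small evaluator for Cisco IOS
style ACLs so the two answers above can be checked offline. It models wildcard
mask matching, first-match order, the implicit deny at the end of every ACL and
the in/out direction of an access-group on an SVI. Every subnet, host and
packet below is constructed for illustration."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

Packet = namedtuple("Packet", "proto src dst")                 # proto: "icmp", "tcp" or "udp"
Ace = namedtuple("Ace", "action proto src src_wc dst dst_wc")  # proto "ip" matches everything

@dataclass
class Svi:
    name: str
    subnet: ipaddress.IPv4Network
    acl_in: list = field(default_factory=list)   # empty list = no ACL applied
    acl_out: list = field(default_factory=list)

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard: a 0 bit must match, a 1 bit is don't-care, i.e. the
    inverse of the subnet mask (a /22 is 0.0.3.255, not 0.0.3.0)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def _addr(tok, i):
    """Parse 'any', 'host X' or 'X WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2

def parse_acl(text: str) -> list:
    """Accepts numbered lines ('access-list 101 deny ip ...') and named-ACL
    body lines ('deny icmp ...'); skips '!' comments, remarks and headers."""
    aces = []
    for line in text.splitlines():
        tok = [t.lower() for t in line.split()]
        if tok[:1] == ["access-list"]:
            tok = tok[2:]  # drop 'access-list <number>'
        if not tok or tok[0].startswith("!") or tok[0] == "remark" or tok[:2] == ["ip", "access-list"]:
            continue
        if tok[0] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACL line: {line!r}")
        src, src_wc, i = _addr(tok, 2)
        dst, dst_wc, _ = _addr(tok, i)
        aces.append(Ace(tok[0], tok[1], src, src_wc, dst, dst_wc))
    return aces

def evaluate(aces: list, pkt: Packet) -> str:
    """First matching entry wins; no match at all is the implicit deny."""
    for ace in aces:
        if (ace.proto in ("ip", pkt.proto)
                and wildcard_match(pkt.src, ace.src, ace.src_wc)
                and wildcard_match(pkt.dst, ace.dst, ace.dst_wc)):
            return ace.action
    return "deny"

def forward(svis: list, pkt: Packet) -> str:
    """Simplified routed path between SVIs: ingress is the SVI whose subnet holds
    the source, egress the one holding the destination. The ingress 'in' ACL is
    checked first, then the egress 'out' ACL; an SVI with no ACL passes everything."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    ingress = next(s for s in svis if src in s.subnet)
    egress = next(s for s in svis if dst in s.subnet)
    if ingress.acl_in and evaluate(ingress.acl_in, pkt) == "deny":
        return "deny"
    if egress.acl_out and evaluate(egress.acl_out, pkt) == "deny":
        return "deny"
    return "permit"

# Paul's ICMP-only answer: an outbound ACL on each SVI, two constructed /24s.
NO_VL20 = "deny icmp 10.13.137.0 0.0.0.255 any\npermit ip any any"
NO_VL10 = "deny icmp 10.13.136.0 0.0.0.255 any\npermit ip any any"

def icmp_only_switch() -> list:
    return [Svi("Vlan10", ipaddress.IPv4Network("10.13.136.0/24"), acl_out=parse_acl(NO_VL20)),
            Svi("Vlan20", ipaddress.IPv4Network("10.13.137.0/24"), acl_out=parse_acl(NO_VL10))]

def wildcard_typo_demo() -> dict:
    """The block-everything answer (inbound on Vlan10) with its /22 wildcard written
    both ways. With 0.0.3.0 the deny only matches hosts whose last octet is 0, so a
    ping from .10 to .20 falls through to 'permit ip any any'."""
    ping = Packet("icmp", "10.13.136.10", "10.13.140.20")
    results = {}
    for wc in ("0.0.3.0", "0.0.3.255"):
        acl = parse_acl(f"access-list 101 deny ip 10.13.136.0 {wc} 10.13.140.0 {wc}\n"
                        "access-list 101 permit ip any any")
        sw = [Svi("Vlan10", ipaddress.IPv4Network("10.13.136.0/22"), acl_in=acl),
              Svi("Vlan20", ipaddress.IPv4Network("10.13.140.0/22"))]
        results[wc] = forward(sw, ping)
    return results

if __name__ == "__main__":
    print(forward(icmp_only_switch(), Packet("icmp", "10.13.136.5", "10.13.137.5")), wildcard_typo_demo())
```

Two things worth noticing when running it: an ICMP packet between the two /24s is denied in both directions while TCP between them is still permitted, which is exactly the "ICMP only" behaviour asked for; and the /22 scenario shows that a miswritten wildcard (0.0.3.0 instead of 0.0.3.255) silently lets ordinary hosts through, so always sanity-check wildcard masks against the subnet mask before applying an ACL. Note also that `deny icmp ... any` drops every ICMP type, including destination-unreachable and fragmentation-needed messages; if you only want to stop hosts from seeing each other, matching `echo` and `echo-reply` as the accepted answer suggests is the narrower choice.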