Router on a stick - One way access to VLAN

wetfish
Level 1

Hi,

I am new to ACLs as I am still sitting for the CCNA course.
I created a router on a stick with 2 VLANs.

VLAN_A: 192.168.1.0/24

VLAN_B: 192.168.2.0/24

I would like to create an access list where VLAN_A is NOT allowed any access to anything on VLAN_B.

However, I want VLAN_B to have FULL access to VLAN_A.

 

Is this scenario possible with ACLs please? If so, can someone please give me some hints to try out on Packet Tracer?

Thanks a lot in advance


Joseph W. Doherty
Hall of Fame
Perhaps what would come closest to your ACL requirement would be using a reflexive ACL in conjunction with an established TCP ACE. Don't know if Packet Tracer supports them.

Even better than an ACL, for your requirement goal, would be the firewall feature set.

Deepak Kumar
VIP Alumni

Hi,

ACL configuration as below:

ip access-list extended VLAN-B-Block
 10 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 20 permit ip any any
!
ip access-list extended VLAN-A-Block
 10 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 20 permit ip any any

 

Apply the ACLs under the VLAN interfaces in the outbound direction.

 

interface VLAN_A
 ip access-group VLAN-B-Block out
!
interface VLAN_B
 ip access-group VLAN-A-Block out

 

 

Regards,

Deepak Kumar

Kumar, I may be misreading what you've posted, but aren't these ACLs blocking all traffic between VLANs A and B?

I agree with Joseph that the suggestion from Kumar will block all traffic and therefore does not satisfy the requirement in the original post that VLAN B have full access to VLAN A. I also agree with Joseph that allowing VLAN A to generate responses to packets received from VLAN B while denying VLAN A to initiate packets to VLAN B is difficult and cannot be fully achieved using just ACLs. Reflexive ACLs or other firewall features are required to achieve this.

HTH

Rick
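For readers who want to see what the reflexive ACL Rick and Joseph refer to actually looks like, here is an added example configuration; it is not from any post in this thread and, as wetfish notes later, Packet Tracer does not support it, so it is meant for real IOS or a full emulator. The subinterface names GigabitEthernet0/0.10 (VLAN_A, gateway 192.168.1.1) and GigabitEthernet0/0.20 (VLAN_B, gateway 192.168.2.1), the VLAN IDs and the ACL names are assumptions; only the two /24 prefixes come from the original post.

```ios
! Added example (not from the thread): reflexive ACL so that VLAN_B can open
! sessions to VLAN_A, while VLAN_A can only answer those sessions.
! Assumed: Gi0/0.10 = VLAN_A (192.168.1.1/24), Gi0/0.20 = VLAN_B (192.168.2.1/24).
!
! Idle timeout (seconds) for the temporary entries the router creates per session.
ip reflexive-list timeout 120
!
! Traffic the router sends out toward VLAN_A, i.e. traffic coming from VLAN_B.
! Every permitted B -> A flow creates a mirrored temporary entry in B_SESSIONS
! (addresses swapped, and for TCP/UDP the ports swapped as well).
ip access-list extended TO_VLAN_A
 permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 reflect B_SESSIONS
 permit udp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 reflect B_SESSIONS
 permit icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 reflect B_SESSIONS
 permit ip any any
!
! Traffic the router receives from VLAN_A.
! "evaluate" matches only the return half of sessions VLAN_B started;
! anything else from A to B is dropped, and other destinations stay reachable.
ip access-list extended FROM_VLAN_A
 evaluate B_SESSIONS
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip any any
!
! Both lists live on the VLAN_A subinterface, one per direction, so the
! reflected entries are created and consumed at the same place.
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.0
 ip access-group TO_VLAN_A out
 ip access-group FROM_VLAN_A in
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.2.1 255.255.255.0
```

To check it, open a session from a VLAN_B host to a VLAN_A host and run `show ip access-lists`: the B_SESSIONS list should show a temporary entry with the addresses and ports reversed, and it disappears after the timeout (or, for TCP, shortly after the session closes). An attempt from a VLAN_A host to reach VLAN_B should increment the hit counter on the `deny` line of FROM_VLAN_A instead. Reflexive ACLs track address and port pairs only, so protocols that open extra connections on negotiated ports (active FTP, for example) will not work through this; that is the point at which the firewall feature set Joseph mentions becomes the better tool.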

Thanks a lot for your fast replies. As you stated, reflexive ACLs are the solution. Unfortunately, Packet Tracer does not support reflexive ACLs, but I saw a YouTube video on what you explained and I understood my scenario.

Thanks a lot

You might also check if Packet Tracer supports an established TCP ACE. If it does, that would meet your goal at least for TCP-based traffic.
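As an added example (not posted by anyone in the thread), this is what the established-ACE fallback looks like on the same assumed topology, with the VLAN_A subinterface name and the ACL name being my own choices. Unlike the reflexive ACL it keeps no session state: the `established` keyword simply matches TCP segments with the ACK or RST bit set, which is why it only covers TCP and why Joseph calls it the closest approximation rather than a full solution.

```ios
! Added example (not from the thread): stateless "established" workaround
! for platforms without reflexive ACLs. Assumed: Gi0/0.10 = VLAN_A.
ip access-list extended FROM_VLAN_A_STATELESS
 remark TCP segments carrying ACK or RST: replies to sessions VLAN_B opened
 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 established
 remark Let pings from VLAN_B to VLAN_A be answered
 permit icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 echo-reply
 remark Everything else from A to B (new TCP SYNs, UDP, other ICMP) is dropped
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 log
 permit ip any any
!
interface GigabitEthernet0/0.10
 ip access-group FROM_VLAN_A_STATELESS in
```

The `echo-reply` line is what makes a ping test from VLAN_B to VLAN_A succeed in the lab; without it, the deny line drops the replies and the test looks like a routing problem. Because the filter only inspects flag bits, it cannot tell a genuine reply from any other ACK-flagged segment, and UDP services on VLAN_B can never be answered from VLAN_A, so treat it as a lab exercise in ACL ordering rather than as a security boundary.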

I am glad that our suggestions have been helpful. Thank you for marking this question as solved. This will help other readers in the forum to identify discussions that have helpful information. These forums are excellent places to ask questions and to learn about networking. I hope to see you continue to be active in the forum.

HTH

Rick

Hi,

This was my bad that I didn't get his comments fully.

 

Regards,

Deepak Kumar

We all do this from time to time where we get part of what is being asked but miss a part of what is being asked. One of the advantages of these forums is that with multiple people participating the missing part is usually identified and answered. You have been a good participant in the forums and I look forward to your continuing participation.

HTH

Rick

Ditto to what Rick says.

@Joseph W. Doherty  @Richard Burts 

Thank you for giving me the courage

Regards,

Deepak Kumar