2108 Views, 25 Helpful, 9 Replies

VACL deny all traffic on same VLAN and allow to another particular VLA

bino
Level 1

Hi, I would like to get help from you guys for denying traffic within the same VLAN.

(I am using a 9300 switch; no router or firewall is connected.)

I have some VLANs: 10, 20, 30, 40

Vlan 10 172.16.103.0/16

Vlan 20 192.168.20.0/24

Vlan 30 192.16.30.0/24

Vlan 40 10.0.0.0/24

What I need is to deny all traffic between VLANs except to VLAN 40 (printer); everyone needs to be able to print. So there is no need for any blocking from the other VLANs to 40.

The above I know how to do with an ip access-list ACL.

But I need to deny traffic inside VLAN 10.

Some computers in VLAN 10 do not need to communicate with each other.

172.16.103.10-50 need to communicate with each other.

172.16.5.10-50 need to communicate with each other.

But the VLAN 10 computers need to reach the printer (VLAN 40).

Kindly help me with the access-list configuration.

I hope I explained it well.

9 Replies

Hello,

Tough one. This will take a while, and a lot of calculating. The hardest part is to figure out how far you can summarize these address ranges (in order to avoid having one entry for each single address):

172.16.103.10-50

172.16.5.10-50

Can you start with that? I'll try to figure out the rest...

Hello,

--> Above I know how to do with ip access-list ACL

Can you post the ACLs you used for this?

bino
Level 1

Hello,

I will try to explain more. The customer has already configured their network; they can't change IP addresses or subnets, and I am not going to touch their network. I am going to place a Layer 3 switch for printing purposes; all the computers need to print (the printer will be in VLAN 200). These are all separate networks with no communication in between.

Now they want to place a printer, and all computers need to print, but must not communicate with the other networks.

I created a VLAN per network and created IP access-list ACLs that deny all the traffic between VLANs and only permit traffic to the printer VLAN, and it's working.

But my challenge is that some networks fall under the same network (172.16.103.0/16), so I am unable to create another VLAN for, e.g., 172.16.5.0/24. That's why I am looking at VACLs.

E.g., here I need to create a VACL to deny traffic from 172.16.103.10 to 172.16.5.21 and vice versa.

At the same time, under 172.16.103.0/16 there are 3 computers that can communicate.

I don't have any idea why they created the network like this, but one thing I know is that behind the network many devices are connected.

Printer VLAN 200 IP 10.0.0.0/24

  1. 192.168.10.0/24 VLAN 10
  2. 172.16.103.0/16 (3 computers) VLAN 20
  3. 10.4.0.0/15 VLAN 30
  4. 172.24.70.0/16 (2 computers) VLAN 40
  5. 172.16.117.0/24 (3 computers)
  6. 172.168.1.0/24 VLAN 50
  7. 172.24.72.0/24 (3 computers)
  8. 172.16.103.0/24 (4 computers)
  9. 172.16.5.0/24 (6 computers)
  10. 10.175.115.0/24 VLAN 60
  11. 172.16.4.0/24 (3 computers)
  12. 172.16.119.0/24 (4 computers)
  13. 172.16.120.0/24 (2 computers)
  14. 10.22.90.0/16 VLAN 70
  15. 172.21.10.0/24 VLAN 80
  16. 172.16.50.0/24 (5 computers)
  17. 172.16.106.0/24 (3 computers)

I can provide the configuration which I am trying to do tomorrow.

Hello,

VACLs use the same access lists as 'normal' layer 3 networks; they are only applied in a different way. That is why I asked for the access lists you have already used. In a VACL, all you do is use the 'action forward' or 'action drop' commands. Blocking intra-VLAN traffic is going to be tedious, since you have a lot of IPs that cannot be summarized. Your original post names different ranges than your last post. What we need is a detailed list of the exact source and destination IP addresses (hosts and/or networks), and a corresponding permit/deny remark for each address pair. Can you post that? Something like:

Source 172.16.103.10 Destination 172.16.103.49 --> Allow

Source 172.16.103.3 Destination 172.16.103.49 --> Deny

bino
Level 1

Hello,

I am trying to configure it; I will post the configuration of what I am trying to do, so I hope you can help me.

bino
Level 1

Hi,

I did some simple configuration. It is not fully done yet because of my busy schedule, but it's working for me.

Now I can deny access between VLANs and allow only to VLAN 200.

My challenge is to block communication inside VLAN 80 and VLAN 70; I implemented the ACL at VLAN 80 using a VACL (VLAN access-map and VLAN filter).

Now the 172.168.103.0/16 network should stop communicating with 172.16.50.0/24.

Likewise the 172.16.106.0/24 network should stop communicating with 172.16.120.0/24.

ip routing
!
no ip domain lookup
!
!
!
login on-success log

!
vlan access-map MAPPING 10
match ip address DENY_INT
action drop
vlan access-map MAPPING 20
action forward
!
vlan filter MAPPING vlan-list 80
!
!


interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/2
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/3
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/4
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/5
switchport access vlan 30
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/6
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/7
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/8
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/9
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/10
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/11
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/12
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/13
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/14
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/15
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/16
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/17
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/18
switchport access vlan 80
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/19
switchport access vlan 80
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/20
switchport access vlan 80
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/21
switchport access vlan 80
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/22
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/23
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/24
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface AppGigabitEthernet1/0/1
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip access-group VLAN10_ACL in
!
interface Vlan20
ip address 10.4.0.1 255.254.0.0
ip access-group VLAN20_ACL in
!
interface Vlan30
ip address 172.168.1.1 255.255.255.0
ip access-group VLAN30_ACL in
!
interface Vlan40
ip address 10.175.115.1 255.255.255.0
ip access-group VLAN40_ACL in
!
interface Vlan50
ip address 10.22.90.1 255.255.0.0
ip access-group VLAN50_ACL in
!
interface Vlan60
ip address 172.21.10.1 255.255.255.0
ip access-group VLAN60 in
!
interface Vlan70
ip address 172.24.70.1 255.255.0.0
ip access-group VLAN70_ACL in
!
interface Vlan80
ip address 172.16.103.1 255.255.0.0
ip access-group RANGE_172/16_ACL in
!
interface Vlan200
ip address 10.0.0.1 255.255.255.0

!
ip access-list extended VLAN10_ACL
10 permit ip 192.168.0.0 0.0.255.255 10.0.0.0 0.0.0.255
20 deny ip any any
ip access-list extended VLAN70_ACL
10 permit ip 172.24.0.0 0.0.255.255 10.0.0.0 0.0.0.255
20 deny ip any any
ip access-list extended VLAN20_ACL
10 permit ip 10.4.0.0 0.1.255.255 10.0.0.0 0.0.0.255
20 deny ip any any
ip access-list extended DENY_INT
 remark for testing
 10 permit ip host 172.16.103.20 host 172.16.103.30
ip access-list extended VLAN30_ACL
10 permit ip 172.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
20 deny ip any any
ip access-list extended VLAN50_ACL
10 permit ip 10.22.0.0 0.0.255.255 10.0.0.0 0.0.0.255
20 deny ip any any
ip access-list extended VLAN60
10 permit ip 172.21.10.0 0.0.0.255 10.0.0.0 0.0.0.255
20 deny ip any any
ip access-list extended VLAN40_ACL
10 permit ip 10.175.115.0 0.0.0.255 10.0.0.0 0.0.0.255
20 deny ip any any
ip access-list extended RANGE_172/16_ACL
10 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.0.255
20 deny ip any any
!
!
!
end

 

You have two ACLs applied to the VLAN:
one applied to the SVI,
the other applied to the VLAN.
Can you make it one ACL applied to the VLAN, because the VLAN ACL can filter both intra- and inter-VLAN traffic?

Hello


@bino wrote:

Hi, I would like to get help from you guys for denying traffic within the same VLAN.

(I am using a 9300 switch; no router or firewall is connected.)

I have some VLANs: 10, 20, 30, 40

Vlan 10 172.16.103.0/16

Vlan 20 192.168.20.0/24

Vlan 30 192.16.30.0/24

Vlan 40 10.0.0.0/24

What I need is to deny all traffic between VLANs except to VLAN 40 (printer); everyone needs to be able to print. So there is no need for any blocking from the other VLANs to 40.

The above I know how to do with an ip access-list ACL.

! Router ACLs on the SVIs: applied outbound, so they filter what is routed INTO each VLAN
ip access-list extended vlan10
 deny ip 192.168.20.0 0.0.0.255 any
 deny ip 192.168.30.0 0.0.0.255 any
 permit ip any any

interface vlan 10
 ip access-group vlan10 out


ip access-list extended vlan20
 deny ip 172.16.0.0 0.0.255.255 any
 deny ip 192.168.30.0 0.0.0.255 any
 permit ip any any

interface vlan 20
 ip access-group vlan20 out


ip access-list extended vlan30
 deny ip 172.16.0.0 0.0.255.255 any
 deny ip 192.168.20.0 0.0.0.255 any
 permit ip any any

interface vlan 30
 ip access-group vlan30 out



@bino wrote:

But I need to deny traffic inside VLAN 10.

Some computers in VLAN 10 do not need to communicate with each other.

172.16.103.10-50 need to communicate with each other.

172.16.5.10-50 need to communicate with each other.

But the VLAN 10 computers need to reach the printer (VLAN 40).

Kindly help me with the access-list configuration.

I hope I explained it well.


Example 1: use a basic protected port if applicable.
int x/x
 description host in 172.16.103.10-50
 switchport protected

int x/x
 description host in 172.16.103.50-10
 switchport protected

Example 2: a VACL, which would become extensive to manage.

! In a VACL a 'permit' ACE means "this packet matches the clause"; the action decides what happens to it
access-list 100 permit ip host 172.16.103.10 host 172.16.103.11
access-list 100 permit ip host 172.16.103.11 host 172.16.103.10
access-list 100 permit ip host 172.16.103.10 host 172.16.103.12
access-list 100 permit ip host 172.16.103.12 host 172.16.103.10
etc.......

vlan access-map vlan10hosts 10
 match ip address 100
 action drop

vlan access-map vlan10hosts 99
 action forward
vlan filter vlan10hosts vlan-list 10


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
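The thread's two filtering layers are easy to confuse, so here is an added example (not from any participant) that models them for VLAN 80 of bino's posted config: the inbound SVI ACL, which only sees packets the switch routes between subnets, and a VACL, which sees every IP packet in the VLAN, bridged or routed, and is therefore the only place a same-subnet host pair can be blocked. The script generates the IOS lines for a "forward intra-group, drop the rest of the subnet, allow the printer and gateway" access map and evaluates sample flows against it. Host addresses, group membership and the ACL/map names (`VLAN80_ALLOW`, `VLAN80_INTRA`, `VLAN80_MAP`) are constructed for the example; the 172.16.0.0/16, 10.0.0.0/24 and 172.16.103.1 values come from the posted config.

```python
"""Model of an SVI ACL plus a VACL on one VLAN, and a generator for the IOS lines.
Example code written for this thread; groups and host addresses are constructed."""
from ipaddress import ip_address, ip_network

VLAN_ID = 80
VLAN_NET = ip_network("172.16.0.0/16")        # subnet on interface Vlan80 in the post
PRINTER_NET = ip_network("10.0.0.0/24")       # VLAN 200 in the post
GATEWAY = ip_network("172.16.103.1/32")       # Vlan80 SVI address in the post
ANY = ip_network("0.0.0.0/0")

# Groups whose members may talk to each other (assumed). A member may be a host
# or a whole subnet; a subnet member yields one net-to-net ACE instead of host pairs.
GROUPS = {
    "103": ["172.16.103.10", "172.16.103.20", "172.16.103.30", "172.16.103.40"],
    "5":   ["172.16.5.21", "172.16.5.22", "172.16.5.23"],
    "119": ["172.16.119.0/24"],
}

def allow_aces(groups):
    """ACEs the VACL forwards: intra-group pairs, the printer both ways, the gateway."""
    aces = []
    for members in groups.values():
        nets = [ip_network(m) for m in members]
        for a in nets:
            for b in nets:
                if a == b and a.prefixlen == 32:
                    continue                      # a host needs no ACE to itself
                aces.append((a, b))
    aces += [(VLAN_NET, PRINTER_NET), (PRINTER_NET, VLAN_NET), (ANY, GATEWAY), (GATEWAY, ANY)]
    return aces

ALLOW_ACL = allow_aces(GROUPS)
INTRA_ACL = [(VLAN_NET, VLAN_NET)]                # everything else inside the subnet
# (sequence, ACL to match or None, action); the last entry is an explicit catch-all.
ACCESS_MAP = [(10, ALLOW_ACL, "forward"), (20, INTRA_ACL, "drop"), (30, None, "forward")]
# bino's RANGE_172/16_ACL on interface Vlan80 "in": one permit, then implicit deny.
SVI_ACL = [("permit", VLAN_NET, PRINTER_NET)]

def acl_hit(aces, src, dst):
    return any(src in s and dst in d for s, d in aces)

def vacl_action(access_map, src, dst):
    """VACL semantics: a 'permit' ACE means the clause matches and its action applies;
    a deny (or the implicit deny) means 'not matched, try the next sequence'."""
    for _seq, acl, action in access_map:
        if acl is None or acl_hit(acl, src, dst):
            return action
    return "drop"   # assumed outcome when no sequence matches; the map above never relies on it

def svi_permits(acl, src, dst):
    """Ordinary router-ACL semantics: first match wins, implicit deny at the end."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action == "permit"
    return False

def flow_verdict(src, dst, use_vacl=True):
    """Verdict for an IP packet seen in VLAN 80: 'forward', 'drop:vacl' or 'drop:svi-acl'."""
    src, dst = ip_address(src), ip_address(dst)
    if use_vacl and vacl_action(ACCESS_MAP, src, dst) == "drop":
        return "drop:vacl"
    if src in VLAN_NET and dst in VLAN_NET:
        return "forward"              # bridged inside the VLAN; the SVI ACL is never consulted
    if src in VLAN_NET:               # routed out of the VLAN: the inbound SVI ACL applies
        return "forward" if svi_permits(SVI_ACL, src, dst) else "drop:svi-acl"
    return "forward"                  # routed into VLAN 80; only the VACL filtered it here

def ios_text(net):
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"   # IOS wildcard mask

def ios_config():
    """Render the ACLs, the access map and the vlan filter as IOS configuration text."""
    lines = ["ip access-list extended VLAN80_ALLOW"]
    lines += [f" permit ip {ios_text(s)} {ios_text(d)}" for s, d in ALLOW_ACL]
    lines += ["ip access-list extended VLAN80_INTRA",
              f" permit ip {ios_text(VLAN_NET)} {ios_text(VLAN_NET)}"]
    for seq, acl, action in ACCESS_MAP:
        lines.append(f"vlan access-map VLAN80_MAP {seq}")
        if acl is not None:
            lines.append(" match ip address " + ("VLAN80_ALLOW" if acl is ALLOW_ACL else "VLAN80_INTRA"))
        lines.append(f" action {action}")
    lines.append(f"vlan filter VLAN80_MAP vlan-list {VLAN_ID}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(ios_config())
    for pair in [("172.16.103.10", "172.16.103.20"), ("172.16.103.10", "172.16.5.21"),
                 ("172.16.5.21", "10.0.0.5"), ("172.16.5.21", "192.168.10.5")]:
        print(pair, "->", flow_verdict(*pair), "| SVI ACL only:", flow_verdict(*pair, use_vacl=False))
```

Two things the model makes visible: with `use_vacl=False` the cross-group pair 172.16.103.10 to 172.16.5.21 comes back as forwarded, because same-subnet traffic never touches the SVI ACL, which is exactly why bino's router ACLs alone could not solve the intra-VLAN case. And the map's IP clauses only govern IP: ARP and other non-IP frames still pass unless you add `match mac address` clauses, so blocked hosts will still see each other in ARP. Paul's protected-port alternative only isolates ports on the same switch, so hosts on different switches in the VLAN need the VACL anyway.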