VACL - restricting vlan access

Hi, I have three VLANs and would like to configure them so that users in them cannot access each other: VLAN 116-117 users must not be able to reach VLAN 118, and vice versa.

Can you help me build the config? Here is the config I am working on. I am still creating the VLAN access map.

 

! Spanning tree: rapid PVST+ with loop guard on all ports and BPDU guard on portfast edge ports.
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
! Root priority 4096 only for the listed VLANs. VLAN 106 (trunked below) and the
! VLAN 118 being added are not in this list; add them if this switch should stay root for them.
spanning-tree vlan 100,107-108,116-117,123-125,999-1000 priority 4096
!
!
!
!
! Internal VLAN IDs (consumed by routed ports and similar) are allocated from the low end of the extended range.
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
 ! L2 access bundle in VLAN 1000 (members Gi0/20-21). VLAN 1000 holds the SVI 10.16.31.1/24
 ! and the default-route next hop 10.16.31.251, so this is the uplink toward the default gateway.
 switchport access vlan 1000
 switchport mode access
!
interface Port-channel2
 ! dot1q trunk bundle (members Gi0/23-24), DTP disabled with nonegotiate.
 ! Untagged frames land in native VLAN 999, which also has an SVI (Vlan999) -- confirm
 ! a routed native VLAN is intended.
 ! The trailing "!need to add 118" is an author note, not valid mid-command; add the VLAN with
 ! "switchport trunk allowed vlan add 118" once VLAN 118 exists in the VLAN database.
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 106,116,117,123-125,999,1000 !need to add 118
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0
 ! Likely the out-of-band management port; no address configured, so it is not in use.
 no ip address
 no ip route-cache
!
interface GigabitEthernet0/1
 ! Stand-alone dot1q trunk (not bundled), DTP off, speed/duplex pinned, UDLD aggressive
 ! so a unidirectional link is err-disabled. Allowed list is narrower than Po2
 ! (no 106/124/125/1000). The trailing "!need to add 118" is an author note and is
 ! not valid mid-command; use "switchport trunk allowed vlan add 118".
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 116,117,123,999 !need to add 118
 switchport mode trunk
 switchport nonegotiate
 speed 1000
 duplex full
 udld port aggressive
!
interface GigabitEthernet0/2
 ! Same template as Gi0/1: stand-alone dot1q trunk, DTP off, pinned speed/duplex, UDLD aggressive.
 ! The trailing "!need to add 118" is an author note, not valid mid-command; use
 ! "switchport trunk allowed vlan add 118".
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 116,117,123,999 !need to add 118
 switchport mode trunk
 switchport nonegotiate
 speed 1000
 duplex full
 udld port aggressive
!
interface GigabitEthernet0/3
 ! Same template as Gi0/1: stand-alone dot1q trunk, DTP off, pinned speed/duplex, UDLD aggressive.
 ! The trailing "!need to add 118" is an author note, not valid mid-command; use
 ! "switchport trunk allowed vlan add 118".
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 116,117,123,999 !need to add 118
 switchport mode trunk
 switchport nonegotiate
 speed 1000
 duplex full
 udld port aggressive

!


! Gi0/9-0/19: no configuration shown, so these run with platform defaults (typically
! access VLAN 1 with DTP enabled -- confirm). Unused ports are safer shut down and
! parked in an unused VLAN.
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
 
 ! Member of Port-channel1 (static bundle, "mode on": no LACP/PAgP negotiation);
 ! port settings must match Po1 (access VLAN 1000).
 switchport access vlan 1000
 switchport mode access
 channel-group 1 mode on
!
interface GigabitEthernet0/21
 
 ! Second member of Port-channel1 (static "mode on" bundle); settings mirror Gi0/20 and Po1.
 switchport access vlan 1000
 switchport mode access
 channel-group 1 mode on
!
interface GigabitEthernet0/22
 
 ! Stand-alone dot1q trunk carrying only VLAN 106 plus native 999, DTP off.
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 106,999
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/23

 ! Member of Port-channel2 (static "mode on" bundle); trunk settings must match Po2.
 ! The trailing "!need to add 118" is an author note, not valid mid-command; add VLAN 118
 ! on Po2 (and keep the members consistent) with "switchport trunk allowed vlan add 118".
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 106,116,117,123-125,999,1000 !need to add 118
 switchport mode trunk
 switchport nonegotiate
 speed 1000
 duplex full
 channel-group 2 mode on
!
interface GigabitEthernet0/24
 
 ! Second member of Port-channel2 (static "mode on" bundle); mirrors Gi0/23.
 ! The trailing "!need to add 118" is an author note, not valid mid-command; use
 ! "switchport trunk allowed vlan add 118" and keep Po2 and both members identical.
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 106,116,117,123-125,999,1000 !need to add 118
 switchport mode trunk
 switchport nonegotiate
 speed 1000
 duplex full
 channel-group 2 mode on
!
! Uplink-module ports Gi1/1-1/4 and Te1/1-1/2: no configuration shown (platform defaults).
! If unused, shut them down and park them in an unused VLAN.
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
!
interface TenGigabitEthernet1/1
!
interface TenGigabitEthernet1/2
!
interface Vlan1
 ! Default VLAN left unaddressed (no management on VLAN 1); none of the trunk allowed lists carry VLAN 1.
 no ip address
!
interface Vlan106
 ! Gateway for 10.16.6.0/24; V106ACL filters traffic entering from VLAN 106 hosts.
 ! HSRP group 1, VIP 10.16.6.1, preempt. 10.16.0.0/24 is reached through 10.16.6.254
 ! on this VLAN (see ip route).
 ip address 10.16.6.11 255.255.255.0
 ip access-group V106ACL in
 standby 1 ip 10.16.6.1
 standby 1 preempt
!
interface Vlan116
 ! Gateway for 10.16.16.0/24; V116ACL filters traffic entering from VLAN 116 hosts.
 ! DHCP relayed to 10.16.24.20/.21 (VLAN 124 subnet); V116ACL must keep its
 ! "permit udp any any eq bootps" for that. HSRP group 1, VIP 10.16.16.1, preempt.
 ip address 10.16.16.11 255.255.255.0
 ip access-group V116ACL in
 ip helper-address 10.16.24.20
 ip helper-address 10.16.24.21
 standby 1 ip 10.16.16.1
 standby 1 preempt
!
interface Vlan117
 ! Gateway for 10.16.17.0/24; V117ACL filters traffic entering from VLAN 117 hosts.
 ! DHCP relayed to 10.16.24.20/.21 (VLAN 124 subnet). HSRP group 1, VIP 10.16.17.1, preempt.
 ! A Vlan118 SVI following this same template (address, "ip access-group V118ACL in",
 ! helpers, standby) is still missing from the config.
 ip address 10.16.17.11 255.255.255.0
 ip access-group V117ACL in
 ip helper-address 10.16.24.20
 ip helper-address 10.16.24.21
 standby 1 ip 10.16.17.1
 standby 1 preempt
!

!need to add 118

!
interface Vlan123
 ! Gateway for 10.16.23.0/24, HSRP VIP 10.16.23.1. No inbound ACL on this SVI.
 ip address 10.16.23.11 255.255.255.0
 standby 1 ip 10.16.23.1
 standby 1 preempt
!
interface Vlan124
 ! Gateway for 10.16.24.0/24 (hosts the DHCP servers 10.16.24.20/.21 used by the helpers),
 ! HSRP VIP 10.16.24.1. No inbound ACL on this SVI.
 ip address 10.16.24.11 255.255.255.0
 standby 1 ip 10.16.24.1
 standby 1 preempt
!
interface Vlan125
 ! Gateway for 10.16.25.0/24, HSRP VIP 10.16.25.1. No inbound ACL on this SVI.
 ip address 10.16.25.11 255.255.255.0
 standby 1 ip 10.16.25.1
 standby 1 preempt
!
interface Vlan999
 ! SVI in the trunks' native VLAN: untagged frames on every trunk end up in this routed
 ! 10.16.63.0/24 subnet. Confirm that is intended; a native VLAN is usually left unrouted.
 ip address 10.16.63.11 255.255.255.0
 standby 1 ip 10.16.63.1
 standby 1 preempt
!
interface Vlan1000
 ! Transit VLAN toward the default-route next hop 10.16.31.251 (carried by Po1).
 ! Unlike the other SVIs there is no HSRP group and no inbound ACL here -- confirm.
 ip address 10.16.31.1 255.255.255.0
!
! Trim the default ip helper forwarding set so the helpers on Vlan116/117 relay only
! BOOTP/DHCP (bootps stays forwarded by default). HTTP/HTTPS management is disabled.
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
no ip http server
no ip http secure-server
!
!
! Default via 10.16.31.251 (VLAN 1000); 10.16.0.0/24 via a router at 10.16.6.254 inside
! VLAN 106; 192.168.10.16/28 via 10.16.31.254 (also VLAN 1000).
ip route 0.0.0.0 0.0.0.0 10.16.31.251
ip route 10.16.0.0 255.255.255.0 10.16.6.254
ip route 192.168.10.16 255.255.255.240 10.16.31.254
!
ip access-list extended V106ACL
 ! Inbound on Vlan106 (10.16.6.0/24). Several sources below are wider than that subnet
 ! (10.16.0.0/18, 10.16.0.0/21, host 10.16.0.10): 10.16.0.0/24 sits behind 10.16.6.254
 ! (see ip route). 10.16.23.0/24, however, is the local Vlan123 subnet, so accepting it as
 ! a source here only matters for traffic coming via that router -- or spoofed addresses; confirm.
 permit ip 10.16.0.0 0.0.63.255 192.168.10.0 0.0.0.31
 permit ip 10.16.0.0 0.0.7.255 10.16.23.0 0.0.0.255
 permit ip 10.16.23.0 0.0.0.255 10.16.0.0 0.0.0.255
 permit ip host 10.16.0.10 10.16.16.0 0.0.0.255
 permit ip host 10.16.0.10 10.16.17.0 0.0.0.255
 ! NTP to 10.16.31.252/.253 only.
 permit udp 10.16.0.0 0.0.7.255 host 10.16.31.252 eq ntp
 permit udp 10.16.0.0 0.0.7.255 host 10.16.31.253 eq ntp
 ! HSRP hellos from the standby peer (UDP 1985).
 permit udp any any eq 1985
 deny   ip any any
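ip access-list extended V116ACL
 remark Inbound on Vlan116 (hosts in 10.16.16.0/24). First match wins.
 remark Block VLAN 116 to VLAN 118; assumes VLAN 118 is 10.16.18.0/24 as in the proposed V118ACL -- confirm.
 remark On the live ACL insert this with a sequence number below the permit (e.g. 5 deny ...) or re-create the ACL;
 remark appending would place it after the permit and make it dead.
 deny   ip 10.16.16.0 0.0.0.255 10.16.18.0 0.0.0.255
 remark Everything else inside 10.16.0.0/16 (including VLAN 117) stays reachable.
 permit ip 10.16.16.0 0.0.0.255 10.16.0.0 0.0.255.255
 remark Outside: web, ICMP and the listed mail hosts only.
 permit tcp 10.16.16.0 0.0.0.255 any eq www
 permit tcp 10.16.16.0 0.0.0.255 any eq 443
 permit icmp 10.16.16.0 0.0.0.255 any
 permit tcp 10.16.16.0 0.0.0.255 host 69.89.1.77 eq 143
 permit tcp 10.16.16.0 0.0.0.255 host 69.89.1.77 eq 993
 permit tcp 10.16.16.0 0.0.0.255 host 69.89.1.77 eq 995
 permit tcp 10.16.16.0 0.0.0.255 host 69.89.1.77 eq smtp
 permit tcp 10.16.16.0 0.0.0.255 host 69.89.1.77 eq 465
 permit tcp 10.16.16.0 0.0.0.255 host 69.89.1.77 eq 587
 permit tcp 10.16.16.0 0.0.0.255 host 210.198.9.137 eq 995
 permit tcp 10.16.16.0 0.0.0.255 host 210.198.9.137 eq pop3
 permit tcp 10.16.16.0 0.0.0.255 host 210.198.9.136 eq 587
 permit tcp 10.16.16.0 0.0.0.255 host 210.198.9.136 eq smtp
 remark DHCP DISCOVER is sourced from 0.0.0.0, so the relay via ip helper-address needs this.
 permit udp any any eq bootps
 remark HSRP hellos from the standby peer (UDP 1985).
 permit udp any any eq 1985
 deny   ip any any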
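ip access-list extended V117ACL
 remark Inbound on Vlan117 (hosts in 10.16.17.0/24). First match wins.
 remark Block VLAN 117 to VLAN 118; assumes VLAN 118 is 10.16.18.0/24 as in the proposed V118ACL -- confirm.
 remark On the live ACL insert this with a sequence number below the permit (e.g. 5 deny ...) or re-create the ACL;
 remark appending would place it after the permit and make it dead.
 deny   ip 10.16.17.0 0.0.0.255 10.16.18.0 0.0.0.255
 remark Everything else inside 10.16.0.0/16 (including VLAN 116) stays reachable.
 permit ip 10.16.17.0 0.0.0.255 10.16.0.0 0.0.255.255
 remark Outside: web, ICMP and the listed mail hosts only.
 permit tcp 10.16.17.0 0.0.0.255 any eq www
 permit tcp 10.16.17.0 0.0.0.255 any eq 443
 permit icmp 10.16.17.0 0.0.0.255 any
 permit tcp 10.16.17.0 0.0.0.255 host 69.89.1.77 eq 143
 permit tcp 10.16.17.0 0.0.0.255 host 69.89.1.77 eq 993
 permit tcp 10.16.17.0 0.0.0.255 host 69.89.1.77 eq 995
 permit tcp 10.16.17.0 0.0.0.255 host 69.89.1.77 eq smtp
 permit tcp 10.16.17.0 0.0.0.255 host 69.89.1.77 eq 465
 permit tcp 10.16.17.0 0.0.0.255 host 69.89.1.77 eq 587
 permit tcp 10.16.17.0 0.0.0.255 host 210.198.9.137 eq 995
 permit tcp 10.16.17.0 0.0.0.255 host 210.198.9.137 eq pop3
 permit tcp 10.16.17.0 0.0.0.255 host 210.198.9.136 eq 587
 permit tcp 10.16.17.0 0.0.0.255 host 210.198.9.136 eq smtp
 remark DHCP DISCOVER is sourced from 0.0.0.0, so the relay via ip helper-address needs this.
 permit udp any any eq bootps
 remark HSRP hellos from the standby peer (UDP 1985).
 permit udp any any eq 1985
 deny   ip any any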

 

!need to add ip access list for 118

*************

 

This is what I plan to add; comments welcome:

 

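ip access-list extended V118ACL
 remark Inbound on the (still to be created) Vlan118 SVI via "ip access-group V118ACL in", mirroring Vlan116/117.
 remark Assumes VLAN 118 is 10.16.18.0/24 -- confirm against the Vlan118 SVI address.
 remark Not suitable as a VACL match list: in a VACL a deny entry means "no match", not drop,
 remark and every permit here is sourced from 10.16.18.0/24 only.
 remark Block VLAN 118 to VLANs 116-117 (10.16.16.0/23) before the broad permit below would allow it.
 deny   ip 10.16.18.0 0.0.0.255 10.16.16.0 0.0.1.255
 permit ip 10.16.18.0 0.0.0.255 10.16.0.0 0.0.255.255
 remark Outside: web, ICMP and the listed mail hosts only.
 permit tcp 10.16.18.0 0.0.0.255 any eq www
 permit tcp 10.16.18.0 0.0.0.255 any eq 443
 permit icmp 10.16.18.0 0.0.0.255 any
 permit tcp 10.16.18.0 0.0.0.255 host 69.89.1.77 eq 143
 permit tcp 10.16.18.0 0.0.0.255 host 69.89.1.77 eq 993
 permit tcp 10.16.18.0 0.0.0.255 host 69.89.1.77 eq 995
 permit tcp 10.16.18.0 0.0.0.255 host 69.89.1.77 eq smtp
 permit tcp 10.16.18.0 0.0.0.255 host 69.89.1.77 eq 465
 permit tcp 10.16.18.0 0.0.0.255 host 69.89.1.77 eq 587
 permit tcp 10.16.18.0 0.0.0.255 host 210.198.9.137 eq 995
 permit tcp 10.16.18.0 0.0.0.255 host 210.198.9.137 eq pop3
 permit tcp 10.16.18.0 0.0.0.255 host 210.198.9.136 eq 587
 permit tcp 10.16.18.0 0.0.0.255 host 210.198.9.136 eq smtp
 remark DHCP DISCOVER is sourced from 0.0.0.0, so a relay via ip helper-address needs this.
 permit udp any any eq bootps
 remark HSRP hellos from the standby peer (UDP 1985).
 permit udp any any eq 1985
 deny   ip any any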
!
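! VACL for the stated goal: VLANs 116/117 and VLAN 118 must not reach each other;
! all other traffic in those VLANs is left alone.
! Assumes VLAN 118 is 10.16.18.0/24 (as in the proposed V118ACL) -- confirm.
! VACL semantics (confirm for this platform): a "permit" in the match ACL means
! "this clause matches"; a "deny" means "not matched, try the next clause"; an IP
! packet matching no clause is dropped. The original single forward clause built on
! V118ACL would therefore have dropped all VLAN 116/117 traffic not sourced from
! 10.16.18.0/24, while still forwarding 118 to 116/117.
! ACL names below are constructed; rename to local convention.
ip access-list extended VACL118-ISOLATE
 remark Cross traffic between 10.16.16.0/23 (VLANs 116-117) and 10.16.18.0/24 (VLAN 118)
 permit ip 10.16.16.0 0.0.1.255 10.16.18.0 0.0.0.255
 permit ip 10.16.18.0 0.0.0.255 10.16.16.0 0.0.1.255
ip access-list extended VACL118-ANY
 remark Catch-all so everything not isolated above is forwarded
 permit ip any any
!
vlan access-map VACL118 10
 match ip address VACL118-ISOLATE
 action drop
vlan access-map VACL118 20
 match ip address VACL118-ANY
 action forward
!
! Applied to all three VLANs so the drop happens at ingress on either side.
vlan filter VACL118 vlan-list 116-118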

 

 

 


anyone???

anyone???
