03-02-2015 11:16 PM - edited 03-07-2019 10:55 PM
Hi, I have three vlans that would like to configure not to access each vlan users to other. VLan 116-117 users can't access to vlan 118 and vice versa.
Can you help me build the configs. Here is the config i am working. I am still creating vlan access map
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree vlan 100,107-108,116-117,123-125,999-1000 priority 4096
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
switchport access vlan 1000
switchport mode access
!
interface Port-channel2
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan 106,116,117,123-125,999,1000 !need to add 118
switchport mode trunk
switchport nonegotiate
!
interface FastEthernet0
no ip address
no ip route-cache
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan 116,117,123,999 !need to add 118
switchport mode trunk
switchport nonegotiate
speed 1000
duplex full
udld port aggressive
!
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan 116,117,123,999 !need to add 118
switchport mode trunk
switchport nonegotiate
speed 1000
duplex full
udld port aggressive
!
interface GigabitEthernet0/3
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan 116,117,123,999 !need to add 118
switchport mode trunk
switchport nonegotiate
speed 1000
duplex full
udld port aggressive
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
switchport access vlan 1000
switchport mode access
channel-group 1 mode on
!
interface GigabitEthernet0/21
switchport access vlan 1000
switchport mode access
channel-group 1 mode on
!
interface GigabitEthernet0/22
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan 106,999
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/23
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan 106,116,117,123-125,999,1000 !need to add 118
switchport mode trunk
switchport nonegotiate
speed 1000
duplex full
channel-group 2 mode on
!
interface GigabitEthernet0/24
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan 106,116,117,123-125,999,1000 !need to add 118
switchport mode trunk
switchport nonegotiate
speed 1000
duplex full
channel-group 2 mode on
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
!
interface TenGigabitEthernet1/1
!
interface TenGigabitEthernet1/2
!
interface Vlan1
no ip address
!
interface Vlan106
ip address 10.16.6.11 255.255.255.0
ip access-group V106ACL in
standby 1 ip 10.16.6.1
standby 1 preempt
!
interface Vlan116
ip address 10.16.16.11 255.255.255.0
ip access-group V116ACL in
ip helper-address 10.16.24.20
ip helper-address 10.16.24.21
standby 1 ip 10.16.16.1
standby 1 preempt
!
interface Vlan117
ip address 10.16.17.11 255.255.255.0
ip access-group V117ACL in
ip helper-address 10.16.24.20
ip helper-address 10.16.24.21
standby 1 ip 10.16.17.1
standby 1 preempt
!
!need to add 118
!
interface Vlan123
ip address 10.16.23.11 255.255.255.0
standby 1 ip 10.16.23.1
standby 1 preempt
!
interface Vlan124
ip address 10.16.24.11 255.255.255.0
standby 1 ip 10.16.24.1
standby 1 preempt
!
interface Vlan125
ip address 10.16.25.11 255.255.255.0
standby 1 ip 10.16.25.1
standby 1 preempt
!
interface Vlan999
ip address 10.16.63.11 255.255.255.0
standby 1 ip 10.16.63.1
standby 1 preempt
!
interface Vlan1000
ip address 10.16.31.1 255.255.255.0
!
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.16.31.251
ip route 10.16.0.0 255.255.255.0 10.16.6.254
ip route 192.168.10.16 255.255.255.240 10.16.31.254
!
ip access-list extended V106ACL
permit ip 10.16.0.0 0.0.63.255 192.168.10.0 0.0.0.31
permit ip 10.16.0.0 0.0.7.255 10.16.23.0 0.0.0.255
permit ip 10.16.23.0 0.0.0.255 10.16.0.0 0.0.0.255
permit ip host 10.16.0.10 10.16.16.0 0.0.0.255
permit ip host 10.16.0.10 10.16.17.0 0.0.0.255
permit udp 10.16.0.0 0.0.7.255 host 10.16.31.252 eq ntp
permit udp 10.16.0.0 0.0.7.255 host 10.16.31.253 eq ntp
permit udp any any eq 1985
deny ip any any
ip access-list extended V116ACL
permit ip 10.16.16.0 0.0.0.255 10.16.0.0 0.0.255.255
permit tcp 10.16.16.0 0.0.0.255 any eq www
permit tcp 10.16.16.0 0.0.0.255 any eq 443
permit icmp 10.16.16.0 0.0.0.255 any
permit tcp 10.16.16.0 0.0.0.255 host 69.89.1.77 eq 143
permit tcp 10.16.16.0 0.0.0.255 host 69.89.1.77 eq 993
permit tcp 10.16.16.0 0.0.0.255 host 69.89.1.77 eq 995
permit tcp 10.16.16.0 0.0.0.255 host 69.89.1.77 eq smtp
permit tcp 10.16.16.0 0.0.0.255 host 69.89.1.77 eq 465
permit tcp 10.16.16.0 0.0.0.255 host 69.89.1.77 eq 587
permit tcp 10.16.16.0 0.0.0.255 host 210.198.9.137 eq 995
permit tcp 10.16.16.0 0.0.0.255 host 210.198.9.137 eq pop3
permit tcp 10.16.16.0 0.0.0.255 host 210.198.9.136 eq 587
permit tcp 10.16.16.0 0.0.0.255 host 210.198.9.136 eq smtp
permit udp any any eq bootps
permit udp any any eq 1985
deny ip any any
ip access-list extended V117ACL
permit ip 10.16.17.0 0.0.0.255 10.16.0.0 0.0.255.255
permit tcp 10.16.17.0 0.0.0.255 any eq www
permit tcp 10.16.17.0 0.0.0.255 any eq 443
permit icmp 10.16.17.0 0.0.0.255 any
permit tcp 10.16.17.0 0.0.0.255 host 69.89.1.77 eq 143
permit tcp 10.16.17.0 0.0.0.255 host 69.89.1.77 eq 993
permit tcp 10.16.17.0 0.0.0.255 host 69.89.1.77 eq 995
permit tcp 10.16.17.0 0.0.0.255 host 69.89.1.77 eq smtp
permit tcp 10.16.17.0 0.0.0.255 host 69.89.1.77 eq 465
permit tcp 10.16.17.0 0.0.0.255 host 69.89.1.77 eq 587
permit tcp 10.16.17.0 0.0.0.255 host 210.198.9.137 eq 995
permit tcp 10.16.17.0 0.0.0.255 host 210.198.9.137 eq pop3
permit tcp 10.16.17.0 0.0.0.255 host 210.198.9.136 eq 587
permit tcp 10.16.17.0 0.0.0.255 host 210.198.9.136 eq smtp
permit udp any any eq bootps
permit udp any any eq 1985
deny ip any any
!need to add ip access list for 118
*************
this is what i will add, for comments:
ip access-list extended V118ACL
permit ip 10.16.18.0 0.0.0.255 10.16.0.0 0.0.255.255
permit tcp 10.16.18.0 0.0.0.255 any eq www
permit tcp 10.16.18.0 0.0.0.255 any eq 443
permit icmp 10.16.18.0 0.0.0.255 any
permit tcp 10.16.18.0 0.0.0.255 host 69.89.1.77 eq 143
permit tcp 10.16.18.0 0.0.0.255 host 69.89.1.77 eq 993
permit tcp 10.16.18.0 0.0.0.255 host 69.89.1.77 eq 995
permit tcp 10.16.18.0 0.0.0.255 host 69.89.1.77 eq smtp
permit tcp 10.16.18.0 0.0.0.255 host 69.89.1.77 eq 465
permit tcp 10.16.18.0 0.0.0.255 host 69.89.1.77 eq 587
permit tcp 10.16.18.0 0.0.0.255 host 210.198.9.137 eq 995
permit tcp 10.16.18.0 0.0.0.255 host 210.198.9.137 eq pop3
permit tcp 10.16.18.0 0.0.0.255 host 210.198.9.136 eq 587
permit tcp 10.16.18.0 0.0.0.255 host 210.198.9.136 eq smtp
permit udp any any eq bootps
permit udp any any eq 1985
deny ip any any
!
vlan access-map VACL118 10
match ip address V118ACL
action forward
!
vlan filter VACL118 vlan-list 116-118
03-05-2015 05:34 PM
anyone???
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide