11-06-2009 10:13 PM - edited 03-06-2019 08:29 AM
Hello everyone!!!
I have one query on VLAN ACLs.
I have three VLANs:
vlan 5 (5.5.5.1 255.255.255.0)
vlan 10 (10.10.10.1 255.255.255.0) server
vlan 15 (15.15.15.1 255.255.255.0)
Now I want to give hosts from VLAN 5 and 15 access to the VLAN 10 server only, and traffic between them is blocked.
So how should it be configured?
Thanks
11-07-2009 12:06 AM
Hi sharma16031981
There are some ACL commands that can block the traffic between VLAN 5 and VLAN 15.
access-list 10 deny 5.5.5.0 0.0.0.255
access-list 10 permit any
ip access-group 10 in (this command is configured on the router (or multilayer switch) subinterface for VLAN 15)
access-list 15 deny 15.15.15.0 0.0.0.255
access-list 15 permit any
ip access-group 15 in (this command is configured on the router (or multilayer switch) subinterface for VLAN 5)
I hope these will be helpful for you.
Long Fan ..
11-07-2009 02:11 AM
Dear Sharma,
This may solve your requirement:
You can use ACLs to limit the access between VLANs. For example:
vlan 5 = 5.5.5.0/24
vlan 10 = 10.10.10.0/24
vlan 15 = 15.15.15.0/24
As you want to allow traffic from VLAN 5 and 15 to access only VLAN 10 (servers):
access-list 101 permit ip 5.5.5.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 102 permit ip 15.15.15.0 0.0.0.255 10.10.10.0 0.0.0.255
interface vlan 5 (or the subinterface for VLAN 5)
ip access-group 101 in
interface vlan 15 (or the subinterface for VLAN 15)
ip access-group 102 in
**********
But this will block all other traffic except to VLAN 10. If you want to block the traffic between VLAN 5 and VLAN 15 only, then Long Fan's ACL will work fine.
Regards,
Anser
11-07-2009 09:52 PM
Hi,
When I configure it as said, it is able to ping 10.10.10.0, but no PC is able to ping its gateway.
If I have applied this ACL, is there anything I have to do on the server VLAN?
Or
If there is already an ACL on the server VLAN, will that allow access, or do some changes need to be done?
11-07-2009 11:02 PM
***when i configure as said it is able to ping 10.10.10.0 but no pc is able to ping their gateways***
Yes, you cannot ping their gateways because you have allowed only the 10.10.10.0/24 network. You have to allow everything else that you need.
***If i have applied this acl then is there any thing I have to do on server vlan ***
It depends on the requirement. For now you do not need to.
****or
If there is an acl already on server vlan then will that allow access or some changes need to done***
Yes, you need to allow vlan 5 & 10 subnets.
Note: If you only need to block traffic between VLAN 5 & 10, then create the standard deny ACLs for VLAN 5 and VLAN 10 as mentioned in Long Fan's post.
Regards,
Anser
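The behaviour Anser describes in both replies (an IOS ACL is walked top-down, the first matching entry wins, and anything that matches nothing hits the implicit deny at the end, which is why a permit-only ACL 101 also stops the PCs from reaching their own gateway) can be checked offline with a small evaluator. This is an added example, not code from the thread or from Cisco: the parser, the sample host addresses and the two alternative ACL texts (one that adds a permit for the gateway 5.5.5.1, one that denies only the VLAN 5 to VLAN 15 flow and permits the rest) are my own assumptions, written to show what each variant does to the flows the thread discusses.

```python
import ipaddress
from typing import Dict, List, Tuple

# One parsed extended-ACL entry: (action, src_net, src_wildcard, dst_net, dst_wildcard)
Entry = Tuple[str, int, int, int, int]


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse one IOS address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'.
    Returns (network, wildcard, index of the next token)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1          # every bit is don't-care
    if tok == "host":
        return _ip(tokens[i + 1]), 0, i + 2  # every bit must match
    return _ip(tok), _ip(tokens[i + 1]), i + 2


def parse_acl(config: str) -> List[Entry]:
    """Parse 'access-list N permit|deny ip SRC DST' lines in the order written.
    Toy parser (assumption): only the 'ip' protocol keyword is handled."""
    entries: List[Entry] = []
    for line in config.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        action = tokens[2]
        if action not in ("permit", "deny") or tokens[3] != "ip":
            raise ValueError(f"unsupported entry: {line}")
        src_net, src_wc, i = _parse_addr(tokens, 4)
        dst_net, dst_wc, _ = _parse_addr(tokens, i)
        entries.append((action, src_net, src_wc, dst_net, dst_wc))
    return entries


def wildcard_match(addr: int, net: int, wc: int) -> bool:
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    care = ~wc & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(acl: List[Entry], src: str, dst: str) -> str:
    """First matching entry wins; with no match the implicit 'deny any any' applies."""
    s, d = _ip(src), _ip(dst)
    for action, sn, sw, dn, dw in acl:
        if wildcard_match(s, sn, sw) and wildcard_match(d, dn, dw):
            return action
    return "deny"  # the implicit deny at the end of every IOS ACL


# Anser's ACL 101 exactly as posted, applied inbound on the VLAN 5 interface.
ACL_101_AS_POSTED = """
access-list 101 permit ip 5.5.5.0 0.0.0.255 10.10.10.0 0.0.0.255
"""

# Assumed variant: same ACL plus a permit for the VLAN 5 gateway address.
ACL_101_WITH_GATEWAY = """
access-list 101 permit ip 5.5.5.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 5.5.5.0 0.0.0.255 host 5.5.5.1
"""

# Assumed variant: block only VLAN 5 -> VLAN 15 and let everything else through.
ACL_BLOCK_ONLY_VLAN15 = """
access-list 101 deny ip 5.5.5.0 0.0.0.255 15.15.15.0 0.0.0.255
access-list 101 permit ip any any
"""

# Constructed sample flows from a VLAN 5 host: to the server, to a VLAN 15 host, to its gateway.
SAMPLE_FLOWS = {
    "to_server": ("5.5.5.10", "10.10.10.5"),
    "to_vlan15": ("5.5.5.10", "15.15.15.10"),
    "to_gateway": ("5.5.5.10", "5.5.5.1"),
}


def check_flows(acl_text: str) -> Dict[str, str]:
    """Return the ACL verdict for each sample flow under the given ACL text."""
    acl = parse_acl(acl_text)
    return {name: evaluate(acl, src, dst) for name, (src, dst) in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, text in [("as posted", ACL_101_AS_POSTED),
                        ("with gateway permit", ACL_101_WITH_GATEWAY),
                        ("block only VLAN 15", ACL_BLOCK_ONLY_VLAN15)]:
        print(label, check_flows(text))
```

Running it shows the effect the original poster reported: under the ACL as posted the flow to the server is permitted but both the VLAN 15 flow and the gateway ping fall through to the implicit deny. Adding a permit for the gateway fixes the ping without reopening VLAN 15, and the deny-then-permit-any variant is the extended-ACL way to block just the one inter-VLAN path while leaving gateway and other traffic alone. Whichever variant is used, the same check should be run for the VLAN 15 side, and the result should be confirmed on the device with `show access-lists` match counters.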