VLAN ACL

hs08
Spotlight

Hello,

How can we make a VLAN access list that permits traffic from hosts in VLAN A to VLAN B but denies traffic from hosts in VLAN B to VLAN A?

Accepted Solution

Until I run a lab and share the config, I will give you some points.
Traffic must be classified into:
UDP <<- here you must allow traffic between the VLANs
TCP <<- you can use a reflexive ACL or the established keyword in the ACL
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/15-mt/sec-data-acl-15-mt-book/sec-cfg-ip-filter.html
ICMP <<- this needs to allow only the echo-reply, not the echo, from VLAN B to VLAN A

That is how your ACL config should look.

View solution in original post
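The classification the accepted solution describes, written out as an added example (not the poster's lab config). It assumes the prefixes and SVI addresses given later in the thread: VLAN 10 (10.100.10.0/24) is VLAN A, VLAN 20 (10.100.20.0/24) is VLAN B, and the ACL name VLAN20-IN is made up here.

```cisco
! Added example, not the thread's own config. Assumes VLAN 10 = 10.100.10.0/24 (VLAN A)
! and VLAN 20 = 10.100.20.0/24 (VLAN B), with the SVI addresses posted in the thread.
ip access-list extended VLAN20-IN
 remark Inbound on the VLAN 20 SVI: VLAN 20 hosts may only answer sessions opened from VLAN 10
 remark TCP: only segments with ACK or RST set, i.e. replies to connections initiated from VLAN 10
 permit tcp 10.100.20.0 0.0.0.255 10.100.10.0 0.0.0.255 established
 remark ICMP: echo-reply only, so VLAN 10 can ping VLAN 20 but VLAN 20 cannot ping VLAN 10
 permit icmp 10.100.20.0 0.0.0.255 10.100.10.0 0.0.0.255 echo-reply
 remark UDP has no connection state to match on; the accepted solution allows it between the VLANs
 permit udp 10.100.20.0 0.0.0.255 10.100.10.0 0.0.0.255
 remark Everything else from VLAN 20 towards VLAN 10 is dropped and logged for review
 deny ip 10.100.20.0 0.0.0.255 10.100.10.0 0.0.0.255 log
 remark VLAN 20 traffic to any other destination is left untouched
 permit ip any any
!
interface Vlan10
 ip address 10.100.10.1 255.255.255.0
!
interface Vlan20
 ip address 10.100.20.1 255.255.255.0
 ip access-group VLAN20-IN in
```

After a ping and a TCP connection from each side, `show ip access-lists VLAN20-IN` shows per-entry hit counts, which is the quickest check that the echo-reply and established entries are matching the return traffic and the deny is catching VLAN 20-initiated flows. Note that `established` only inspects the ACK/RST flag bits and keeps no session table, so it is a filter on packet shape rather than true stateful inspection; the reflexive ACL in the linked guide is the stateful alternative.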

21 Replies

Yes sure. 

how?

Assuming this is a "homework assignment", why don't you post what you think may work, and we can review it and help you actually LEARN.

Hello,

Let's say on VLAN 10 I have the ACL permit ip 10.100.10.0 0.0.0.255 10.100.20.0 0.0.0.255

Then on VLAN 20 I have the ACL permit ip 10.100.20.0 0.0.0.255 10.100.10.0 0.0.0.255

I believe with both ACLs all hosts from VLAN 10 can communicate with all hosts on VLAN 20 and vice versa. My question is how we can permit VLAN 10 to VLAN 20 but deny VLAN 20 to VLAN 10.

Besides "permit" ACEs you can have "????" ACEs.  (What's the question mark word?)

When you use ACLs they might be applied "??" and/or "???".  (What's the question mark word?)

Besides "permit":
Ext Access List configuration commands:
<1-2147483647> Sequence Number
default Set a command to its defaults
deny Specify packets to reject
exit Exit from access-list configuration mode
no Negate a command or set its defaults
permit Specify packets to forward
remark Access list entry comment


Yes and you previously wrote: "My question is how we can permit vlan 10 to vlan 20 but deny vlan 20 to vlan 10."

Look at those ACE options and what your question asked.

Hello

Sorry, I don't get your point. Can you tell me exactly what ACL I should use?

What are the networks prefixes for VLANs 10 (?) and 20 (?)?

VLAN 10 is 10.100.10.0/24 and VLAN 20 is 10.100.20.0/24

Sorry I was busy, I will share config with you tomorrow.

Okay, you can either block VLAN B being sent to VLAN A or block VLAN B entering VLAN A.

interface Vlan10
ip address 10.100.10.1 255.255.255.0
ip access-group 10 in

access-list 10 deny 10.100.20.0 0.0.0.255
access-list 10 permit any

!== or ==

interface Vlan20
ip address 10.100.20.1 255.255.255.0
ip access-group 120 out

access-list 120 deny ip any 10.100.10.0 0.0.0.255
access-list 120 permit ip any any

Oh, forgot to mention, by default, all traffic passes.  I.e. you don't need to create ACLs, by default, to allow traffic between two VLANs.

Hello

I believe with that ACL the traffic will drop communication from VLAN 10 to VLAN 20, and from VLAN 20 to VLAN 10. Am I right?
