VLAN ACL

hs08
Spotlight

Hello,

How can we make a VLAN access list that permits traffic from a host in VLAN A to VLAN B but denies traffic from a host in VLAN B to VLAN A?

21 Replies

Don't believe so, unless you mean two way communication, but why do you believe so?

Joseph W. Doherty
Hall of Fame

How?

Either an egress ACL on VLAN B's SVI blocking traffic to VLAN A's IPs, or an ingress ACL on VLAN A's SVI blocking traffic from VLAN B's IPs.

BTW, although either ACL will accomplish your stated goal, blocking all traffic in one direction tends to break most network protocols as they expect two way communication.

Now, until I run a lab and share the config, I will give you some points.
Traffic must be classified into:
UDP <<- here you must allow traffic between VLANs
TCP <<- you can use a reflexive ACL or the established keyword in the ACL
 https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/15-mt/sec-data-acl-15-mt-book/sec-cfg-ip-filter.html
ICMP <<- this needs to allow only the echo-reply, not the echo, from VLAN B to VLAN A

That's how your ACL config should be.

"That's how your ACL config should be."

BTW, I did, early on, mention the stated requirement would break most network protocols as they expect two way communication, but OP did not revise requirement.

What you're describing is along the (more real-world) lines of VLAN A can initiate two way communication with VLAN B, but the converse is not to be allowed. (I.e. firewall like or firewall lite communications.)

Also BTW, reflexive ACLs support (some) non-TCP protocols too; your reference mentions using reflexive ACLs with TCP, UDP, ICMP, IGMP and other protocols. I.e. using reflexive ACLs may negate your UDP and ICMP statements.

Hello,

Now I understand. To fulfill my request I should not permit ip, because with permit ip, traffic from VLAN 10 can communicate with VLAN 20 and vice versa. I should use a specific permit port and protocol rather than permit ip. Am I right?

Yes you are correct.

"Am I right?"

With regard to your (repeatedly) stated goal/requirement, no!

If your goal/requirement NOW is to allow SOME two way traffic from VLAN 20 to VLAN 10, then you will need additional ACEs before the ACEs in the ACLs I provided, unless you want to block VLANs 10 & 20 from any other networks not in their VLANs.

When @MHM Cisco World suggested using TCP's established and/or reflexive ACLs, that's a wildcard match for lots of traffic (which is quite fine if that's your goal/requirement).

Again, YOU need to be precise in what you want to accomplish, or likewise, and more often the case, obtain from whoever you are working with exactly what's the desired results.
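The two "firewall lite" approaches discussed in this thread (the established keyword versus a reflexive ACL), written out as an added IOS example rather than config posted by any participant; the VLAN addressing, SVI addresses, ACL names and the DNS server at 10.0.20.53 are assumptions, not values from the thread.

```cisco
! Added example, not from the thread. Assumed addressing: VLAN 10 ("A") = 10.0.10.0/24
! with SVI 10.0.10.1, VLAN 20 ("B") = 10.0.20.0/24 with SVI 10.0.20.1.
!
! Variant 1: "established" keyword. Applied inbound on VLAN 20's SVI, so it filters
! packets that VLAN 20 hosts send toward the router. Stateless: any TCP segment with
! ACK or RST set matches, which is the "wildcard match" caveat raised in the thread.
ip access-list extended VLAN20-IN-ESTABLISHED
 remark TCP: only segments that look like replies to sessions VLAN 10 opened
 permit tcp 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 established
 remark ICMP: VLAN 20 may answer pings from VLAN 10 but never start them
 permit icmp 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 echo-reply
 remark UDP has no flags; name each reply flow explicitly (assumed DNS server 10.0.20.53)
 permit udp host 10.0.20.53 eq 53 10.0.10.0 0.0.0.255
 remark anything else VLAN 20 sends toward VLAN 10 is dropped and logged
 deny   ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 log
 remark keep VLAN 20 reachable to every other network (Joseph's caveat above)
 permit ip any any
!
! Variant 2: reflexive ACL. Traffic VLAN 10 hosts initiate toward VLAN 20 creates a
! temporary mirror entry (in list A-TO-B) that the VLAN 20 side evaluates. Tracks
! UDP and ICMP as well as TCP, and entries age out after the timeout.
ip access-list extended VLAN10-IN
 permit ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 reflect A-TO-B timeout 300
 permit ip any any
!
ip access-list extended VLAN20-IN-REFLEXIVE
 remark match only return traffic for flows VLAN 10 started
 evaluate A-TO-B
 deny   ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 log
 permit ip any any
!
! Apply one variant. Shown here: reflexive, which needs both SVIs.
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group VLAN10-IN in
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip access-group VLAN20-IN-REFLEXIVE in
!
! Verify: hit counts on the deny line show VLAN 20-originated attempts being blocked;
! the reflexive list only has entries while a VLAN 10-initiated flow is active.
! show ip access-lists VLAN20-IN-REFLEXIVE
! show ip access-lists A-TO-B
```

The `log` keyword on the deny ACE is what gives you evidence of VLAN 20 hosts trying to reach VLAN 10; without it the drop is silent.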
