cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
815
Views
0
Helpful
6
Replies

VLAN communication

avkommoju
Level 1
Level 1

Hi there

 

I'm new to this forum. I have a problem with VLANs. We have a Cat4500 L3 switch configured with different vlans. Now we need to configure a new vlan for Projectors and we want only certain vlans to access this new Projectors vlan. For example, let's call this Projectors vlan as vlan 10 and existing vlans as 5,6,7 & 8. We want only only 5,6,7,& 8 vlans to access vlan 10. Someone told me to use VACL which I have no idea about. Can anyone guide me. Thanks in advance.

Regards

6 Replies 6

Deepak Kumar
VIP Alumni
VIP Alumni

Hi, 

I am in confuse with your comment "For example, let's call this Projectors vlan as vlan 10 and existing vlans as 5,6,7 & 8. We want only only 5,6,7,& 8 vlans to access vlan 10."

 

According to your comment, All VLANs are allowed to communicate with VLAN 10. May I didn't get your point or there is a typo.  

 

I am sharing some good posts about VACL and configuration examples. Please read and apply the same. 

 

http://blog.ine.com/2009/08/10/vlan-access-control-lists-vacls-tiers-1/

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SXF/native/configuration/guide/swcg/vacl.pdf

 

Regards,

Deepak Kumar

 

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hi Deepak

Thanks for the reply. I'll look into the links. My comment is, there are 10 Vlans (say vlan 2,3,4,5,6,7,8,9,11,12) currently exist and I'm going to create a new vlan for projectors (vlan 10). I want only 5,6,7,& 8 vlans to be able to access vlan 10 and not other vlans. Means only the users in these 5,6,7,& 8 vlan should able to access the vlan 10 and not others. Hope this clarified. Thanks in advance.

Regards

Hi,
Thanks for clarifying the point. Check the mentioned link.

Regards,
Deepak
Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hi Deepak

Apologies for the delay as i was on holiday. I followed the guide from the link and tried in my simulator. Looks like it is not working. Please see the  core switch config below and the attached test network diagram. WHat I'm looking to achieve is VLAN7 (in RED) should not be able to access VLAN10 (in Green). But all other VLANs should access.

 

Core#sh run
Building configuration...

Current configuration : 2648 bytes
!
Version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Core
!
!
!
!
ip subnet-zero
!
ip cef
no ip domain-lookup
spanning-tree mode pvst
ip routing
spanning-tree extend system-id
!
vlan access-map test 100
 match ip address test
 action drop
vlan filter test vlan-list 7
!
!
!
!
!
!
!
interface FastEthernet1/0/1
!
interface FastEthernet1/0/2
!
interface FastEthernet1/0/3
!
interface FastEthernet1/0/4
!
interface FastEthernet1/0/5
!
interface FastEthernet1/0/6
!
interface FastEthernet1/0/7
!
interface FastEthernet1/0/8
!
interface FastEthernet1/0/9
!
interface FastEthernet1/0/10
!
interface FastEthernet1/0/11
!
interface FastEthernet1/0/12
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
!
interface FastEthernet1/0/17
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/19
!
interface FastEthernet1/0/20
!
interface FastEthernet1/0/21
!
interface FastEthernet1/0/22
 switchport trunk encapsulation dot1q
!
interface FastEthernet1/0/23
 switchport trunk encapsulation dot1q
!
interface FastEthernet1/0/24
 switchport trunk encapsulation dot1q
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
!
interface Vlan 1
 ip address 172.25.175.254 255.255.255.192
 no ip route-cache
!
interface Vlan0003
 ip address 172.16.143.126 255.255.255.128
 no ip route-cache
!
interface Vlan0005
 ip address 172.16.143.222 255.255.255.240
 no ip route-cache
!
interface Vlan0007
 ip address 172.16.143.190 255.255.255.192
 no ip route-cache
!
interface Vlan0009
 ip address 172.16.143.254 255.255.255.224
 no ip route-cache
!
interface Vlan0010
 ip address 172.25.172.126 255.255.255.128
 no ip route-cache
!
interface Vlan0203
 ip address 172.25.173.254 255.255.255.0
 no ip route-cache
!
interface Vlan0204
 ip address 172.25.174.254 255.255.255.0
 no ip route-cache
!
vlan 3 name WIRELESS_EMPLOYEES
vlan 5 name WIRELESS_GUESTS
vlan 7 name WIRELESS_SCANNERS
vlan 9 name WIRELESS_MANAGEMENT
vlan 10 name PROJECTORS
vlan 203 name DHCP_OFFICE
vlan 204 name DHCP_WORKSHOP
!
!
!
ip classless
no ip http server
!
ip access-list extended TEST
 permit ip 172.25.174.0 0.0.0.255 172.25.172.0 0.0.0.127
 permit ip 172.25.173.0 0.0.0.255 172.25.172.0 0.0.0.127
 permit ip 172.16.143.208 0.0.0.15 172.25.172.0 0.0.0.127
 permit ip 172.16.143.0 0.0.0.127 172.25.172.0 0.0.0.127
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
no scheduler allocate
end
Please suggest if any changes to be done.

Regards

Adi

Hi, 

Change your configuration as below:

 

ip access-list extended TEST

 permit IP 172.16.143.128 0.0.0.63 172.25.172.0 0.0.0.127

 permit IP 172.25.172.0 0.0.0.127 172.16.143.128 0.0.0.63

!

!

vlan access-map test 100
 match ip address test 
 action drop

exit

!

vlan access-map test 101

action forward

exit

 

!
vlan filter test vlan-list 7

 

 

Regards,

Deepak Kumar

 

 

 


 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

jeetkulkarni
Level 1
Level 1
They are referring vlan access lists. Agree with Deepak as all other VLANs should have access to the new VLAN. You have to make sure that the trunk/uplink ports between the switches have VLANs allowed so that communication is established without any hassle.

Please rate useful posts.
HTH
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco