Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
511
Views
0
Helpful
3
Replies

vlan routing

evanderwal
Level 1
Level 1

‎05-26-2014 02:04 AM - edited ‎03-07-2019 07:32 PM

Hello,  

We are using vlan routing at our company to connect to different vlans from our management vlan. Now we want the management vlan to be able to talk to all the other vlans. but all other vlans not together. explained briefly: host a is allowed to host b but  host b should not be allowed to host a. now I have created an ACL so VLAN 102 cant talk to VLAN 20. but then the ACL blocked the entire traffic between two hosts which is not the intention. Does anyone has a solution for me? Here below my config. It's an layer 3 switch.

 

some help would be great!

 

ip routing

 

interface Vlan1
 no ip address
 shutdown
!
interface Vlan101
 ip address 10.10.20.1 255.255.255.0
!
interface Vlan102
 ip address 172.32.16.1 255.255.255.0
 ip access-group Drop_201 in
!
interface Vlan201
 ip address 10.20.0.1 255.255.255.192
!
interface Vlan205
 ip address 10.20.1.1 255.255.255.192
!
interface Vlan206
 ip address 10.20.1.65 255.255.255.192


ip access-list extended Drop_201
 permit icmp any any
 deny ip any 172.32.16.0 0.0.0.255 10.20.0.1 0.0.0.63
 permit ip any any

 

Labels:
0 Helpful
3 Replies 3

Mitesh Manwatkar
Level 1
Level 1

‎05-26-2014 10:24 PM

Hi,

I would suggest you to use vlan acl as it will works better for vlan filtering method.

The sample config is as follows.

ip access-list standard Permit_Traffic
permit any

ip access-list standard Deny_Traffic
permit 172.32.16.0 0.0.0.255

vlan access-map BLOCK_VLAN20 10
match ip address Deny_Traffic
action drop

vlan access-map BLOCK_VLAN20 20
match ip address Permit_Traffic
action forward

vlan filter BLOCK_VLAN20 vlan-list  20

after applying this,host from vlan 102 will not be able to communicate with vlan 20 but others.

I hope it will clear your issue.

Regards.

0 Helpful

evanderwal
Level 1
Level 1
In response to Mitesh Manwatkar

‎06-11-2014 07:20 AM

Hi, Thanks for answering. I will give you a reply if i have tested it!

0 Helpful

evanderwal
Level 1
Level 1
In response to Mitesh Manwatkar

‎06-12-2014 04:57 AM

Hi Mitesh Manwatkar,

I tried what you suggest but it doesn't work. It blocks the entire traffic between vlans and thats not right. it has to be that vlan10 can acces vlan 20 but vlan 20 cant acces vlan 10 for example. Do you have other options for me ?

 

Kind regards.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card