10-04-2024 01:52 AM
I'm looking for the best approach to configure VLAN segmentation on a core switch where some VLANs can communicate with each other while others are restricted. Here's the scenario with 5 VLANs:
VLAN 10: Can communicate with VLAN 20 and VLAN 30 only.
VLAN 20: Can communicate with all VLANs, except VLAN 50.
VLAN 30: Can communicate only with VLAN 20.
VLAN 40: Can communicate only with VLAN 10.
VLAN 50: Completely restricted from communicating with any other VLANs.
What would be the most effective way to implement this segmentation?
10-04-2024 02:12 AM
You need to use ACLs; there is no other way.
MHM
10-04-2024 02:38 AM
I used ACLs, but they didn't function properly. I encountered successful pings at first, but when I tried again, the result was a timeout (RTO).
10-04-2024 02:41 AM
Share the ACL, let me check it.
MHM
10-04-2024 03:04 AM - edited 10-04-2024 03:05 AM
Here's what I have configured:
ip access-list extended VLAN10
deny ip 192.20.10.0 0.0.0.255 192.20.40.0 0.0.0.255
deny ip 192.20.10.0 0.0.0.255 192.20.50.0 0.0.1.255
permit udp any any eq 67
permit udp any any eq 68
permit ip 192.20.10.0 0.0.0.255 any
ip access-list extended VLAN20
deny ip 192.20.20.0 0.0.0.255 192.20.50.0 0.0.1.255
permit udp any any eq 67
permit udp any any eq 68
permit ip 192.20.10.0 0.0.0.255 any
ip access-list extended VLAN30
deny ip 192.20.30.0 0.0.1.255 192.20.10.0 0.0.0.255
deny ip 192.20.30.0 0.0.1.255 192.20.40.0 0.0.0.255
deny ip 192.20.30.0 0.0.1.255 192.20.50.0 0.0.1.255
permit ip 192.20.30.0 0.1.0.255 any
ip access-list extended VLAN40
deny ip 192.20.40.0 0.0.0.255 192.20.20.0 0.0.0.255
deny ip 192.20.40.0 0.0.0.255 192.20.30.0 0.0.1.255
deny ip 192.20.40.0 0.0.0.255 192.20.50.0 0.0.1.255
permit ip 192.20.40.0 0.0.0.255 any
ip access-list extended VLAN50
deny ip 192.20.50.0 0.0.1.255 192.20.10.0 0.0.0.255
deny ip 192.20.50.0 0.0.1.255 192.20.20.0 0.0.0.255
deny ip 192.20.50.0 0.0.1.255 192.20.30.0 0.0.1.255
deny ip 192.20.30.0 0.0.1.255 192.20.40.0 0.0.0.255
permit udp any any eq 67
permit udp any any eq 68
permit ip 192.20.50.0 0.0.1.255 any
then each int vlan has: ip access-group [vlan] in
10-04-2024 03:14 AM
Let's start
""VLAN 10: Can communicate with VLAN 20 and VLAN 30 only.
VLAN 20: Can communicate with all VLANs, except VLAN 50.""
ip access-list extended VLAN10
deny ip 192.20.10.0 0.0.0.255 192.20.40.0 0.0.0.255 <<- this denies vlan10 to vlan40
deny ip 192.20.10.0 0.0.0.255 192.20.50.0 0.0.1.255 <<- deny vlan10 to vlan50
permit udp any any eq 67 <<- is the DHCP server in vlan40 or vlan 50?
permit udp any any eq 68
permit ip 192.20.10.0 0.0.0.255 any <<- permits any
For vlan 20 and vlan 30
ip access-list extended VLAN20
deny ip 192.20.20.0 0.0.0.255 192.20.50.0 0.0.1.255
permit udp any any eq 67
permit udp any any eq 68
permit ip 192.20.10.0 0.0.0.255 any <<- the IP is wrong, it must be 192.20.20.0
ip access-list extended VLAN30
deny ip 192.20.30.0 0.0.1.255 192.20.10.0 0.0.0.255 <<- this is wrong since vlan 10 needs to connect to vlan30, and the wildcard is wrong, it must be 0.0.0.255
deny ip 192.20.30.0 0.0.1.255 192.20.40.0 0.0.0.255
deny ip 192.20.30.0 0.0.1.255 192.20.50.0 0.0.1.255
permit ip 192.20.30.0 0.1.0.255 any <<- wildcard wrong, it must be 0.0.0.255
Do the above and check ping between vlan10 and vlan 20 and vlan30.
MHM
10-04-2024 04:40 AM
Oops, those are typos; I typed only the commands here.
The core switch is the DHCP server, so I have also configured the DHCP pool.
The IP address of vlan 30 is 192.20.30.0/23, so that's why the wildcard mask is 0.0.1.255.
10-05-2024 06:02 AM
Override the wildcard note; I also wrote other notes, did you check them?
Also, did you check ping from vlan10 to vlan20 after correcting the errors I noticed?
MHM
10-04-2024 03:09 AM
ACL
10-04-2024 03:15 AM
Hello
Can you elaborate on this restriction? For example, vl10 is allowed to speak to vl20-30, but vl30 is only allowed to speak to vlan20 and not vl10.
Do you wish to only allow established TCP sessions initiated from the restricted VLANs?
10-05-2024 04:15 AM
Hi. No need for session-based restrictions, just basic VLAN communication rules.
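The following script is an added example, not code from this thread or from Cisco. It models the five-VLAN policy from the original question, generates the per-VLAN inbound extended ACLs in IOS syntax (same structure as the poster's config: explicit denies, DHCP permits, then permit from the VLAN's own subnet), and then evaluates every VLAN pair against those ACLs with a small first-match wildcard evaluator. It goes one step beyond the thread by also checking the reply direction, which is the point the last reply raises: a stateless ACL applied `in` on each SVI only sees packets leaving that VLAN, so a pair such as VLAN 10 -> VLAN 30 is permitted on the way out but the echo reply from VLAN 30 is dropped by VLAN 30's own ACL, and the ping times out. Subnets are taken from the posted config (VLAN 30 and VLAN 50 as /23, matching the 0.0.1.255 wildcard); the host addresses and the `flow_allowed` / `broken_conversations` helper names are constructed for this example.

```python
"""Added example: generate and validate per-VLAN inbound ACLs for the
policy matrix in the question. Not the thread's or Cisco's code."""
import ipaddress

# Subnets as used in the posted ACLs (VLAN 30 and 50 are /23 per the poster).
VLAN_SUBNETS = {
    10: ipaddress.ip_network("192.20.10.0/24"),
    20: ipaddress.ip_network("192.20.20.0/24"),
    30: ipaddress.ip_network("192.20.30.0/23"),
    40: ipaddress.ip_network("192.20.40.0/24"),
    50: ipaddress.ip_network("192.20.50.0/23"),
}

# Policy matrix exactly as stated in the question: VLAN -> VLANs it may reach.
POLICY = {10: {20, 30}, 20: {10, 30, 40}, 30: {20}, 40: {10}, 50: set()}


def wildcard(net):
    """IOS wildcard mask is the inverted netmask, i.e. the host mask."""
    return str(net.hostmask)


def build_acl(vlan, dhcp_on_switch=True):
    """Inbound ACL for the SVI of `vlan`: explicit denies toward blocked
    VLANs, DHCP permits (the core switch is the DHCP server), then permit
    anything else sourced from the VLAN's own subnet."""
    src = VLAN_SUBNETS[vlan]
    lines = [f"ip access-list extended VLAN{vlan}"]
    for peer, dst in sorted(VLAN_SUBNETS.items()):
        if peer != vlan and peer not in POLICY[vlan]:
            lines.append(f" deny ip {src.network_address} {wildcard(src)} "
                         f"{dst.network_address} {wildcard(dst)}")
    if dhcp_on_switch:
        lines += [" permit udp any any eq 67", " permit udp any any eq 68"]
    lines.append(f" permit ip {src.network_address} {wildcard(src)} any")
    return lines


def _match(addr, base, wc):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wc))
    return (a & ~w) == (b & ~w)


def _addr_spec(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def acl_permits(lines, src_ip, dst_ip, proto="ip", dport=None):
    """First-match evaluation of the generated ACL, implicit deny at the end."""
    for line in lines[1:]:
        t = line.split()
        action, prot = t[0], t[1]
        if prot != "ip" and prot != proto:      # 'ip' entries match any protocol
            continue
        (sb, sw), i = _addr_spec(t, 2)
        (db, dw), i = _addr_spec(t, i)
        if i < len(t) and t[i] == "eq" and int(t[i + 1]) != dport:
            continue
        if _match(src_ip, sb, sw) and _match(dst_ip, db, dw):
            return action == "permit"
    return False


def flow_allowed(src_vlan, dst_vlan):
    """One packet from a host in src_vlan to a host in dst_vlan, filtered by
    the inbound ACL on the source VLAN's SVI (constructed host .10 in each)."""
    s, d = VLAN_SUBNETS[src_vlan][10], VLAN_SUBNETS[dst_vlan][10]
    return acl_permits(build_acl(src_vlan), str(s), str(d))


def broken_conversations():
    """Pairs where the request is permitted but the reply is not. With
    stateless ACLs an echo reply is just another packet, so these pings
    succeed outbound and still time out."""
    return [(a, b) for a in VLAN_SUBNETS for b in VLAN_SUBNETS
            if a != b and flow_allowed(a, b) and not flow_allowed(b, a)]


if __name__ == "__main__":
    for v in VLAN_SUBNETS:
        print("\n".join(build_acl(v)))
    print("request allowed but reply denied:", broken_conversations())
```

Running it prints the five ACLs and then `[(10, 30), (20, 40), (40, 10)]`: exactly the asymmetric rows of the matrix (10 may reach 30 but not the reverse, 20 may reach 40 but not the reverse, 40 may reach 10 but not the reverse). Those are the pairs where a plain ACL cannot satisfy the policy as written; either the matrix is made symmetric, or the reply direction is admitted with a narrower rule (for TCP, `established`; for ICMP, permitting echo-reply toward the initiating VLAN), which is the question the last reply is asking.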