
VLANs

ramakanth
Level 1

int vlan 52
ip access-group TEST in
ip access-group TEST out

int vlan 42
ip access-group TEST in
ip access-group TEST out

ip access-list extended TEST
permit ip 10.10.56.0 0.0.0.255 any
permit ip any 10.10.56.0 0.0.0.255
deny ip 10.10.42.0 0.0.0.255 10.10.56.0 0.0.0.255
permit ip 10.10.42.0 0.0.0.255 any
permit ip any any


I have configured this, but I want VLAN 56 not to communicate with VLAN 42.

1 Accepted Solution

Seb Rupik
VIP Alumni
Hi there,
It is worth pointing out that these router ACLs are stateless. So whilst @Deepak Kumar's scenario 1 would stop a traffic stream sourced from VLAN56 destined to VLAN42, it would also block the return traffic of a stream initiated from VLAN42 to VLAN56.

If you want a two-way traffic stream initiated from VLAN42 to VLAN56 to be permitted then I suggest you look at implementing ZBF (or CBAC depending on the age of the device) which would keep a connection state table.


cheers,
Seb.


Deepak Kumar
VIP Alumni

Hi,

Your ACL configuration would look like this:

int vlan 56
ip access-group TEST out
!
ip access-list extended TEST
deny ip 10.10.56.0 0.0.0.255 10.10.42.0 0.0.0.255
permit ip any any


If you want to block access both ways, then the ACL configuration would look like this:

int vlan 42
ip access-group TEST2 out
!
ip access-list extended TEST2
deny ip 10.10.42.0 0.0.0.255 10.10.56.0 0.0.0.255
permit ip any any
!
int vlan 56
ip access-group TEST out
!
ip access-list extended TEST
deny ip 10.10.56.0 0.0.0.255 10.10.42.0 0.0.0.255
permit ip any any


Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hello

Isn't this a duplicate post?
https://community.cisco.com/t5/switching/how-to-configure-vlan-comunicating/m-p/3842407#M464182


Your original request was for VLAN 42 to be able to communicate with VLAN 52, but not for VLAN 52 to communicate with VLAN 42.

The example provided was to allow established TCP traffic to return into VLAN 42. Unfortunately this will not work for UDP, as the protocol is connectionless, so UDP can only be allowed or denied.

vlan 42 =192.168.42.0/24
vlan 56 =192.168.56.0/24

ip access-list extended TST
permit tcp 192.168.56.0 0.0.0.255 any established
deny tcp 192.168.56.0 0.0.0.255 any
permit ip any any

int vlan 42
ip access-group TST out


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
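The two points made in this thread, Seb's observation that a plain router ACL is stateless and drops the replies of sessions the "allowed" side started, and Paul's use of the `established` keyword to let TCP replies back in, can be seen side by side in a small ACL evaluator. This is an added example, not code from the thread or from Cisco. It uses Paul's 192.168.42.0/24 and 192.168.56.0/24 addressing, constructed sample packets, and simplified IOS matching semantics (first matching entry wins, implicit deny at the end, `established` meaning the ACK or RST bit is set); the packets are evaluated as they would be seen outbound on `int vlan 42`, i.e. heading into VLAN 42.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing, following Paul's example rather than the OP's 10.10.x.x plan
VLAN42 = ipaddress.ip_network("192.168.42.0/24")
VLAN56 = ipaddress.ip_network("192.168.56.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp" or "udp"
    ack_or_rst: bool = False   # TCP segment with the ACK or RST bit set


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    established: bool = False  # IOS 'established' keyword, TCP only

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        # 'established' narrows the match to segments carrying ACK or RST;
        # it is a header-flag check, not a connection table.
        if self.established and not pkt.ack_or_rst:
            return False
        return True


def evaluate(acl: list, pkt: Packet) -> str:
    """Simplified IOS semantics: first matching entry wins, implicit deny at the end."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# A stateless one-way deny, the shape of Deepak's scenario 1, as seen on the
# path from VLAN 56 toward VLAN 42.
STATELESS_DENY = [
    Ace("deny", "ip", VLAN56, VLAN42),
    Ace("permit", "ip", ANY, ANY),
]

# Paul's TST list: let TCP replies back into VLAN 42, block new TCP from VLAN 56.
TST_ESTABLISHED = [
    Ace("permit", "tcp", VLAN56, ANY, established=True),
    Ace("deny", "tcp", VLAN56, ANY),
    Ace("permit", "ip", ANY, ANY),
]

# Constructed sample traffic, all heading into VLAN 42 where the ACL is applied outbound.
NEW_TCP_FROM_56 = Packet("192.168.56.10", "192.168.42.10", "tcp")            # a fresh SYN
REPLY_TO_42_CLIENT = Packet("192.168.56.10", "192.168.42.10", "tcp", True)   # SYN/ACK back to a VLAN 42 client
UDP_FROM_56 = Packet("192.168.56.10", "192.168.42.10", "udp")


def stateless_results() -> dict:
    """Seb's point: the plain deny also drops the reply of a session VLAN 42 initiated."""
    return {
        "new_tcp_from_56": evaluate(STATELESS_DENY, NEW_TCP_FROM_56),
        "reply_to_42_client": evaluate(STATELESS_DENY, REPLY_TO_42_CLIENT),
    }


def established_results() -> dict:
    """Paul's list: replies get in, new TCP from 56 does not, UDP cannot be told apart."""
    return {
        "new_tcp_from_56": evaluate(TST_ESTABLISHED, NEW_TCP_FROM_56),
        "reply_to_42_client": evaluate(TST_ESTABLISHED, REPLY_TO_42_CLIENT),
        "udp_from_56": evaluate(TST_ESTABLISHED, UDP_FROM_56),
    }


if __name__ == "__main__":
    print("stateless deny:   ", stateless_results())
    print("with established: ", established_results())
```

Running it shows the plain deny returning `deny` for both the new SYN and the SYN/ACK reply, while Paul's list returns `deny` for the SYN, `permit` for the reply and `permit` for UDP. The UDP result is the limitation Paul names: with no flags to inspect, UDP from VLAN 56 is either allowed or denied wholesale by the `permit ip any any`. The `established` match itself only inspects the ACK/RST bits rather than tracking a connection, which is why Seb points to ZBF or CBAC when a real connection-state table is wanted.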