04-23-2019 11:13 PM
int vlan 52
ip access-group TEST in
ip access-group TEST out
int vlan 42
ip access-group TEST in
ip access-group TEST out
ip access-list extended TEST
permit ip 10.10.56.0 0.0.0.255 any
permit ip any 10.10.56.0 0.0.0.255
deny ip 10.10.42.0 0.0.0.255 10.10.56.0 0.0.0.255
permit ip 10.10.42.0 0.0.0.255 any
permit ip any any
I have configured this, but I want vlan 56 to not be able to communicate with vlan 42.
04-24-2019 12:13 AM
Hi there,
It is worth pointing out that these router ACLs are stateless. So whilst @Deepak Kumar's scenario 1 would stop a traffic stream sourced from VLAN56 destined to VLAN42, it would also block the return traffic of a stream initiated from VLAN42 to VLAN56.
If you want a two-way traffic stream initiated from VLAN42 to VLAN56 to be permitted, then I suggest you look at implementing ZBF (or CBAC, depending on the age of the device), which would keep a connection state table.
cheers,
Seb.
04-23-2019 11:56 PM
Hi,
Your ACL configuration will look like:
int vlan 56
ip access-group TEST out
!
ip access-list extended TEST
deny ip 10.10.56.0 0.0.0.255 10.10.42.0 0.0.0.255
permit ip any any
If you want to block access both ways, then the ACL configuration will look like:
int vlan 42
ip access-group TEST2 out
!
ip access-list extended TEST2
deny ip 10.10.42.0 0.0.0.255 10.10.56.0 0.0.0.255
permit ip any any
!
int vlan 56
ip access-group TEST out
!
ip access-list extended TEST
deny ip 10.10.56.0 0.0.0.255 10.10.42.0 0.0.0.255
permit ip any any
04-24-2019 02:12 AM - edited 04-24-2019 02:18 AM
Hello
Isn't this a duplicate post?
https://community.cisco.com/t5/switching/how-to-configure-vlan-comunicating/m-p/3842407#M464182
Your original request was to have vlan 42 able to communicate with vlan 52, but not vlan 52 able to communicate with vlan 42.
The example provided was:
To allow established TCP traffic to be able to return into vlan 42. Unfortunately this will not work for UDP, as the protocol is connectionless, so UDP can either be allowed or denied.
vlan 42 =192.168.42.0/24
vlan 56 =192.168.56.0/24
ip access-list extended TST
permit tcp 192.168.56.0 0.0.0.255 any established
deny tcp 192.168.56.0 0.0.0.255 any
permit ip any any
int vlan 42
ip access-group TST out
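To make Seb's stateless point and the `established` trade-off concrete, here is an added Python model of first-match extended-ACL evaluation (example code written for this thread, not a Cisco tool or anyone's posted config). It assumes the ACL body is applied to every packet crossing between the two VLANs, ignoring which SVI and direction it is bound to, and the packets are constructed for the demonstration.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst ack", defaults=(False,))  # ack: TCP ACK/RST bit set

def matches(addr, spec):
    """Cisco address/wildcard match: wildcard bits set to 1 are ignored."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def _take_addr(tokens):
    """Consume one address spec: 'any' or '<address> <wildcard>'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]

def acl_decision(acl, pkt):
    """First-match evaluation of an extended ACL, with the implicit deny at the end."""
    for line in acl:
        action, proto, *rest = line.split()
        established = rest[-1] == "established"   # IOS keyword: only ACK/RST-flagged TCP matches
        if established:
            rest = rest[:-1]
        src, rest = _take_addr(rest)
        dst, _ = _take_addr(rest)
        proto_ok = proto in ("ip", pkt.proto)
        flags_ok = not established or (pkt.proto == "tcp" and pkt.ack)
        if proto_ok and flags_ok and matches(pkt.src, src) and matches(pkt.dst, dst):
            return action
    return "deny"

# ACL bodies as quoted in the thread: Deepak's scenario 1 and the 'established' variant.
ACL_TEST = ["deny ip 10.10.56.0 0.0.0.255 10.10.42.0 0.0.0.255", "permit ip any any"]
ACL_TST = ["permit tcp 192.168.56.0 0.0.0.255 any established",
           "deny tcp 192.168.56.0 0.0.0.255 any", "permit ip any any"]

def demo():
    """Constructed packets: host .10 is in VLAN 42, host .20 in VLAN 56."""
    cases = {
        "TEST 42->56 syn":   (ACL_TEST, Packet("tcp", "10.10.42.10", "10.10.56.20")),
        "TEST 56->42 reply": (ACL_TEST, Packet("tcp", "10.10.56.20", "10.10.42.10", ack=True)),
        "TST 56->42 reply":  (ACL_TST, Packet("tcp", "192.168.56.20", "192.168.42.10", ack=True)),
        "TST 56->42 syn":    (ACL_TST, Packet("tcp", "192.168.56.20", "192.168.42.10")),
        "TST 56->42 udp":    (ACL_TST, Packet("udp", "192.168.56.20", "192.168.42.10")),
    }
    return {name: acl_decision(acl, pkt) for name, (acl, pkt) in cases.items()}
```

Running `demo()` shows the stateless TEST ACL letting the VLAN42-initiated SYN through but dropping its reply, while TST passes the TCP reply, still denies a SYN from VLAN 56, and permits a VLAN56-sourced UDP datagram because UDP carries no flags for `established` to key on.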