Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
677
Views
0
Helpful
3
Replies

Allow Specific VLAN traffic

rsthakur
Level 1
Level 1

‎02-17-2025 03:46 AM - edited ‎02-17-2025 03:48 AM

You have a 6805 switch with multiple VLANs and want to create an ACL to restrict access as follows:

  • Only VLAN 16 (172.28.40.0/21) and VLAN 30 (172.28.152.0/21) should be allowed to access VLAN 311 (172.23.0.0/21).
  • All other VLAN traffic to VLAN 311 should be denied.     

i have configured the ACL

ip access-list extended VLAN311_ACCESS
permit ip 172.28.40.0 0.0.7.255 172.28.23.0 0.0.7.255
permit ip 172.28.152.0 0.0.7.255 172.28.23.0 0.0.7.255
deny ip any 172.28.23.0 0.0.7.255
permit ip any any

interface vlan 311
ip access-group VLAN311_ACCESS in

but this is not working.

Any Help.

Labels:
0 Helpful
3 Replies 3

Flavio Miranda
VIP
VIP

‎02-17-2025 04:05 AM - edited ‎02-17-2025 04:07 AM

@rsthakur 

The only part you need is this. As ACL have deny any any at the end, only traffic for vlan 16 and 30 is allowed.

 ip access-list extended VLAN311_ACCESS
permit ip 172.28.40.0 0.0.7.255 172.28.23.0 0.0.7.255
permit ip 172.28.152.0 0.0.7.255 172.28.23.0 0.0.7.255

You can also apply one ACL at vlan 16 and 30

ip access-list extended VLAN16_ACCESS
deny ip any 172.23.0.0 0.0.7.255
permit IP any any

 

interface vlan 16
ip access-group VLAN16_ACCESS out

0 Helpful

rsthakur
Level 1
Level 1

‎02-19-2025 08:29 PM - edited ‎02-19-2025 08:32 PM

  • VLAN 30 (172.28.152.0/21)  should be allowed to access VLAN 311 (172.23.0.0/21).
  • All other VLAN traffic to VLAN 311 should be denied. 

Now, I have applied the command below.

ip access-list extended Camera
permit ip 172.28.152.0 0.0.7.255 172.23.0.0 0.0.7.255
deny ip any 172.23.0.0 0.0.7.255
deny ip any any

put the Above ACL on VLAN 311

interface Vlan311
description Extra Vlan
ip address 172.23.7.254 255.255.248.0
ip access-group Camera in

Then make one more ACL

ip access-list extended VLAN30_Camera
deny ip any 172.23.0.0 0.0.7.255
permit ip any any

and this one put on Vlan 30

interface Vlan30
description CC Lab & CC Management VLAN
ip address 172.28.159.254 255.255.248.0
ip access-group VLAN30_Camera out

But no luck, Its not working

 

 

0 Helpful

srimal99
Level 1
Level 1

‎02-20-2025 01:51 AM

@rsthakur do you have reachability to those subnets from the switch ? and check the port status does it go in to err-disable state ?

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card