12-12-2008 01:29 PM - edited 03-06-2019 02:57 AM
Hello all,
If I have multiple vlans on layer 3 switches and there is one vlan that I don't want any of the other vlans to access, how do I set it up?
thank you very much in advance for your help!
Gene
12-12-2008 01:45 PM
Gene
Assuming vlan 10,11,12 are normal vlans & vlan 20 is the vlan you want to restrict access to
vlan 10 = 192.168.5.0/24
vlan 11 = 192.168.6.0/24
vlan 12 = 192.168.7.0/24
vlan 20 = 192.168.20.0/24
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 deny ip 192.168.6.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 deny ip 192.168.7.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip any 192.168.20.0 0.0.0.255
int vlan 20
ip access-group 101 out
Note that there is a "permit ip any 192.168.20.0 0.0.0.255" at the end of the access-list. This is to allow
any other traffic from other sources and also to allow any return traffic to vlan 20.
So this access-list would stop vlan 10,11,12 accessing any device on vlan 20. But it wouldn't stop a vlan 20 device
connecting to vlan 10,11,12 devices. The key thing is that the connection would have to be initiated from the vlan 20 device.
Jon
12-12-2008 01:59 PM
Hi Jon,
Thank you very much for the solution. I will test it out.
Regards,
Gene
12-14-2008 02:56 AM
Hi,
You say, in the last statement, that vlan 20 would be able to access devices on vlan 10, 11 and 12. That is not entirely true. Devices on vlan 20 would be able to send UDP traffic to vlan 10, 11 and 12, but if you try with TCP traffic the devices on vlan 20 would not be able to complete their 3-way handshake because all returning traffic would be denied. (Cisco ACLs are not stateful.) If you want vlan 20 to be able to access devices on vlan 10, 11 and 12 using TCP, you would have to add:
access-list 101 permit tcp any 192.168.20.0 0.0.0.255 established
at the top of your ACL.
If you want to block ALL traffic to and from vlan 20 you could simply do the following.
access-list 101 deny ip any any
or
access-list 1 deny any
int vlan 20
ip access-group 1 (or 101) out
Regards,
Karl-Johan
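To make the two points above concrete (the first-match, stateless evaluation of Jon's ACL, and why Karl-Johan's "established" line at the top lets TCP sessions started from vlan 20 complete), here is an added Python simulation. It is not Cisco code and not part of the thread; it models only what the thread describes: a numbered IOS ACL evaluated top-down with an implicit deny at the end, applied "out" on interface vlan 20 (so only packets routed toward 192.168.20.0/24 hosts are checked), with "established" taken to match TCP segments that carry the ACK or RST flag (i.e. reply traffic). The host addresses in the scenarios are constructed for illustration.

```python
"""Simulate IOS-style ACL evaluation for the thread's vlan 20 filter.

Added illustration, not Cisco code. Simplifications: no ports, no ICMP,
and "established" is modelled as a boolean flag on the packet meaning
"TCP segment with ACK or RST set" (a reply), which is how IOS treats it.
"""
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")            # address "any" as net + wildcard
VLAN20 = ipaddress.ip_network("192.168.20.0/24")  # subnet behind "int vlan 20"


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    established: bool = False   # TCP reply segment (ACK/RST set)


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: tuple            # (network, wildcard)
    dst: tuple
    established: bool


def _addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse 'access-list N ...' lines (standard 1-99, extended 100-199)."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        if int(t[1]) < 100:                       # standard ACL: source only
            src, _ = _addr(t[3:])
            aces.append(Ace(t[2], "ip", src, ANY, False))
            continue
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        aces.append(Ace(t[2], t[3], src, dst, "established" in rest))
    return aces


def wildcard_match(addr, spec):
    """IOS wildcard mask: a 1 bit means 'don't care'."""
    net, wild = spec
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(net)) & care


def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ace.established and not (pkt.proto == "tcp" and pkt.established):
            continue
        if wildcard_match(pkt.src, ace.src) and wildcard_match(pkt.dst, ace.dst):
            return ace.action
    return "deny"


def forwarded(acl, pkt):
    """ACL bound 'out' on int vlan 20: only traffic leaving toward vlan 20 hosts is filtered."""
    if ipaddress.ip_address(pkt.dst) in VLAN20:
        return evaluate(acl, pkt) == "permit"
    return True


def tcp_handshake_completes(acl, client, server):
    """SYN must reach the server and the SYN/ACK (established) must get back."""
    syn = Packet("tcp", client, server)
    syn_ack = Packet("tcp", server, client, established=True)
    return forwarded(acl, syn) and forwarded(acl, syn_ack)


# Jon's ACL, with the vlan 11/12 source subnets as listed in his post.
JON_ACL = """
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 deny ip 192.168.6.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 deny ip 192.168.7.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip any 192.168.20.0 0.0.0.255
"""
# Karl-Johan's addition placed at the top of the same ACL.
WITH_ESTABLISHED = "access-list 101 permit tcp any 192.168.20.0 0.0.0.255 established\n" + JON_ACL

if __name__ == "__main__":
    jon, est = parse_acl(JON_ACL), parse_acl(WITH_ESTABLISHED)
    print("vlan10 -> vlan20 TCP:", tcp_handshake_completes(jon, "192.168.5.10", "192.168.20.10"))
    print("vlan20 -> vlan10 TCP (no established):", tcp_handshake_completes(jon, "192.168.20.10", "192.168.5.10"))
    print("vlan20 -> vlan10 TCP (with established):", tcp_handshake_completes(est, "192.168.20.10", "192.168.5.10"))
    print("vlan20 -> vlan10 UDP one-way:", forwarded(jon, Packet("udp", "192.168.20.10", "192.168.5.10")))
```

Running it shows the asymmetry the thread discusses: a vlan 10 host never reaches vlan 20 under either ACL, a UDP datagram from vlan 20 leaves unfiltered in both cases, and a TCP session from vlan 20 only completes once the "established" entry permits the SYN/ACK coming back in. Because "established" keys on TCP flags rather than on a connection table, it also does not help a non-TCP reply (the UDP answer from vlan 10 is still dropped), which is the stateless behaviour Karl-Johan describes.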
12-14-2008 04:48 AM
Karl-Johan
"but if you try with TCP traffic the devices on vlan 20 would not be able to complete their 3-way handshake because all returning traffic would be denied"
Very good point and thanks for pointing it out. I was trying to point out that a packet sent from vlan 20 would still get through to the other vlans, but as you say, the TCP connection would fail due to the return traffic.
Jon
10-19-2012 08:00 AM
hi.. let me try this code then... i have a project tomorrow that really needs this access-list mechanism that prevents other vlans from entering the IT vlan...
testing it now in packet tracer...
05-04-2017 06:00 AM
HI,
Why ip access-group out , not IN ?