VLAN ACL

Unanswered Question
Nov 6th, 2009

Hello everyone!

I have a query on VLAN ACLs.

I have three VLANs:

vlan 5 (5.5.5.1 255.255.255.0)

vlan 10 (10.10.10.1 255.255.255.0) server

vlan 15 (15.15.15.1 255.255.255.0)

Now I want hosts in VLAN 5 and VLAN 15 to be able to access only the VLAN 10 server, with traffic between VLAN 5 and VLAN 15 blocked.

How should this be configured?

Thanks

fanlongkf Sat, 11/07/2009 - 00:06

Hi sharma16031981

There are some ACL commands that can block the traffic between vlan 5 and vlan 15.

! Standard ACLs match on the source address only, so each list must be
! applied where packets from the blocked source leave the router: outbound
! on the destination VLAN interface. Applied inbound on Vlan15 the deny for
! 5.5.5.0 would never see a 5.5.5.x source and would match nothing.
access-list 10 deny 5.5.5.0 0.0.0.255
access-list 10 permit any

interface Vlan15
 ip access-group 10 out

(This command is configured on the router or multilayer switch interface, or subinterface, for VLAN 15.)

access-list 15 deny 15.15.15.0 0.0.0.255
access-list 15 permit any

interface Vlan5
 ip access-group 15 out

(This command is configured on the router or multilayer switch interface, or subinterface, for VLAN 5.)

I hope these will be helpful for you.

Long Fan ..

Muhammad Anser Khan Sat, 11/07/2009 - 02:11

Dear Sharma,

This may solve your requirement:

You can use ACLs to limit the access between VLANs. For example:

vlan 5 = 5.5.5.0/24

vlan 10 = 10.10.10.0/24

vlan 15 = 15.15.15.0/24

As you want to allow traffic from vlan 5 and 15 to access only vlan 10 (servers):

! Extended ACLs match source and destination. Anything not explicitly
! permitted, including 5.5.5.x to 15.15.15.x, hits the implicit "deny any"
! at the end of each list.
access-list 101 permit ip 5.5.5.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list 102 permit ip 15.15.15.0 0.0.0.255 10.10.10.0 0.0.0.255

interface Vlan5
! (or the subinterface for VLAN 5)
 ip access-group 101 in

interface Vlan15
! (or the subinterface for VLAN 15)
 ip access-group 102 in

**********

But this will block all other traffic except to vlan 10. If you want to block the traffic between vlan 5 and vlan 15 only, then Long Fan's ACL will work fine.

Regards,

Anser

sharma16031981 Sat, 11/07/2009 - 21:52

Hi,

When I configure it as described, the PCs are able to ping 10.10.10.0, but no PC is able to ping its gateway.

If I have applied this ACL, is there anything I have to do on the server VLAN?

Or:

If there is already an ACL on the server VLAN, will that allow access, or do some changes need to be done?

Muhammad Anser Khan Sat, 11/07/2009 - 23:02

***When I configure it as described, the PCs are able to ping 10.10.10.0, but no PC is able to ping its gateway***

Yes, you cannot ping their gateways because you have allowed only the 10.10.10.0/24 network. You have to allow everything else that you need.

***If I have applied this ACL, is there anything I have to do on the server VLAN?***

It depends on the requirement. For now you do not need to.

***Or: If there is already an ACL on the server VLAN, will that allow access, or do some changes need to be done?***

Yes, you need to allow the vlan 5 & 10 subnets.

Note: If you only need to block traffic between vlan 5 & 10, then create the standard deny ACL for vlan 5 and vlan 10 as mentioned in Long Fan's post.

Regards,

Anser
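The two designs in this thread (Long Fan's standard "deny the other VLAN" lists and Anser's extended "permit only the server subnet" lists) behave differently for exactly the reason the last two posts discuss: an extended ACL is default-deny, so the gateway ping from a PC is dropped unless it is permitted explicitly, while a standard ACL only ever looks at the source address, so the direction it is applied in decides whether it matches anything at all. The following simulator is an added example written for this page, not code from the thread or from Cisco; it models a router with three SVIs, first-match ACL evaluation with wildcard masks and the implicit deny, and evaluates a few constructed flows (host addresses 5.5.5.10, 15.15.15.10 and 10.10.10.5 are assumed). The `Router`, `ace` and `evaluate` helpers are hypothetical names for the model, not IOS commands.

```python
"""Simulate Cisco IOS ACL evaluation for the three-VLAN design in this thread.

Added example, not from the original thread. Models: first-match, wildcard
masks, the implicit 'deny any' at the end of every list, and the difference
between an inbound and an outbound ACL on an SVI. Host addresses are constructed.
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # Cisco "any": all bits are don't-care


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


def ace(action, src, src_wc="0.0.0.0", dst="0.0.0.0", dst_wc="255.255.255.255"):
    """One access-control entry. A standard ACL has no destination test, which
    is modelled here as a destination of 'any' (the default arguments)."""
    return {"action": action, "src": src, "src_wc": src_wc, "dst": dst, "dst_wc": dst_wc}


def evaluate(acl, src, dst):
    """First matching entry wins; no match at all is the implicit 'deny any'."""
    for e in acl:
        if wildcard_match(src, e["src"], e["src_wc"]) and wildcard_match(dst, e["dst"], e["dst_wc"]):
            return e["action"]
    return "deny"


class Router:
    """Three SVIs. A packet from a host enters on its own VLAN's SVI (filtered by
    that SVI's 'in' ACL); if it is routed it then leaves on the destination VLAN's
    SVI (filtered by that SVI's 'out' ACL). A packet addressed to the SVI address
    itself, i.e. the gateway, is only subject to the 'in' ACL."""

    def __init__(self):
        self.svi = {5: "5.5.5.1", 10: "10.10.10.1", 15: "15.15.15.1"}
        self.nets = {v: ipaddress.ip_network(f"{g}/24", strict=False) for v, g in self.svi.items()}
        self.acl_in, self.acl_out = {}, {}

    def vlan_of(self, addr):
        for v, n in self.nets.items():
            if ipaddress.ip_address(addr) in n:
                return v
        raise ValueError(f"{addr} is not in any configured VLAN")

    def forward(self, src, dst):
        sv = self.vlan_of(src)
        if sv in self.acl_in and evaluate(self.acl_in[sv], src, dst) == "deny":
            return "deny"
        if dst in self.svi.values():
            return "permit"                     # destined to the gateway itself
        dv = self.vlan_of(dst)
        if dv in self.acl_out and evaluate(self.acl_out[dv], src, dst) == "deny":
            return "deny"
        return "permit"


def long_fan_router(direction="out"):
    """access-list 10 (deny 5.5.5.0) on Vlan15 and access-list 15 (deny 15.15.15.0)
    on Vlan5. Standard ACLs match on source only, so they only do anything when
    applied outbound on the VLAN the blocked source must not reach."""
    r = Router()
    acl10 = [ace("deny", "5.5.5.0", "0.0.0.255"), ace("permit", *ANY)]
    acl15 = [ace("deny", "15.15.15.0", "0.0.0.255"), ace("permit", *ANY)]
    table = r.acl_out if direction == "out" else r.acl_in
    table[15], table[5] = acl10, acl15
    return r


def anser_router(allow_gateway=False):
    """access-list 101/102 inbound on Vlan5/Vlan15: permit only the server subnet.
    With allow_gateway=True a 'permit ip <subnet> host <gateway>' line is added,
    which is the change needed once PCs can no longer ping their gateway."""
    r = Router()
    acl101 = [ace("permit", "5.5.5.0", "0.0.0.255", "10.10.10.0", "0.0.0.255")]
    acl102 = [ace("permit", "15.15.15.0", "0.0.0.255", "10.10.10.0", "0.0.0.255")]
    if allow_gateway:
        acl101.append(ace("permit", "5.5.5.0", "0.0.0.255", "5.5.5.1", "0.0.0.0"))
        acl102.append(ace("permit", "15.15.15.0", "0.0.0.255", "15.15.15.1", "0.0.0.0"))
    r.acl_in[5], r.acl_in[15] = acl101, acl102
    return r


# Constructed test flows (hosts .10 and .5 are assumed, not from the thread).
FLOWS = {
    "vlan5_to_server": ("5.5.5.10", "10.10.10.5"),
    "vlan5_to_vlan15": ("5.5.5.10", "15.15.15.10"),
    "vlan15_to_vlan5": ("15.15.15.10", "5.5.5.10"),
    "vlan5_ping_gateway": ("5.5.5.10", "5.5.5.1"),
}


def results(router):
    """Verdict for every flow in FLOWS on the given router."""
    return {name: router.forward(s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for label, r in [("standard ACLs applied out", long_fan_router("out")),
                     ("standard ACLs applied in", long_fan_router("in")),
                     ("extended ACLs", anser_router()),
                     ("extended ACLs + gateway permit", anser_router(allow_gateway=True))]:
        print(label, results(r))
```

Running it shows that the extended-ACL design drops the gateway ping until a permit for the SVI address is added, while the standard-ACL design applied outbound blocks only the VLAN 5/VLAN 15 pair and leaves everything else, including the gateway, reachable; applied inbound the same standard lists match nothing and VLAN 5 and VLAN 15 can still reach each other. Because the extended design is default-deny, any other service the PCs need through the router (DNS, a DHCP relay, NTP) must get its own permit line in the same way.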
