VLAN ACL

Unanswered Question
Nov 6th, 2009

Hello Everyone !!!


I have one query on VLAN ACLs.

Like I have three VLANs:

vlan 5 (5.5.5.1 255.255.255.0)

vlan 10 (10.10.10.1 255.255.255.0) server

vlan 15 (15.15.15.1 255.255.255.0)

Now I want to give hosts from VLAN 5 and 15 access to the VLAN 10 server only, and traffic between them is blocked.

So how will it be configured?


Thanks

fanlongkf Sat, 11/07/2009 - 00:06

Hi sharma16031981,

There are some ACL commands that can block the traffic between vlan 5 and vlan 15.

access-list 10 deny 5.5.5.0 0.0.0.255

access-list 10 permit any

ip access-group 10 in (this command configures the router (or multilayer switch) subinterface on VLAN 15)

access-list 15 deny 15.15.15.0 0.0.0.255

access-list 15 permit any

ip access-group 15 in (this command configures the router (or multilayer switch) subinterface on VLAN 5)

I hope these will be helpful for you.


Long Fan ..

Muhammad Anser Khan Sat, 11/07/2009 - 02:11

Dear Sharma,


This may solve your requirement:


You can use ACLs to limit the access between VLANs. For example:


vlan 5 = 5.5.5.0/24

vlan 10 = 10.10.10.0/24

vlan 15 = 15.15.15.0/24


As you want to allow traffic from vlan 5 and 15 to access only vlan 10 (servers) :


access-list 101 permit ip 5.5.5.0 0.0.0.255 10.10.10.0 0.0.0.255


access-list 102 permit ip 15.15.15.0 0.0.0.255 10.10.10.0 0.0.0.255


interface vlan 5 (or the subinterface for vlan 5)

ip access-group 101 in



interface vlan 15 (or the subinterface for vlan 15)

ip access-group 102 in


**********


But this will block all other traffic except to vlan 10. If you want to block the traffic between vlan 5 and vlan 15 only then Long Fan's ACL will work fine.


Regards,

Anser

sharma16031981 Sat, 11/07/2009 - 21:52

Hi,


When I configure it as said, it is able to ping 10.10.10.0, but no PC is able to ping its gateway.

If I have applied this ACL, then is there anything I have to do on the server VLAN?

or

If there is an ACL already on the server VLAN, then will that allow access, or do some changes need to be done?

Muhammad Anser Khan Sat, 11/07/2009 - 23:02

***when i configure as said it is able to ping 10.10.10.0 but no pc is able to ping their gateways***


Yes, you cannot ping their gateways because you have allowed only the 10.10.10.0/24 network. You have to allow everything else that you need.

***If i have applied this acl then is there any thing I have to do on server vlan ***

It depends on the requirement. For now you do not need to.

****or

If there is an acl already on server vlan then will that allow access or some changes need to done***

Yes, you need to allow the vlan 5 & 10 subnets.

Note: If you only need to block traffic between vlan 5 & 10, then create the standard deny ACL for vlan 5 and vlan 10 as mentioned in Long Fan's post.


Regards,

Anser
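The "can reach the server but cannot ping the gateway" symptom in this thread is the implicit deny at the end of every IOS ACL: an inbound ACL on the SVI also filters traffic addressed to the SVI itself, so a single permit toward 10.10.10.0/24 drops everything else, including the ping to 5.5.5.1. The following is an added example, not code from the thread or from Cisco: a small Python evaluator for IOS-style wildcard-mask ACL lines, run against ACL 101 from Anser's post and against a hypothetical variant that additionally permits traffic from VLAN 5 to its gateway address. The packets it evaluates are constructed sample addresses. It models first-match evaluation, `any`, `host`, wildcard masks and the implicit deny; it does not model protocol or port matching.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Entry:
    """One access-list entry; 'any' is stored as net 0 with an all-ones wildcard."""
    action: str      # "permit" or "deny"
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i]; return (net, wild, next_i)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    # In IOS a bare address in a standard ACL means a single host (wildcard 0.0.0.0).
    if i + 1 < len(tokens):
        return _ip(tok), _ip(tokens[i + 1]), i + 2
    return _ip(tok), 0, i + 1


def parse_acl(text):
    """Parse 'access-list N permit|deny [ip] SRC [DST]' lines into entries, in order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        action = tokens[2]
        if tokens[3] == "ip":
            # Extended ACL: protocol keyword, then source and destination.
            src_net, src_wild, i = _parse_addr(tokens, 4)
            dst_net, dst_wild, _ = _parse_addr(tokens, i)
        else:
            # Standard ACL: matches on source only, any destination.
            src_net, src_wild, _ = _parse_addr(tokens, 3)
            dst_net, dst_wild = 0, 0xFFFFFFFF
        entries.append(Entry(action, src_net, src_wild, dst_net, dst_wild))
    return entries


def _matches(addr, net, wild):
    """Wildcard-mask match: bits set in the wildcard are don't-care bits."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(entries, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit 'deny any'."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if _matches(s, e.src_net, e.src_wild) and _matches(d, e.dst_net, e.dst_wild):
            return e.action
    return "deny"


# ACL 101 exactly as posted in the thread (applied inbound on interface vlan 5).
ACL_101 = """
access-list 101 permit ip 5.5.5.0 0.0.0.255 10.10.10.0 0.0.0.255
"""

# Hypothetical tightened variant (an assumption of this example, not from the thread):
# an explicit permit to the gateway address before the server permit, still no
# entry for 15.15.15.0/24, so inter-VLAN traffic falls through to the implicit deny.
ACL_101_WITH_GATEWAY = """
access-list 101 permit ip 5.5.5.0 0.0.0.255 host 5.5.5.1
access-list 101 permit ip 5.5.5.0 0.0.0.255 10.10.10.0 0.0.0.255
"""

# Constructed sample packets entering the vlan 5 interface: (description, src, dst).
SAMPLE_PACKETS = [
    ("host to server",        "5.5.5.10", "10.10.10.5"),
    ("host pings its gateway", "5.5.5.10", "5.5.5.1"),
    ("host to vlan 15 host",  "5.5.5.10", "15.15.15.10"),
]


def report(acl_text):
    """Return {description: action} for every sample packet under the given ACL."""
    entries = parse_acl(acl_text)
    return {desc: evaluate(entries, src, dst) for desc, src, dst in SAMPLE_PACKETS}


if __name__ == "__main__":
    for name, acl in (("ACL 101 as posted", ACL_101), ("ACL 101 + gateway permit", ACL_101_WITH_GATEWAY)):
        print(name)
        for desc, action in report(acl).items():
            print(f"  {desc:24s} -> {action}")
```

Running it shows the posted ACL permitting only the server traffic and denying both the gateway ping and the VLAN 15 host, while the variant restores the gateway ping without opening VLAN 5 to VLAN 15. Adding explicit permits for exactly the flows that are required, and leaving everything else to the implicit deny, is the least-privilege shape of the ACL; any further service the hosts need (DNS, DHCP relay, and so on) has to be listed the same way.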
