11-06-2009 10:13 PM - edited 03-06-2019 08:29 AM
Hello everyone!
I have a query on vlan ACLs.
I have three vlans:
vlan 5 (5.5.5.1 255.255.255.0)
vlan 10 (10.10.10.1 255.255.255.0) server
vlan 15 (15.15.15.1 255.255.255.0)
Now I want to give hosts from vlan 5 and vlan 15 access to the vlan 10 server only, with traffic between vlan 5 and vlan 15 blocked.
So how should it be configured?
Thanks
11-07-2009 12:06 AM
Hi sharma16031981
There are some ACL commands that can block the traffic between vlan 5 and vlan 15.
access-list 10 deny 5.5.5.0 0.0.0.255
access-list 10 permit any
ip access-group 10 out (this command is configured on the router (or multilayer switch) subinterface for vlan 15; a standard ACL matches on source address only, so it must be applied outbound toward vlan 15 to catch traffic sourced from 5.5.5.0/24)
access-list 15 deny 15.15.15.0 0.0.0.255
access-list 15 permit any
ip access-group 15 out (this command is configured on the router (or multilayer switch) subinterface for vlan 5, again outbound so that traffic sourced from 15.15.15.0/24 is the traffic being tested)
I hope these will be helpful for you.
Long Fan ..
11-07-2009 02:11 AM
Dear Sharma,
This may solve your requirement:
You can use ACLs to limit the access between vlans. For example:
vlan 5 = 5.5.5.0/24
vlan 10 = 10.10.10.0/24
vlan 15 = 15.15.15.0/24
As you want to allow traffic from vlan 5 and vlan 15 to access only vlan 10 (servers):
access-list 101 permit ip 5.5.5.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 102 permit ip 15.15.15.0 0.0.0.255 10.10.10.0 0.0.0.255
interface vlan 5 (or subinterface for the vlan 5)
ip access-group 101 in
interface vlan 15 (or subinterface for the vlan 15)
ip access-group 102 in
**********
But this will block all other traffic except traffic to vlan 10. If you want to block the traffic between vlan 5 and vlan 15 only, then Long Fan's ACL will work fine.
Regards,
Anser
11-07-2009 09:52 PM
Hi,
When I configure it as said, it is able to ping 10.10.10.0 but no PC is able to ping its gateway.
If I have applied this ACL, then is there anything I have to do on the server vlan?
Or
If there is an ACL already on the server vlan, then will that allow access, or do some changes need to be done?
11-07-2009 11:02 PM
***When I configure it as said, it is able to ping 10.10.10.0 but no PC is able to ping its gateway***
Yes, you cannot ping their gateways because you have allowed only the 10.10.10.0/24 network. You have to allow everything else that you need as well.
***If I have applied this ACL, then is there anything I have to do on the server vlan***
It depends on the requirement. Right now you do not need to.
***Or
If there is an ACL already on the server vlan, then will that allow access, or do some changes need to be done***
Yes, you need to allow the vlan 5 & 10 subnets.
Note: If you only need to block traffic between vlan 5 & 10, then create the standard deny ACL for vlan 5 and vlan 10 as mentioned in Long Fan's post.
Regards,
Anser
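To make the "can ping the server but not the gateway" symptom concrete, here is an added example (not from any poster in this thread, and not Cisco code): a small Python evaluator that applies IOS wildcard-mask, first-match and implicit-deny semantics to the ACL lines posted above. The host addresses 5.5.5.20, 10.10.10.5 and 15.15.15.7 are constructed; ACL 103 is a constructed alternative to ACL 101 that also permits traffic to the SVI's own address and ends with a logged explicit deny; and the standard ACL 15 is evaluated in the direction in which its source test is meaningful (outbound on the vlan 5 interface).

```python
"""Added example: toy IOS-style ACL evaluator (not Cisco code).
Shows why the thread's extended ACL blocks pings to the gateway and how
an explicit permit for the gateway address fixes it."""
import ipaddress

ANY = (0, 0xFFFFFFFF)  # base 0 with an all-ones wildcard matches every address


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def parse_match(tokens, i):
    """Parse one address spec at tokens[i]: 'any', 'host A', 'A WILDCARD' or bare 'A'.
    Returns ((base, wildcard), index_of_next_token)."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return (to_int(tokens[i + 1]), 0), i + 2
    base = to_int(tok)
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        return (base, to_int(tokens[i + 1])), i + 2
    return (base, 0), i + 1  # bare address in a standard ACL means a single host


def parse_acl(config: str) -> dict:
    """Parse 'access-list N permit|deny ...' lines into {N: [(action, src, dst), ...]}.
    1-99 are standard ACLs (source only); 100-199 are extended ('ip SRC DST' only here)."""
    acls = {}
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number, action = int(tokens[1]), tokens[2]
        if 100 <= number <= 199:
            if tokens[3] != "ip":
                raise ValueError("only 'ip' extended entries are modelled")
            src, i = parse_match(tokens, 4)
            dst, _ = parse_match(tokens, i)
        else:
            src, _ = parse_match(tokens, 3)
            dst = ANY
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def matches(addr: int, spec) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)


def evaluate(entries, src: str, dst: str) -> str:
    """First matching entry wins; every ACL ends with an implicit 'deny any'."""
    s, d = to_int(src), to_int(dst)
    for action, src_spec, dst_spec in entries:
        if matches(s, src_spec) and matches(d, dst_spec):
            return action
    return "deny"


# ACLs exactly as posted in the thread
THREAD_CONFIG = """
access-list 15 deny 15.15.15.0 0.0.0.255
access-list 15 permit any
access-list 101 permit ip 5.5.5.0 0.0.0.255 10.10.10.0 0.0.0.255
"""

# Constructed alternative (not from the thread): ACL 101's intent plus an
# explicit permit to the SVI's own address, and a logged explicit deny.
GATEWAY_AWARE_CONFIG = """
access-list 103 permit ip 5.5.5.0 0.0.0.255 host 5.5.5.1
access-list 103 permit ip 5.5.5.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 103 deny ip any any log
"""

HOST5, GW5, SERVER, HOST15 = "5.5.5.20", "5.5.5.1", "10.10.10.5", "15.15.15.7"  # constructed


def thread_results() -> dict:
    acls = parse_acl(THREAD_CONFIG)
    fixed = parse_acl(GATEWAY_AWARE_CONFIG)
    return {
        # ACL 101 inbound on vlan 5: server reachable, gateway hit by the implicit deny
        "101 host->server": evaluate(acls[101], HOST5, SERVER),
        "101 host->gateway": evaluate(acls[101], HOST5, GW5),
        # standard ACL 15 outbound on vlan 5: vlan 15 senders blocked, others pass
        "15 vlan15->host": evaluate(acls[15], HOST15, HOST5),
        "15 server->host": evaluate(acls[15], SERVER, HOST5),
        # ACL 103 inbound on vlan 5: gateway and server reachable, vlan 15 denied
        "103 host->gateway": evaluate(fixed[103], HOST5, GW5),
        "103 host->server": evaluate(fixed[103], HOST5, SERVER),
        "103 host->vlan15": evaluate(fixed[103], HOST5, HOST15),
    }


if __name__ == "__main__":
    for case, verdict in thread_results().items():
        print(f"{case:20} {verdict}")
```

Run it directly to print each verdict. The "101 host->gateway" case returning deny is exactly the symptom reported in the thread: an ACL with a single permit line and nothing else ends in the implicit deny, which also catches traffic to the interface's own address.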