Cisco Support Community
Community Member

Access List vLAN

Hi, I have 2 layer VLANs created on my core switch. These VLANs are advertised by the EIGRP protocol running on the core switch and subsequently advertised into BGP on the routers connected to the core switch.

The 2 VLANs are Vlan 12 and Vlan 13. Vlan 12 is a static VLAN which provides IP addresses to all the servers, and Vlan 13 is a static VLAN which provides IP addresses to the devices that communicate with the server VLAN.

My requirement is that Vlan 13 should be totally isolated from all other VLANs and traffic except Vlan 13.

i.e. Vlan 13 should be reachable via Vlan 12, and Vlan 13 should not be reachable from any other traffic or any other VLAN. Vlan 13 should be totally isolated, both inbound and outbound.

I have an access list on Vlan 13, a standard access list permitting only Vlan 12 traffic in the outbound direction.

E.g.

int Vlan 13
 ip address 10.10.10.1 255.255.255.224
 ip access-group 13 out
!
int Vlan 12
 ip address 20.20.20.1 255.255.255.224
!
access-list 13 permit 20.20.20.0 0.0.0.31
!

But the problem is that I can ping Vlan 13 from other VLANs as source from the core switch, i.e.

ping ip 10.10.10.3 source Vlan 4 gives me 100% success, and I can ping Vlan 4 using Vlan 13 as source.

If I try to ping it from outside the network, I can ping the Vlan 13 interface but not the IP addresses in that range.

Is the goal achieved in this case? Since the access list is applied in the outbound direction, I was wondering about inbound traffic, which in a way will be handled since outbound traffic won't be allowed to other VLANs for any inbound request, i.e. echo will be allowed but not echo-reply to other VLANs. Just wondering if I am making sense or talking rubbish here. Do I need to make any changes to accomplish the goal of totally isolating Vlan 13?

5 REPLIES
Green

Hi,

Your access list looks OK.

Try using other devices on VLAN 13 to test to and from, NOT the router/switch.

Regards
Alex

Regards, Alex. Please rate useful posts.

Access lists on SVIs are always in the reverse direction.

Your access list is applied 'outbound', but this actually means inbound as it's on an SVI.
Effectively you are saying:

"allow any traffic with a source address of 20.20.20.0 /27 to send traffic to any hosts in subnet 10.10.10.0 /27"

I recreated your setup in Packet Tracer and it seems to work fine, see attached.

PC0 is on Vlan4 (10.10.4.0 /24) and is unable to ping PC2.

PC1 is on Vlan12 (20.20.20.0 /27) and is able to ping PC2.

==========================================

interface Vlan4
 ip address 10.10.4.1 255.255.255.0
!
interface Vlan12
 ip address 20.20.20.1 255.255.255.224
!
interface Vlan13
 ip address 10.10.10.1 255.255.255.224
 ip access-group 13 out
!
ip classless
!
!
access-list 13 permit 20.20.20.0 0.0.0.31

==========================================
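The question and the reply above both turn on which way `in` and `out` point on an SVI, and on why the ping tests behaved as they did. As an added example that is not from any poster in this thread, the configuration below makes the isolation explicit with extended access lists in both directions on Vlan13. It uses the question's addressing (Vlan12 = 20.20.20.0/27, Vlan13 = 10.10.10.0/27); the ACL names and the optional gateway entry are my own choices. Three facts the thread's tests depend on: on an IOS SVI, an `out` ACL filters packets the switch routes out of that SVI toward hosts in the VLAN, and an `in` ACL filters packets arriving from those hosts, so the original `access-group 13 out` only controls what can reach 10.10.10.0/27 and says nothing about what VLAN 13 hosts may send (their packets leave, only the replies are dropped); outbound ACLs are not applied to packets the switch itself generates, which is why `ping ... source Vlan 4` run on the core succeeds regardless of the ACL and proves nothing; and a packet addressed to the SVI's own 10.10.10.1 is delivered to the switch rather than routed out of Vlan13, so the `out` ACL never sees it, which is why the interface stays pingable from outside while the hosts behind it do not.

```cisco
! Added example, not from the thread. Addressing follows the question:
! Vlan12 = 20.20.20.0/27 (servers), Vlan13 = 10.10.10.0/27 (to be isolated).
! ACL names and the optional gateway entry are assumptions of this example.
!
! Traffic allowed INTO VLAN 13 (routed out of the SVI toward 10.10.10.0/27):
! only packets sourced from VLAN 12. Everything else learned via EIGRP/BGP
! is dropped by the explicit deny (a standard ACL would do the same implicitly).
ip access-list extended ISOLATE_VLAN13_OUT
 permit ip 20.20.20.0 0.0.0.31 10.10.10.0 0.0.0.31
 deny   ip any any
!
! Traffic allowed OUT OF VLAN 13 (arriving on the SVI from 10.10.10.0/27):
! only packets destined to VLAN 12. Without this list a VLAN 13 host can still
! send to any other VLAN; the original standard ACL only stopped the replies.
! The second entry is optional: it keeps the default gateway reachable for
! troubleshooting, since an inbound ACL also filters packets addressed to the SVI.
ip access-list extended ISOLATE_VLAN13_IN
 permit ip 10.10.10.0 0.0.0.31 20.20.20.0 0.0.0.31
 permit ip 10.10.10.0 0.0.0.31 host 10.10.10.1
 deny   ip any any
!
interface Vlan12
 ip address 20.20.20.1 255.255.255.224
!
interface Vlan13
 ip address 10.10.10.1 255.255.255.224
 ip access-group ISOLATE_VLAN13_IN in
 ip access-group ISOLATE_VLAN13_OUT out
```

Test from a host on VLAN 13 and a host on another VLAN, not from the switch, since locally generated traffic bypasses the outbound list. `show ip interface Vlan13` confirms both lists are attached. With this pair in place, TCP between VLAN 13 and VLAN 12 works in either direction, while towards any other VLAN both the initial packet and any reply are dropped. If EIGRP is actually forming neighbours over Vlan13 rather than only advertising its prefix, the `in` list must additionally permit `eigrp` from 10.10.10.0/27, or the interface should be made passive.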

 

 

 

Community Member

Disable proxy-arp on interfaces.

Community Member

Today I did the same configuration in my office....

ip access-list extended ALLOW_VLAN13
 permit ip 10.10.10.0 0.0.0.31 20.20.20.0 0.0.0.31
 deny ip any 10.10.10.0 0.0.0.31
 permit ip any any

Then apply it on your VLAN interface as an access list:

interface vlan 3
 ip access-group ALLOW_VLAN13 in

It will work. I hope it will be helpful.

 

 

 

VIP Purple

Hello,
Duplicate post:

https://supportforums.cisco.com/discussion/12233651/access-list-query
 

 

res

Paul

Please don't forget to rate any posts that have been helpful. Thanks.
414 Views, 0 Helpful, 5 Replies