VLAN ACL

sharma16031981
Level 1

Hello Everyone!!!

I have one query on VLAN ACLs.

Like, I have three VLANs:

vlan 5 (5.5.5.1 255.255.255.0)

vlan 10 (10.10.10.1 255.255.255.0) server

vlan 15 (15.15.15.1 255.255.255.0)

Now I want to give hosts from VLAN 5 and 15 access to the VLAN 10 server only, and traffic between them is blocked.

So how will it be configured?

Thanks

4 Replies

fanlongkf
Level 1

Hi sharma16031981,

There are some ACL commands that can block the traffic between VLAN 5 and VLAN 15.

access-list 10 deny 5.5.5.0 0.0.0.255
access-list 10 permit any
ip access-group 10 out   (this command configures the router (or multilayer switch) subinterface for VLAN 15; a standard ACL matches only the source address, so it must be applied in the direction where 5.5.5.0/24 sources pass through, i.e. outbound toward VLAN 15)

access-list 15 deny 15.15.15.0 0.0.0.255
access-list 15 permit any
ip access-group 15 out   (this command configures the router (or multilayer switch) subinterface for VLAN 5)

I hope these will be helpful for you.

Long Fan ..

Dear Sharma,

This may solve your requirement:

You can use ACLs to limit the access between VLANs. For example:

vlan 5 = 5.5.5.0/24
vlan 10 = 10.10.10.0/24
vlan 15 = 15.15.15.0/24

As you want to allow traffic from VLAN 5 and 15 to access only VLAN 10 (servers):

access-list 101 permit ip 5.5.5.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 102 permit ip 15.15.15.0 0.0.0.255 10.10.10.0 0.0.0.255

interface vlan 5 (or subinterface for VLAN 5)
 ip access-group 101 in

interface vlan 15 (or subinterface for VLAN 15)
 ip access-group 102 in

**********

But this will block all other traffic except to VLAN 10. If you want to block the traffic between VLAN 5 and VLAN 15 only, then Long Fan's ACL will work fine.

Regards,

Anser

Hi,

When I configure it as you said, hosts are able to ping 10.10.10.0, but no PC is able to ping its gateway.

If I have applied this ACL, then is there anything I have to do on the server VLAN?

or

If there is an ACL already on the server VLAN, then will that allow access, or do some changes need to be done?

***When I configure it as you said, hosts are able to ping 10.10.10.0, but no PC is able to ping its gateway***

Yes, you cannot ping their gateways because you have allowed only the 10.10.10.0/24 network. You have to allow everything else that you need.

***If I have applied this ACL, then is there anything I have to do on the server VLAN***

It depends on the requirement. For now, you do not need to.

***or

If there is an ACL already on the server VLAN, then will that allow access, or do some changes need to be done***

Yes, you need to allow the VLAN 5 & 10 subnets.

Note: If you only need to block traffic between VLAN 5 & 10, then create the standard deny ACL for VLAN 5 and VLAN 10 as mentioned in Long Fan's post.

Regards,

Anser
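The replies above turn on three ACL behaviours: wildcard-mask matching, first match wins, and the implicit deny at the end of every IOS ACL (which is why the PCs could reach 10.10.10.0/24 but not their own gateway), plus the fact that a standard ACL tests only the source address, so its effect depends on the direction it is applied. The following Python evaluator is an added example, not code from the thread or from Cisco: it parses the numbered-ACL syntax used in the replies and runs the posted ACLs against constructed flows. The host addresses 5.5.5.10, 15.15.15.10 and 10.10.10.5 are made up for the demonstration; the WITH_GATEWAY and PEER_DENY variants are my own suggested rewrites of ACL 101, not something the repliers posted.

```python
"""Evaluate Cisco IOS-style numbered ACLs against sample flows (added example)."""
import ipaddress
from typing import NamedTuple

ANY = (0, 0xFFFFFFFF)          # 0.0.0.0 with wildcard 255.255.255.255


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str = "icmp"        # the thread's tests are pings


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]: 'any', 'host A.B.C.D' or
    'A.B.C.D W.W.W.W' (address plus wildcard; wildcard bit 1 = don't care).
    Returns ((addr, wildcard), index_of_next_token)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    if i + 1 < len(tokens):
        return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2
    return (_ip(tokens[i]), 0), i + 1   # bare address in a standard ACL = one host


def _match(addr: str, spec) -> bool:
    base, wild = spec
    care = ~wild & 0xFFFFFFFF           # bits the ACL actually compares
    return (_ip(addr) & care) == (base & care)


def parse_acl(config: str) -> dict:
    """Parse 'access-list N ...' lines into {N: [(action, proto, src, dst), ...]}.
    1-99 are standard ACLs (source only); 100-199 are extended (proto src dst).
    Blank lines and '!' comments are ignored. Ports/log keywords are not handled."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        number, action = int(tokens[1]), tokens[2]
        if number <= 99:
            src, _ = _parse_addr(tokens, 3)
            proto, dst = "ip", ANY
        else:
            proto = tokens[3]
            src, i = _parse_addr(tokens, 4)
            dst, _ = _parse_addr(tokens, i)
        acls.setdefault(number, []).append((action, proto, src, dst))
    return acls


def evaluate(entries, pkt: Packet) -> str:
    """First matching entry wins; no match falls to the implicit deny."""
    for action, proto, src, dst in entries:
        if proto in ("ip", pkt.proto) and _match(pkt.src, src) and _match(pkt.dst, dst):
            return action
    return "deny"


# ACL 101 exactly as posted for the VLAN 5 interface (applied inbound).
POSTED = """
access-list 101 permit ip 5.5.5.0 0.0.0.255 10.10.10.0 0.0.0.255
"""
# Suggested variant: also permit the VLAN 5 gateway (5.5.5.1 from the question);
# everything else still falls to the implicit deny.
WITH_GATEWAY = """
access-list 101 permit ip 5.5.5.0 0.0.0.255 host 5.5.5.1
access-list 101 permit ip 5.5.5.0 0.0.0.255 10.10.10.0 0.0.0.255
"""
# Suggested variant for "block only VLAN 5 <-> VLAN 15": explicit deny, then permit all.
PEER_DENY = """
access-list 101 deny ip 5.5.5.0 0.0.0.255 15.15.15.0 0.0.0.255
access-list 101 permit ip any any
"""
# Standard ACL 10 from the first reply (deny VLAN 5 sources).
STANDARD_10 = """
access-list 10 deny 5.5.5.0 0.0.0.255
access-list 10 permit any
"""


def vlan5_inbound(config: str) -> dict:
    """Verdicts for three flows entering the VLAN 5 interface from constructed host 5.5.5.10."""
    acl = parse_acl(config)[101]
    flows = {
        "to server vlan": Packet("5.5.5.10", "10.10.10.5"),
        "to own gateway": Packet("5.5.5.10", "5.5.5.1"),
        "to vlan 15": Packet("5.5.5.10", "15.15.15.10"),
    }
    return {name: evaluate(acl, pkt) for name, pkt in flows.items()}


def standard_acl_direction() -> dict:
    """Inbound on the VLAN 15 interface, ACL 10 only ever sees 15.15.15.x sources
    and never matches; outbound it sees packets heading to VLAN 15 and does."""
    acl = parse_acl(STANDARD_10)[10]
    return {
        "in: 15.15.15.10 -> 5.5.5.10": evaluate(acl, Packet("15.15.15.10", "5.5.5.10")),
        "out: 5.5.5.10 -> 15.15.15.10": evaluate(acl, Packet("5.5.5.10", "15.15.15.10")),
    }


if __name__ == "__main__":
    for name, cfg in [("posted", POSTED), ("with gateway", WITH_GATEWAY), ("peer deny", PEER_DENY)]:
        print(name, vlan5_inbound(cfg))
    print("standard ACL 10", standard_acl_direction())
```

Running it shows the posted ACL 101 permitting only the server flow and denying the gateway (the follow-up symptom), the two variants permitting the gateway while still separating VLAN 5 from VLAN 15, and standard ACL 10 matching nothing when offered VLAN 15 sourced traffic but denying 5.5.5.0/24 in the outbound direction.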
