Cisco Support Community

New Member

VLAN ACL

Hello Everyone!!!

I have one query on VLAN ACLs.

I have three VLANs:

vlan 5 (5.5.5.1 255.255.255.0)

vlan 10 (10.10.10.1 255.255.255.0) server

vlan 15 (15.15.15.1 255.255.255.0)

Now I want to give hosts from vlan 5 and 15 access to the vlan 10 server only, with traffic between them (vlan 5 and vlan 15) blocked.

So how will it be configured?

Thanks

4 REPLIES
New Member

Re: VLAN ACL

Hi sharma16031981

Here are some ACL commands that can block the traffic between vlan 5 and vlan 15.

access-list 10 deny 5.5.5.0 0.0.0.255

access-list 10 permit any

ip access-group 10 in (this command is configured on the router (or multilayer switch) subinterface for Vlan 15)

access-list 15 deny 15.15.15.0 0.0.0.255

access-list 15 permit any

ip access-group 15 in (this command is configured on the router (or multilayer switch) subinterface for Vlan 5)

I hope these will be helpful for you .

Long Fan ..

Re: VLAN ACL

Dear Sharma,

This may solve your requirement:

You can use ACLs to limit the access between VLANs. For example:

vlan 5 = 5.5.5.0/24

vlan 10 = 10.10.10.0/24

vlan 15 = 15.15.15.0/24

As you want to allow traffic from vlan 5 and 15 to access only vlan 10 (servers):

access-list 101 permit ip 5.5.5.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list 102 permit ip 15.15.15.0 0.0.0.255 10.10.10.0 0.0.0.255

interface vlan 5 (or subinterface for the vlan 5)

ip access-group 101 in

interface vlan 15 (or subinterface for the vlan 15)

ip access-group 102 in

**********

But this will block all other traffic except traffic to vlan 10. If you want to block the traffic between vlan 5 and vlan 15 only, then Long Fan's ACL will work fine.

Regards,

Anser

New Member

Re: VLAN ACL

Hi,

When I configure it as said, hosts are able to ping 10.10.10.0, but no PC is able to ping its gateway.

If I have applied this ACL, is there anything I have to do on the server VLAN?

or

If there is an ACL already on the server VLAN, will that allow access, or do some changes need to be done?

Re: VLAN ACL

***When I configure it as said, hosts are able to ping 10.10.10.0, but no PC is able to ping its gateway***

Yes, you cannot ping their gateways because you have allowed only the 10.10.10.0/24 network. You have to allow everything else that you need as well.

***If I have applied this ACL, is there anything I have to do on the server VLAN?***

It depends on the requirement. For now, you do not need to.

***or

If there is an ACL already on the server VLAN, will that allow access, or do some changes need to be done?***

Yes, you need to allow the vlan 5 & 10 subnets.

Note: If you only need to block traffic between vlan 5 & 10, then create the standard deny ACL for vlan 5 and vlan 10 as mentioned in Long Fan's post.

Regards,

Anser
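The symptom discussed in this thread (servers reachable, gateway not) follows from the implicit deny at the end of every IOS ACL. The following Python simulation is an added example, not configuration from any poster: it evaluates Anser's access-list 101 against three constructed flows from a vlan 5 host, then shows the same list with a host entry for the gateway 5.5.5.1 added. The host address 5.5.5.20, the server 10.10.10.5 and the vlan 15 host 15.15.15.7 are constructed sample values.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bits must match the base, 1 bits are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit 'deny any'."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


# Anser's access-list 101 as posted (applied inbound on interface vlan 5):
# (action, source, source wildcard, destination, destination wildcard)
ACL_101 = [("permit", "5.5.5.0", "0.0.0.255", "10.10.10.0", "0.0.0.255")]

# The same list with a host entry for the gateway 5.5.5.1 added in front
ACL_101_WITH_GATEWAY = [
    ("permit", "5.5.5.0", "0.0.0.255", "5.5.5.1", "0.0.0.0"),
    ("permit", "5.5.5.0", "0.0.0.255", "10.10.10.0", "0.0.0.255"),
]


def flows(acl):
    """Decisions for the three flows the thread discusses, from a constructed vlan 5 host."""
    host = "5.5.5.20"  # constructed sample host in vlan 5
    return {
        "to_server": evaluate(acl, host, "10.10.10.5"),   # server vlan 10
        "to_gateway": evaluate(acl, host, "5.5.5.1"),     # vlan 5 SVI address
        "to_vlan15": evaluate(acl, host, "15.15.15.7"),   # host in vlan 15
    }


if __name__ == "__main__":
    print("as posted:   ", flows(ACL_101))
    print("with gateway:", flows(ACL_101_WITH_GATEWAY))
```

Traffic to vlan 15 stays denied in both versions, so the gateway entry restores local reachability without reopening the path between vlan 5 and vlan 15.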
