
New Member

deny a particular vlan

Hi,

I want to ONLY allow a particular VLAN to access the internet in the company; it is not allowed to access the other LAN servers. How can I do it?

I had tried to apply an access-list for that particular VLAN, but it's down.

Regards,

Samuel

23 REPLIES
Purple

Re: deny a particular vlan

Hi Samuel,

If you are using a switch for inter-vlan routing, you can apply an access-list to that VLAN's interface as follows:

interface vlan 10
 ip access-group 101 out
!
access-list 101 deny ip any
access-list 101 permit ip any any

That will deny access to the LAN on which the server sits but permit everything else.

Hope that helps...

Paresh

New Member

Re: deny a particular vlan

Hi Paresh,

An access-list has been applied to the VLAN, but the VLAN is down.

Regards,

Samuel

Purple

Re: deny a particular vlan

Samuel,

What exactly do you mean when you say that the VLAN is down?

Paresh

Hall of Fame Super Bronze

Re: deny a particular vlan

Can you post the SHOW VLAN output from the switch?

Did you create a Layer 2 VLAN?

New Member

Re: deny a particular vlan

Here is the show output.

=============================================
#sh run
....
!
interface VLAN77
 ip access-group 100 out
 no ip directed-broadcast
 no ip route-cache
 shutdown
!
..
=============================================
#sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1
2    VLAN0002                         active
10   VLAN007010                       active
11   VLAN007011                       active
12   VLAN007012                       active
13   VLAN007013                       active
15   VLAN007015                       active
70   VLAN007070                       active
71   VLAN007071                       active
72   VLAN007072                       active
73   VLAN007073                       active
74   VLAN007074                       active
75   VLAN007075                       active
76   VLAN007076                       active
77   VLAN007077                       active    Fa0/2, Fa0/4, Fa0/5, Fa0/6,
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10,
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14,
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19,
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23,
                                                Fa0/24
78   VLAN007078                       active
=============================================
#sh ip int brief
Interface  IP-Address  OK? Method Status                Protocol
VLAN1      10.7.80.70  YES NVRAM  up                    up
VLAN77     unassigned  YES unset  administratively down down

Re: deny a particular vlan

Hi,

Which VLAN is having the problem?

I can see that VLAN 77 is there without an IP address and with an access list applied.

Also, VLAN 77 is shut down.

Is this the VLAN you are concerned about?

Configure a proper IP address for this VLAN 77 and ensure that you issue a "no shut".

We couldn't see your access-list definition in this show run output.

If you have created that access-list, refer to Paresh's post earlier, and ensure that you have properly configured the access-list before applying it to the VLAN interface.

-VJ

New Member

Re: deny a particular vlan

Hi VJ,

VLAN 77 is still down.

Samuel

===============================================
(config)#int vlan 77
(config-subif)#ip add 10.7.77.200 255.255.255.0
(config-subif)#no shut
(config-subif)#
===============================================
#sh run
!
interface VLAN77
 ip address 10.7.77.200 255.255.255.0
 ip access-group 2 out
 no ip directed-broadcast
 no ip route-cache
 shutdown
!
===============================================
#sh ip int brie
Interface  IP-Address   OK? Method Status                Protocol
VLAN1      10.7.80.70   YES NVRAM  up                    up
VLAN77     10.7.77.200  YES manual administratively down down
===============================================
#sh vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 254
Number of existing VLANs        : 30
VTP Operating Mode              : Transparent
VTP Domain Name                 : TKST
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x2A 0x64 0xDC 0x0A 0x06 0x7B 0xB7 0x46
Configuration last modified by 10.7.80.11 at 3-15-05 15:08:25
#
===============================================

Re: deny a particular vlan

Hi,

This looks strange...

Even though you had issued a "no shut", I can still see the "shutdown" statement under VLAN 77's configuration in the show run.

Try this:

1) Issue "no shutdown" (instead of "no shut") under interface vlan77 and see whether VLAN 77 comes up in the show vlan output.

If not:

2) Remove VLAN 77 from the configuration by issuing "no interface vlan77" and recreate it.

Let us know the result.

-VJ

Re: deny a particular vlan

Hello,

Is this switch a standalone switch, or is it part of the TKST domain? Make sure the switch is either in VTP client or server mode (it is in transparent mode now), otherwise the VLANs configured in your domain will not work on that switch...

Regards,

GNT

New Member

Re: deny a particular vlan

Hi VJ,

Point 1 was tried, but the result is the same.

Point 2: since it's an access layer switch, if I recreate it, it will affect other users.

Hi GNT,

It is part of the TKST domain. I changed it to VTP client mode, but the problem still occurs.

Samuel

Re: deny a particular vlan

Hi,

Thanks for the update.

As this VLAN is in shutdown state, removing and recreating it shouldn't affect anything.

No problem.

As the previous poster stated, correct the VTP configuration on this switch.

If you want this switch to be a VTP client, then VLAN definitions will be done only on the VTP server switch.

If you have already placed this switch as a VTP client in the domain, then issue "show vlan" and check the status of VLAN 77.

Go to the VTP server switch and check whether that VLAN is shut down there.

-VJ

New Member

Re: deny a particular vlan

Hi VJ,

In the core switch (Catalyst 5509), VLAN 77 is active.

==========================
Core switch output:

> sh vlan 77
VLAN Name                             Status    IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
77   VLAN007077                       active    140     2/1
                                                        7/2-6
                                                        9/2-5

VLAN Type  SAID       MTU   Parent RingNo BrdgNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
77   enet  100077     1500  -      -      -      -    -        0      0

VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
==============================================

thanks!

Samuel

Hall of Fame Super Bronze

Re: deny a particular vlan

I believe the reason VLAN77 remains in shutdown state is that you have a Layer 2 switch at the access layer. Only one SVI (Switch Virtual Interface) is allowed to be up/up, while you can have multiple VLANs in the VLAN database.

If you want to control Layer 3 traffic, you need to apply the required ACLs at the Layer 3 device, not the access layer device.

Let's concentrate on the device performing the routing in your network. You can find out what device this is by looking at the default gateway information on the workstation.

Post the config from that device here (masking IP addresses as necessary).

Please rate helpful posts.

Thanks

New Member

Re: deny a particular vlan

Hi EdisonOrtiz,

The access layer is connected to a 5509 core switch. Which show output do you need?

Thanks!

Samuel

Hall of Fame Super Bronze

Re: deny a particular vlan

As per my post, we need to see the Layer 3 device information (your router).

Can you post a diagram of your network so we can have an idea?

To recap, and please correct me if I'm wrong, you have an access layer switch (please provide the model). The switch has only one SVI (VLAN 1) with IP 10.7.80.70.

You want to manipulate traffic for VLAN 77 (10.7.77.200), but you can't control Layer 3 traffic on a Layer 2 device.

Are the devices on the 10.7.77.x subnet able to connect anywhere now? If so, issue 'ipconfig' on the workstation and telnet to the device listed as the default gateway. That device is responsible for that network, not your access layer switch.

New Member

Re: deny a particular vlan

Hi EdisonOrtiz,

It is a Catalyst 2924XL.

The diagram:

A Catalyst 5509 switch (which also has Layer 3 routing) is connected to the access layer switch and to the Win2003 servers (many, such as DHCP, internet router, core router, etc.); all are connected to the 5509.

Yes, 10.7.77.X can connect anywhere.

OK, I'll try to telnet to the default gateway tomorrow when I'm in the office. I have some idea.

Thanks!

Samuel

New Member

Re: deny a particular vlan

It is to browse web sites (internet) through a proxy server. The proxy server is also connected to the 5509 switch. I also want the PCs connected to the access layer switch (VLAN 77) to be able to get an IP address from the DHCP server automatically.

Do you have any good idea of how to apply the access list?

Thanks!

Samuel

Hall of Fame Super Bronze

Re: deny a particular vlan

For workstations to obtain a dynamic IP, you need to configure an ip helper-address on the 5509 core switch's VLAN77 interface.

By posting the config, I should be able to tell you where to place it.

As far as the internet, you can either configure policy-based routing or plain access-lists.

So basically, you only want VLAN77 to connect to the internet and nothing else in your network?

Hall of Fame Super Bronze

Re: deny a particular vlan

OK, let's see the 'sh run' from the 5509 Layer 3 engine.

Thanks.

New Member

Re: deny a particular vlan

Sorry, I can't post the whole sh run.

Yes, only allow VLAN 77 to connect to the internet and nothing else in my network.

Is it just applying a plain access-list on interface vlan77, right?

===========================================
Partial sh run:

!
interface Vlan77
 ip address 10.7.77.2 255.255.255.0
 ip helper-address 10.7.11.58
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip route-cache cef
 mls rp vtp-domain EATW
 mls rp ip
 standby priority 110
 standby preempt
 standby ip 10.7.77.1
!
===========================================

Hall of Fame Super Bronze

Re: deny a particular vlan

You would need to create an ip access-group under VLAN77 with the following commands:

interface vlan 77
 ip access-group 101 out

And create the access list to block traffic sourced from 10.7.77.0/24 to other subnets in your network while permitting internet traffic:

access-list 101 deny ip 10.7.77.0 0.0.0.255 10.7.80.0 0.0.0.255
access-list 101 permit ip any any

You can replace 10.7.8.0 /24 with additional subnets as you wish.

Please rate helpful posts.

Thanks

New Member

Re: deny a particular vlan

Hi EdisonOrtiz,

I just want to allow VLAN 75 access to the internet and to get an IP address from the DHCP server; other traffic will be blocked.

My network topology: all switches are connected to 2 core 5509 switches which are using HSRP.

When I apply those filters, all traffic from the PC in VLAN 75 is still allowed. What step did I miss? Please help.

------------------------------------------------------------------
core1_rs#sh run int vlan 75
Building configuration...

Current configuration:
!
interface Vlan75
 ip address 10.7.75.2 255.255.255.0
 ip helper-address 10.7.11.58
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip route-cache cef
 ip policy route-map mtg_room
 mls rp vtp-domain APP
 mls rp ip
 standby priority 110
 standby preempt
 standby ip 10.7.75.1
end
------------------------------------------------------------------
core1_rs#sh route-map mtg_room
route-map mtg_room, permit, sequence 10
  Match clauses:
    ip address (access-lists): 150
  Set clauses:
  Policy routing matches: 11 packets, 5102 bytes
route-map mtg_room, permit, sequence 20
  Match clauses:
    ip address (access-lists): 160
  Set clauses:
    ip next-hop 10.7.11.43
  Policy routing matches: 8 packets, 496 bytes
route-map mtg_room, deny, sequence 30
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
core1_rs#
------------------------------------------------------------------
core1_rs#sh access-lists 150
Extended IP access list 150
    permit udp any any eq bootps (7 matches)
    permit udp any any eq bootpc
core1_rs#sh access-lists 160
Extended IP access list 160
    permit tcp any any eq www (8 matches)
core1_rs#
===========================================================================
===========================================================================
core2_rs#sh run int vlan 75
Building configuration...

Current configuration:
!
interface Vlan75
 ip address 10.7.75.3 255.255.255.0
 ip helper-address 10.7.11.58
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip route-cache cef
 ip policy route-map mtg_room
 mls rp vtp-domain APP
 mls rp ip
 standby ip 10.7.75.1
end
------------------------------------------------------------------
core2_rs#sh route-map mtg_room
route-map mtg_room, permit, sequence 10
  Match clauses:
    ip address (access-lists): 150
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map mtg_room, permit, sequence 20
  Match clauses:
    ip address (access-lists): 160
  Set clauses:
    ip next-hop 10.7.11.43
  Policy routing matches: 0 packets, 0 bytes
route-map mtg_room, deny, sequence 30
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
core2_rs#
------------------------------------------------------------------
core2_rs#sh access-list 150
Extended IP access list 150
    permit udp any any eq bootps (1 match)
    permit udp any any eq bootpc (1 match)
core2_rs#sh access-list 160
Extended IP access list 160
    permit tcp any any eq www
core2_rs#
------------------------------------------------------------------

Regards,

Samuel
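As an added example (not code from the thread), a small Python model of the two mechanisms discussed above: EdisonOrtiz's access-list 101 for VLAN 77, and Samuel's mtg_room policy route-map with ACLs 150/160 on VLAN 75. It evaluates the ACL against packets sourced by the VLAN hosts (the direction in which they enter the SVI) and shows why the route-map by itself leaves other traffic flowing: a permit sequence with no set clause, a deny sequence, or no match at all sends the packet to normal routing instead of dropping it. The sample packets are constructed.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # IOS "any": base 0.0.0.0, wildcard all ones

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit is 'don't care', a 0 bit must match the base."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_action(acl, pkt):
    """First-match evaluation of an extended ACL, with the implicit deny at the end."""
    for action, proto, (src, swc), (dst, dwc), dport in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], src, swc) and wildcard_match(pkt["dst"], dst, dwc)):
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        return action
    return "deny"

def pbr_next_hop(route_map, acls, pkt):
    """Policy routing: a matching permit sequence with a set clause redirects the packet;
    a matching permit without a set clause, a matching deny sequence, or no match at all
    hands the packet to the normal routing table. PBR never drops traffic by itself."""
    for action, match_acl, next_hop in route_map:
        matched = match_acl is None or acl_action(acls[match_acl], pkt) == "permit"
        if matched:
            return next_hop if action == "permit" and next_hop else "normal-routing"
    return "normal-routing"

# EdisonOrtiz's access-list 101 for VLAN 77, as posted in the thread
ACL_101 = [
    ("deny", "ip", ("10.7.77.0", "0.0.0.255"), ("10.7.80.0", "0.0.0.255"), None),
    ("permit", "ip", ANY, ANY, None),
]
# Samuel's route-map mtg_room and ACLs 150/160 from the core1_rs output
ACLS = {
    150: [("permit", "udp", ANY, ANY, 67), ("permit", "udp", ANY, ANY, 68)],  # bootps, bootpc
    160: [("permit", "tcp", ANY, ANY, 80)],                                    # www
}
MTG_ROOM = [("permit", 150, None), ("permit", 160, "10.7.11.43"), ("deny", None, None)]

# Constructed sample packets (not from the thread): SSH toward the 10.7.80.0/24
# management subnet, a web request to a public address, and a DHCP discover
SSH_TO_LAN = {"proto": "tcp", "src": "10.7.77.50", "dst": "10.7.80.70", "dport": 22}
WEB_OUT = {"proto": "tcp", "src": "10.7.77.50", "dst": "203.0.113.10", "dport": 80}
DHCP_DISCOVER = {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "dport": 67}
```

With these inputs the ACL denies SSH_TO_LAN and permits the other two, while the route-map sends SSH_TO_LAN to normal routing (sequence 30 is a deny with no match clause), which is exactly the "all traffic still allowed" symptom.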

New Member

Re: deny a particular vlan

Private VLANs were invented exactly for such purposes.
