TOPIC: ACL+VLAN Interfaces

ACL+VLAN Interfaces 8 years 8 months ago #25389

I have 3 VLANs: VLAN10 - 192.168.10.0/24, VLAN20 - 192.168.20.0/24, VLAN30 - 192.168.30.0/24.
I configured a VLAN interface IP for all VLANs, with inter-VLAN routing:
VLAN10 - 192.168.10.1/24
VLAN20 - 192.168.20.1/24
VLAN30 - 192.168.30.1/24
Can anyone provide a configuration for the following requirements?
1. To deny traffic coming from VLAN10 to VLAN20, but allow traffic coming from VLAN20 to VLAN10.
2. To allow only HTTP traffic from VLAN10 and VLAN20 to VLAN30.
3. Allow access to the specific host 192.168.30.100 to any host in VLAN10 and VLAN20.
4. I have DHCP configured on the 6500 for the 3 VLANs; all hosts in their respective networks should get their IP address from the DHCP server (basically, DHCP server communication should not be blocked).
Thank you in advance.


Re: ACL+VLAN Interfaces 8 years 8 months ago #25421

havohej
Here goes:

int VLAN10
ip add 192.168.10.1 255.255.255.0
ip access-group FROMVLAN10-TO-VLAN20&30 in

int VLAN20
ip add 192.168.20.1 255.255.255.0
ip access-group FROMVLAN20-TO-VLAN10&30 in

int VLAN30
ip add 192.168.30.1 255.255.255.0
ip access-group FROMVLAN30-TO-VLAN10&20 in

ip access-list extended FROMVLAN10-TO-VLAN20&30
remark replies to sessions that VLAN20 hosts opened (reflexive list built by FROMVLAN20-TO-VLAN10&30)
evaluate REFLEX-ACL
deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
permit tcp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 80
permit ip 192.168.10.0 0.0.0.255 host 192.168.30.100
remark DHCP requests arrive from source 0.0.0.0 port 68 to broadcast port 67, so match on ports, not on the subnet
permit udp any eq bootpc any eq bootps
permit ip 192.168.10.0 0.0.0.255 host 192.168.10.1

ip access-list extended FROMVLAN20-TO-VLAN10&30
permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 reflect REFLEX-ACL
permit tcp 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 80
permit ip 192.168.20.0 0.0.0.255 host 192.168.30.100
permit udp any eq bootpc any eq bootps
permit ip 192.168.20.0 0.0.0.255 host 192.168.20.1

ip access-list extended FROMVLAN30-TO-VLAN10&20
permit tcp 192.168.30.0 0.0.0.255 eq 80 192.168.10.0 0.0.0.255
permit ip host 192.168.30.100 192.168.10.0 0.0.0.255
permit tcp 192.168.30.0 0.0.0.255 eq 80 192.168.20.0 0.0.0.255
permit ip host 192.168.30.100 192.168.20.0 0.0.0.255
permit udp any eq bootpc any eq bootps
permit ip 192.168.30.0 0.0.0.255 host 192.168.30.1


You are getting blocked while applying the ACL? Maybe you are sourcing your telnet connection to the switch from a PC in VLAN 20. So as not to get blocked again, you must permit the telnet traffic sourced from your PC to the switch; add an entry like this one:

ip access-list extended FROMVLAN20-TO-VLAN10&30
200 permit tcp host x.x.x.x host 192.168.20.1 eq telnet

where x.x.x.x is your PC's IP address (located in VLAN 20, I suppose!).


I also added an extra permit statement to each ACL so that all hosts within each subnet can talk to the VLAN IP address of the switch belonging to the subnet where the hosts are connected. I don't know if the switch is the default gateway or not.


I recommend pasting these configs into a lab and testing them against all the policies you mentioned before enabling this on the production switch.
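One way to do that lab check offline, as an added example that is not part of havohej's post or of anything the thread's author ran: a small Python evaluator for the IOS extended-ACL syntax used above. It embeds the VLAN10 and VLAN20 inbound lists (with a wildcard mask on every subnet and the DHCP entry written as the request flow: any source, client port bootpc, to any destination, server port bootps, because a DHCP Discover arrives from 0.0.0.0 and would never match a 192.168.x.0 source), models reflect/evaluate with a flow table, and runs constructed packets through them. The host addresses, ephemeral ports and case names are assumptions made for the test; only contiguous wildcard masks and "eq" port qualifiers are supported.

```python
import ipaddress
from collections import namedtuple

PORT_NAMES = {"bootps": 67, "bootpc": 68, "telnet": 23, "www": 80}  # IOS port keywords used here
Packet = namedtuple("Packet", "src dst proto sport dport", defaults=(0, 0))  # proto: tcp/udp/icmp
# action is permit/deny/evaluate; reflect = reflexive list a permit feeds; name = list evaluate reads
Ace = namedtuple("Ace", "action proto src sport dst dport reflect name", defaults=(None,) * 7)

def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # An IOS wildcard is a host mask (1 bits are "don't care"); only contiguous masks are handled,
    # and an all-zero wildcard is spelled out as /32 because ipaddress would read it as /0.
    mask = "32" if tokens[1] == "0.0.0.0" else tokens[1]
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def _parse_port(tokens):
    """Consume an optional 'eq PORT' qualifier; return (port or None, remaining tokens)."""
    if len(tokens) >= 2 and tokens[0] == "eq":
        return PORT_NAMES.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens

def parse_ace(line):
    """Parse one ACE line; returns None for blank lines and remarks, skips a sequence number."""
    tokens = line.split()
    if tokens and tokens[0].isdigit():
        tokens = tokens[1:]
    if not tokens or tokens[0] == "remark":
        return None
    if tokens[0] == "evaluate":
        return Ace("evaluate", name=tokens[1])
    src, rest = _parse_addr(tokens[2:])
    sport, rest = _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)
    reflect = rest[1] if len(rest) >= 2 and rest[0] == "reflect" else None
    return Ace(tokens[0], tokens[1], src, sport, dst, dport, reflect)

def _matches(ace, pkt):
    """True when pkt satisfies every field of a permit or deny entry."""
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace.src
            and ipaddress.ip_address(pkt.dst) in ace.dst
            and ace.sport in (None, pkt.sport) and ace.dport in (None, pkt.dport))

def evaluate_acl(acl_text, pkt, reflex):
    """Return 'permit' or 'deny' for pkt; reflex maps reflexive-list name -> open flow keys."""
    for line in acl_text.splitlines():
        ace = parse_ace(line)
        if ace is None:
            continue
        if ace.action == "evaluate":  # is this the reply to a flow a 'reflect' entry opened?
            if (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport) in reflex.get(ace.name, ()):
                return "permit"
            continue
        if _matches(ace, pkt):
            if ace.action == "permit" and ace.reflect:  # record the mirrored flow for the reply
                reflex.setdefault(ace.reflect, set()).add(
                    (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport))
            return ace.action
    return "deny"  # the implicit deny at the end of every IOS ACL

# The thread's inbound ACLs for the VLAN10 and VLAN20 SVIs, with DHCP written as the request flow.
ACL_VLAN10_IN = """
evaluate REFLEX-ACL
deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
permit tcp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 80
permit ip 192.168.10.0 0.0.0.255 host 192.168.30.100
permit udp any eq bootpc any eq bootps
permit ip 192.168.10.0 0.0.0.255 host 192.168.10.1
"""
ACL_VLAN20_IN = """
permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 reflect REFLEX-ACL
permit tcp 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 80
permit ip 192.168.20.0 0.0.0.255 host 192.168.30.100
permit udp any eq bootpc any eq bootps
permit ip 192.168.20.0 0.0.0.255 host 192.168.20.1
"""

def check_policy():
    """Run constructed packets (addresses are assumptions) through the ACLs in order; return verdicts."""
    reflex = {}
    cases = [  # (case name, ACL the packet enters through, packet)
        ("vlan20_pings_vlan10", ACL_VLAN20_IN, Packet("192.168.20.5", "192.168.10.2", "icmp")),
        ("vlan10_echo_reply", ACL_VLAN10_IN, Packet("192.168.10.2", "192.168.20.5", "icmp")),
        ("vlan10_pings_vlan20", ACL_VLAN10_IN, Packet("192.168.10.2", "192.168.20.9", "icmp")),
        ("vlan10_http_to_vlan30", ACL_VLAN10_IN, Packet("192.168.10.2", "192.168.30.7", "tcp", 40000, 80)),
        ("vlan10_ssh_to_vlan30", ACL_VLAN10_IN, Packet("192.168.10.2", "192.168.30.7", "tcp", 40001, 22)),
        ("vlan10_ssh_to_host100", ACL_VLAN10_IN, Packet("192.168.10.2", "192.168.30.100", "tcp", 40002, 22)),
        ("dhcp_discover", ACL_VLAN10_IN, Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67)),
    ]
    return {name: evaluate_acl(acl, pkt, reflex) for name, acl, pkt in cases}

if __name__ == "__main__":
    for name, verdict in check_policy().items():
        print(f"{name:24} {verdict}")
```

The cases are run in order on purpose: the VLAN20 to VLAN10 ping must come first so that its reflect entry exists when the echo reply is evaluated on VLAN10, which is exactly the ordering dependency a reflexive ACL introduces on the switch.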

Re: ACL+VLAN Interfaces 8 years 8 months ago #25442

Thank you for replying.

I applied the ACL to the VLAN20 interface (ip access-group aclno in). When I ping from 192.168.10.2 to 192.168.20.0, I get "request timed out". But when I ping from 192.168.20.0 to 192.168.10.0, I get "destination net unreachable", where I should be getting replies. Why am I not able to ping from 20.0 to 10.0?