ACL applying over VLAN

  • Problem
  • Updated 2 months ago
  • Solved
We have three VLANs, all with inter-VLAN routing.
VLAN-1= 10.3.1.0
VLAN-2= 10.3.2.0
VLAN-3= 10.3.5.0
My boss wants VLAN-2 and VLAN-3 not to communicate with VLAN-1, so we implemented a policy to disable traffic forwarding to VLAN-1.

After applying this policy on VLAN-1 in the ingress direction, VLAN-2 and VLAN-3 are not communicating.

I want VLAN-2 and VLAN-3 to communicate with each other.
Alok Shukla

Posted 2 months ago
Andre Brits Kannemeyer
The easier option would be to disable IP forwarding for VLAN 1.
Immo Wetzel
Usually VLANs are used to separate traffic. So from a pure switching point of view, and with no bad cable-based VLAN translations, they don't see each other.
Maybe you implemented some routing. If so, follow the proposal from Alok.
Alok Shukla
I don't want to disable IP forwarding for VLAN-1.
Immo Wetzel
If VLAN 1 should not communicate with VLAN 2, what are you doing with IP forwarding?
Switching will be done anyway, or are you talking about an additional uplink?
Alok Shukla
VLAN-1 is used for the uplink, but VLAN-2 and VLAN-3 users should communicate.
Immo Wetzel
I don't get you. If VLAN 2 and VLAN 3 should be able to use the uplink, but the uplink-connected hosts should not reach VLAN 2 and 3, you need a firewall.
If VLAN 2 and VLAN 3 should not reach the uplink, just disable IP forwarding for VLAN 1, because there is no need for it.
Jarek
Hi,

you have:

- VLAN-1= 10.3.1.0/24
- VLAN-2= 10.3.2.0/24
- VLAN-3= 10.3.5.0/24

and you want to block traffic from VLAN-2 to VLAN-1,
then you should apply an ACL on VLAN-2 on ingress like below:

entry V1_block {
    if match all {
        destination-address 10.3.1.0/24;
    } then {
        count traffic_to_v1;
        deny;
    }
}

The example will be similar for VLAN-3.

--
Jarek
(Edited)
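An added illustration of the placement Jarek describes, not code from the thread or from any switch vendor: a small Python model of per-VLAN ingress ACLs using the thread's /24 subnets and constructed host addresses. First-match-wins and an implicit permit for unmatched packets are my assumptions for the toy model, as is the host addressing. It shows that the destination-address deny works when it sits on VLAN-2 and VLAN-3 ingress, that the same entry placed on VLAN-1 ingress never sees VLAN-2/3 packets and so blocks nothing between VLANs, and one side effect worth knowing before deploying: because the ACL is stateless, VLAN-1 hosts also lose TCP sessions into VLAN-2/3, since the replies are the packets that get dropped.

```python
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass, field

# Subnets from the thread, with the /24 prefix length Jarek assumed.
VLANS = {
    "VLAN-1": ipaddress.ip_network("10.3.1.0/24"),
    "VLAN-2": ipaddress.ip_network("10.3.2.0/24"),
    "VLAN-3": ipaddress.ip_network("10.3.5.0/24"),
}


@dataclass(frozen=True)
class Entry:
    """One policy entry: 'if match all { destination-address X } then { count C; deny }'."""
    name: str
    dst: ipaddress.IPv4Network      # destination-address condition
    action: str                     # "deny" or "permit"
    counter: str | None = None      # name used by the 'count' action, if any


# Jarek's entry, as written in the thread.
V1_BLOCK = Entry("V1_block", ipaddress.ip_network("10.3.1.0/24"), "deny", "traffic_to_v1")


@dataclass
class Switch:
    """Toy L3 switch: an ingress policy (list of entries) per VLAN, plus hit counters."""
    ingress: dict[str, list[Entry]] = field(default_factory=dict)
    counters: Counter = field(default_factory=Counter)

    def vlan_of(self, ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        for name, net in VLANS.items():
            if addr in net:
                return name
        raise ValueError(f"{ip} is not in any known VLAN")

    def forward(self, src: str, dst: str) -> str:
        """Apply the ingress policy of the VLAN the packet arrives on.
        Assumption: first matching entry wins, and a packet matching no
        entry is permitted (no explicit catch-all deny in the policy)."""
        vlan = self.vlan_of(src)
        dst_addr = ipaddress.ip_address(dst)
        for entry in self.ingress.get(vlan, []):
            if dst_addr in entry.dst:
                if entry.counter:
                    self.counters[entry.counter] += 1
                return entry.action
        return "permit"


def reachability(switch: Switch, hosts: dict[str, str]) -> dict[tuple[str, str], str]:
    """One-way verdict for every ordered pair of sample hosts."""
    return {(a, b): switch.forward(hosts[a], hosts[b])
            for a in hosts for b in hosts if a != b}


def tcp_session_possible(switch: Switch, client: str, server: str) -> bool:
    """A stateless ACL sees the reply as a fresh packet, so a session only
    works if both directions are permitted."""
    return (switch.forward(client, server) == "permit"
            and switch.forward(server, client) == "permit")


def jarek_switch() -> Switch:
    """Jarek's placement: the same entry on VLAN-2 and VLAN-3 ingress, nothing on VLAN-1."""
    return Switch(ingress={"VLAN-2": [V1_BLOCK], "VLAN-3": [V1_BLOCK]})


def vlan1_ingress_switch() -> Switch:
    """The same entry applied on VLAN-1 ingress only (the direction the original post used)."""
    return Switch(ingress={"VLAN-1": [V1_BLOCK]})


# Constructed sample hosts, one per VLAN.
HOSTS = {"VLAN-1": "10.3.1.10", "VLAN-2": "10.3.2.10", "VLAN-3": "10.3.5.10"}

if __name__ == "__main__":
    for label, sw in (("ACL on VLAN-2/3 ingress", jarek_switch()),
                      ("ACL on VLAN-1 ingress", vlan1_ingress_switch())):
        print(f"== {label} ==")
        for (a, b), verdict in reachability(sw, HOSTS).items():
            print(f"  {a} -> {b}: {verdict}")
        print("  VLAN-1 client to VLAN-2 server, TCP:",
              tcp_session_possible(sw, HOSTS["VLAN-1"], HOSTS["VLAN-2"]))
        print("  counters:", dict(sw.counters))
```

The counter mirrors the `count traffic_to_v1` action, which is the part worth keeping an eye on after rollout: a rising deny count on VLAN-2 or VLAN-3 ingress is the cheapest signal that something in those VLANs is still trying to reach the uplink network.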