ACL for applying over VLAN

We have 4 VLANs on a Core Switch (MLAG configured):
VLAN 1: 10.3.1.0
VLAN 2: 10.3.2.0
VLAN 3: 10.3.3.0
VLAN 4: 10.3.4.0

We don't want VLAN-3 and VLAN-2 to communicate with VLAN-1,
but VLAN-2 and VLAN-3 should communicate with each other.
Please help me with what ACL should be applied.
Alok Shukla

Posted 8 months ago
Mel78, CISSP, ECE
The most straightforward way to do this is using a VRF.
Aman Choubey
Hi Alok,

You can deny the traffic to VLAN 1 from VLAN 2 & VLAN 3:

# ExtremeXOS policy file: drop packets sourced in VLAN 2 or VLAN 3
# that are destined for the VLAN 1 subnet; everything else is untouched.
entry Vlan_2 {
    if match all {
        source-address 10.3.2.0/24;
        destination-address 10.3.1.0/24;
    } then {
        count Corp_Vlan_2;
        deny;
    }
}
entry Vlan_3 {
    if match all {
        source-address 10.3.3.0/24;
        destination-address 10.3.1.0/24;
    } then {
        count Corp_Vlan_3;
        deny;
    }
}
Alok Shukla
Thanks Aman.
This ACL is applied in the ingress direction.
Alok Shukla
It's not working; both VLANs are still pinging each other.
Aman Choubey
Did you apply it in the ingress direction?
Aman Choubey
** count Corp_Vlan_3 in the last statement.
I am also doing this for the first time, so it could be wrong, but it should work.
Alok Shukla
Yes, we had applied it in the ingress direction, but both VLANs can still ping each other.

Note: If an ACL needs to be installed for traffic that is L3 routed, and the ingress/egress ports are on different packet-processing units or different slots, and any of the following features are enabled, we recommend that you install the policy on a per-port basis rather than applying it as a wildcard or VLAN-based ACL.

  • MLAG (Multi-switch Link Aggregation Group)
  • PVLAN
  • Multiport-FDB (forwarding database)
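A complete worked version of the thread's approach, added here as an example and not taken from any of the posts above. It assumes the policy is named deny_to_vlan1, that the VLAN 2 and VLAN 3 hosts enter the core on ports 1:1-1:4 and 2:1-2:4 of each MLAG peer, and that the same file is present on both peers; it shows the policy file, the per-port installation the note above recommends instead of a VLAN-based one, and the counter check that tells you whether the entries are actually being hit:

```text
# File: deny_to_vlan1.pol (assumed name; create it with "edit policy deny_to_vlan1"
# or copy it to /config/ on BOTH MLAG peers, since an ACL is local to the switch
# that installs it and either peer may route the packet)
entry deny_v2_to_v1 {
    if match all {
        source-address 10.3.2.0/24;
        destination-address 10.3.1.0/24;
    } then {
        count deny_v2_to_v1;
        deny;
    }
}
entry deny_v3_to_v1 {
    if match all {
        source-address 10.3.3.0/24;
        destination-address 10.3.1.0/24;
    } then {
        count deny_v3_to_v1;
        deny;
    }
}
# There is deliberately no entry for 10.3.2.0/24 <-> 10.3.3.0/24 or for VLAN 4:
# ExtremeXOS forwards a packet that matches no entry, so VLAN 2, VLAN 3 and VLAN 4
# keep communicating. Add an explicit deny-all entry if you want default-deny.

# CLI, run on BOTH MLAG peers.
# 1. Syntax-check the file before installing it.
check policy deny_to_vlan1

# 2. Per-port install on the ingress ports of the VLAN 2 / VLAN 3 hosts
#    (port list is an assumption), as the note recommends for L3-routed traffic
#    on an MLAG pair, instead of the VLAN-based form
#      configure access-list deny_to_vlan1 vlan VLAN_2 ingress
configure access-list deny_to_vlan1 ports 1:1-1:4,2:1-2:4 ingress

# 3. If the file is edited later, push the change without reinstalling.
refresh policy deny_to_vlan1

# 4. Verify: ping 10.3.1.x from a VLAN 2 host. The ping must fail and the
#    deny_v2_to_v1 counter must increase on the peer that received the packet.
show access-list
show access-list counter deny_v2_to_v1 ports 1:1-1:4,2:1-2:4 ingress
```

If the counters stay at zero while the ping still succeeds, the packets are not reaching the ports where the policy is installed; check which peer and which port the VLAN 2 traffic actually enters on before changing the entries themselves. Because the entries only drop the VLAN 2/3 to VLAN 1 direction, a ping started from VLAN 1 also fails once installed, since the echo reply is dropped on its way back.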