ACL to apply on a VLAN


Userlevel 1
We have 4 VLANs on a core switch (MLAG configured):
VLAN 1: 10.3.1.0
VLAN 2: 10.3.2.0
VLAN 3: 10.3.3.0
VLAN 4: 10.3.4.0

We don't want VLAN 3 and VLAN 2 to communicate with VLAN 1,
but VLAN 2 and VLAN 3 should communicate with each other.
Please help me with what ACL should be applied.

7 replies

Userlevel 3
The most straightforward way to do this is using a VRF.
Userlevel 1
Hi alok,

You can deny the traffic for VLAN 1 from VLAN 2 & VLAN 3.

entry Vlan_2 {
    if match all {
        source-address 10.3.2.0/24;
        destination-address 10.3.1.0/24;
    }
    then {
        count Corp_Vlan_2;
        deny;
    }
}
entry Vlan_3 {
    if match all {
        source-address 10.3.3.0/24;
        destination-address 10.3.1.0/24;
    }
    then {
        count Corp_Vlan_Traffic2;
        deny;
    }
}
Userlevel 1
Aman wrote:

Hi alok,

You can deny the traffic for VLAN 1 from VLAN 2 & VLAN 3.

entry Vlan_2 {
    if match all {
        source-address 10.3.2.0/24;
        destination-address 10.3.1.0/24;
    }
    then {
        count Corp_Vlan_2;
        deny;
    }
}
entry Vlan_3 {
    if match all {
        source-address 10.3.3.0/24;
        destination-address 10.3.1.0/24;
    }
    then {
        count Corp_Vlan_Traffic2;
        deny;
    }
}

Thanks Aman.
This ACL is applied in the ingress direction.
Userlevel 1
It's not working; both VLANs are still pinging each other.
Userlevel 1
Alok Shukla wrote:

It's not working; both VLANs are still pinging each other.

Did you apply it in the ingress direction?
Userlevel 1
Alok Shukla wrote:

It's not working; both VLANs are still pinging each other.

** count Corp_Vlan_3 in the last statement.
I am also doing this for the first time, so it could be wrong, but it should work.
Userlevel 1
Alok Shukla wrote:

It's not working; both VLANs are still pinging each other.

Yes, we had applied it in the ingress direction, but both VLANs can still ping each other.

Note: If an ACL needs to be installed for traffic that is L3 routed, and the ingress/egress ports are on different packet-processing units or different slots, and any of the following features are enabled, we recommend that you install the policy on a per-port basis rather than applying it as a wildcard or VLAN-based ACL:
• MLAG (Multi-switch Link Aggregation Group)
• PVLAN
• Multiport-FDB (forwarding database)
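To check that the posted policy actually expresses the requested intent before troubleshooting the MLAG placement, here is an added first-match evaluator (example code, not part of the thread or of EXOS) that runs the two deny entries against constructed host addresses. It assumes the policy sits on the ingress of VLAN 2 and VLAN 3 (or on the member ports, as the note above advises) and that traffic matching no entry is forwarded.

```python
from ipaddress import ip_address, ip_network

# Mirrors the two entries Aman posted; order matters, first match wins.
POLICY = [
    {"name": "Vlan_2", "src": "10.3.2.0/24", "dst": "10.3.1.0/24", "action": "deny"},
    {"name": "Vlan_3", "src": "10.3.3.0/24", "dst": "10.3.1.0/24", "action": "deny"},
]

# Constructed sample hosts, one per VLAN from the original post.
HOSTS = {"VLAN1": "10.3.1.10", "VLAN2": "10.3.2.10",
         "VLAN3": "10.3.3.10", "VLAN4": "10.3.4.10"}


def evaluate(policy, src, dst, default="permit"):
    """Return (action, entry name) for a packet src -> dst.

    Unmatched traffic falls through to `default` (assumption: forwarded).
    """
    s, d = ip_address(src), ip_address(dst)
    for entry in policy:
        if s in ip_network(entry["src"]) and d in ip_network(entry["dst"]):
            return entry["action"], entry["name"]
    return default, None


def ping_succeeds(policy, src, dst):
    """A ping needs both the echo request and the echo reply to pass.

    Even though nothing denies VLAN 1 -> VLAN 2, the reply from VLAN 2
    back to VLAN 1 hits entry Vlan_2, so the ping still fails.
    """
    request, _ = evaluate(policy, src, dst)
    reply, _ = evaluate(policy, dst, src)
    return request == "permit" and reply == "permit"


def traffic_matrix(policy, hosts=HOSTS):
    """Which VLAN pairs can ping each other under this policy."""
    return {(a, b): ping_succeeds(policy, hosts[a], hosts[b])
            for a in hosts for b in hosts if a != b}


if __name__ == "__main__":
    for (a, b), ok in sorted(traffic_matrix(POLICY).items()):
        print(f"{a} -> {b}: {'ping ok' if ok else 'blocked'}")
```

If this matrix matches what you want but the switch still forwards the traffic, the policy text is not the problem and the per-port installation described in the note is the next thing to try.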
