ACLs For 5406zl
ProCurver
Occasional Collector

ACLs For 5406zl

I have a network with one 5406zl switch and about 20 2520 switches.

Many VLANs are configured on the network; one of them is VLAN 15 (10.15.0.0/16) and another is VLAN 70 (10.70.0.0/16).

I have been asked to enable communication between one host on VLAN 15 (10.15.0.1) and one host on VLAN 70 (10.70.0.5) only, and to prevent any other communication between these two VLANs and any other VLANs.

Since I'm new to the whole ACL concept, I have been trying but I couldn't find the right way to do it.

 

Could I do it on this network?

And how!!

Thanks in advance

4 REPLIES
Peter_Debruyne
Honored Contributor
Solution

Re: ACLs For 5406zl

Hi,

1/ Define the ACLs in global config:

ip access-list extended acl-v0015-in
 # allow traffic between 2 hosts
 permit ip host 10.15.0.1 host 10.70.0.5
 # no more commands required, the last (implicit) rule is to drop all other traffic

ip access-list extended acl-v0070-in
 permit ip host 10.70.0.5 host 10.15.0.1

2/ Link the ACLs to the routed VLAN interfaces on the core; these apply to the INBOUND direction from the core's point of view:

vlan 15
 ip access-group acl-v0015-in in
vlan 70
 ip access-group acl-v0070-in in

That should be it.

Best regards, Peter

ProCurver
Occasional Collector

Re: ACLs For 5406zl

Dear Peter,

But in this case I'll prevent any traffic between hosts in the same VLAN, right?

How would I allow the communication between the hosts in VLAN 70?

Thanks in advance :-)

Peter_Debruyne
Honored Contributor

Re: ACLs For 5406zl

Hi,

No, the provided configuration will only block traffic between VLANs (routed traffic), not the traffic inside the VLAN (switched traffic).

So the hosts inside VLAN 70 will be able to connect to each other, and the hosts inside the other VLAN can also connect to each other; only traffic between the VLANs is filtered by the ACL.

If you do want to filter the switched traffic, you have to use this command:

vlan x
 ip access-group acl-name vlan

The vlan keyword means the ACL is applied to the switched traffic (host to host inside this VLAN).

Best regards, Peter
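The two answers above describe first-match ACL evaluation ending in an implicit deny, an inbound routed ACL that leaves switched traffic alone, and the vlan binding that does filter switched traffic. The following Python is an added model of exactly that logic, not code from the thread or from HPE; the forward/evaluate names, and the extra unfiltered VLAN 20 used to show the return-path effect, are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Ace:
    """One ACL entry: 'permit'/'deny' plus source and destination specs."""
    action: str
    src: str   # "host 10.15.0.1", "10.70.0.0/16" or "any"
    dst: str

    @staticmethod
    def _match(spec, ip):
        if spec == "any":
            return True
        if spec.startswith("host "):
            return ip == spec[5:]
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

    def matches(self, src_ip, dst_ip):
        return self._match(self.src, src_ip) and self._match(self.dst, dst_ip)

def evaluate(acl, src_ip, dst_ip):
    """First matching entry wins; no match falls into the implicit deny-all."""
    for ace in acl:
        if ace.matches(src_ip, dst_ip):
            return ace.action
    return "deny"

@dataclass
class Vlan:
    network: str
    racl_in: list = field(default_factory=list)  # bound with "ip access-group NAME in"
    vacl: list = field(default_factory=list)     # bound with "ip access-group NAME vlan"

def vlan_of(vlans, ip):
    return next(v for v in vlans if ipaddress.ip_address(ip) in ipaddress.ip_network(v.network))

def forward(vlans, src_ip, dst_ip):
    """Model of the core's decision: RACL 'in' for routed traffic, VACL for switched."""
    src_vlan, dst_vlan = vlan_of(vlans, src_ip), vlan_of(vlans, dst_ip)
    if src_vlan is dst_vlan:  # switched inside the VLAN: only a "vlan" binding applies
        return evaluate(src_vlan.vacl, src_ip, dst_ip) if src_vlan.vacl else "permit"
    # routed between VLANs: the inbound RACL of the VLAN the packet arrives from applies
    return evaluate(src_vlan.racl_in, src_ip, dst_ip) if src_vlan.racl_in else "permit"

# Constructed topology from the thread; VLAN 20 is an assumed extra VLAN with no ACL
ACL_V15_IN = [Ace("permit", "host 10.15.0.1", "host 10.70.0.5")]
ACL_V70_IN = [Ace("permit", "host 10.70.0.5", "host 10.15.0.1")]
VLANS = [Vlan("10.15.0.0/16", racl_in=ACL_V15_IN),
         Vlan("10.70.0.0/16", racl_in=ACL_V70_IN),
         Vlan("10.20.0.0/16")]
```

Like the real ACLs, the model is stateless: a host on the unfiltered VLAN 20 can send into VLAN 15, but the reply out of VLAN 15 falls into acl-v0015-in's implicit deny, which is why both directions need their own permit.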

 

 

ProCurver
Occasional Collector

Re: ACLs For 5406zl

Thank you Peter :-)

It worked fine :)