Hello,
I have some trouble implementing extended ACLs between VLANs. I would like to control the traffic and so only permit allowed traffic.
I am starting from a simple configuration with 2 VLANs:
- VLAN 10 : 192.168.10.0/24
- VLAN 20 : 192.168.20.0/24
I would like:
- all members of VLAN 10 to access host 192.168.20.21 on port 22
- all members of VLAN 20 to access host 192.168.10.11 on port 80
First of all, I have created two access-lists:
ip access-list extended "vlan10-in"
10 permit tcp 192.168.10.0 0.0.0.255 192.168.20.21 0.0.0.0 eq 22
ip access-list extended "vlan20-in"
10 permit tcp 192.168.20.0 0.0.0.255 192.168.10.11 0.0.0.0 eq 80
Then I've applied the first access-list to VLAN 10:
vlan 10
name "vlan10"
untagged 1
ip access-group "vlan10-in" in
ip address 192.168.10.1 255.255.255.0
At this step it works: I can access 192.168.20.21 on port 22 but not on any other port.
Then I've done the same thing for VLAN 20:
vlan 20
name "vlan20"
untagged 2
ip access-group "vlan20-in" in
ip address 192.168.20.1 255.255.255.0
And then, nothing works...
I suppose that it doesn't work because of the implicit denies on each access-list, which block each other.
I tried to add two new access-lists and to modify the VLANs to only filter on inbound packets:
ip access-list extended "vlan10-out"
10 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
ip access-list extended "vlan20-out"
10 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
vlan 10
name "vlan10"
untagged 1
ip access-group "vlan10-in" in
ip access-group "vlan10-out" out
ip address 192.168.10.1 255.255.255.0
vlan 20
name "vlan20"
untagged 2
ip access-group "vlan20-in" in
ip access-group "vlan20-out" out
ip address 192.168.20.1 255.255.255.0
But it doesn't work any better...
If someone has some ideas it would be great!
Thank you very much,
Thierry.
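Added example (my own code, not part of Thierry's post and not the switch's own logic): a small stateless ACL evaluator that replays the SYN and the SYN-ACK of one TCP session through the two inbound ACLs from the post, which makes visible why the reply is dropped by the other VLAN's implicit deny. The `WITH_RETURN` entries are an assumed repair written in the same ACE notation as the post (a source-port `eq` before the destination); they are not quoted from any vendor documentation.

```python
import ipaddress

def wildcard_match(addr, wildcard, ip):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    a, w, i = (int(ipaddress.IPv4Address(x)) for x in (addr, wildcard, ip))
    return (a | w) == (i | w)

def parse_entry(line):
    """Parse 'permit|deny tcp|ip SRC WILD [eq SPORT] DST WILD [eq DPORT]' into a dict."""
    tok = line.split()
    ace = {"action": tok[0], "proto": tok[1], "sport": None, "dport": None}
    tok = tok[2:]
    ace["src"], ace["smask"], tok = tok[0], tok[1], tok[2:]
    if tok and tok[0] == "eq":
        ace["sport"], tok = int(tok[1]), tok[2:]
    ace["dst"], ace["dmask"], tok = tok[0], tok[1], tok[2:]
    if tok and tok[0] == "eq":
        ace["dport"] = int(tok[1])
    return ace

def evaluate(acl, pkt):
    """First match wins; no match falls through to the implicit deny."""
    for e in acl:
        if (e["proto"] in ("ip", pkt["proto"])
                and wildcard_match(e["src"], e["smask"], pkt["src"])
                and wildcard_match(e["dst"], e["dmask"], pkt["dst"])
                and e["sport"] in (None, pkt["sport"])
                and e["dport"] in (None, pkt["dport"])):
            return e["action"] == "permit"
    return False  # implicit deny

def session_allowed(acl_in, src_vlan, dst_vlan, src, dst, dport, sport=40000):
    """Stateless ACLs: the SYN must pass inbound on the client's VLAN and the
    SYN-ACK must pass inbound on the server's VLAN, each on its own merits."""
    syn = {"proto": "tcp", "src": src, "dst": dst, "sport": sport, "dport": dport}
    syn_ack = {"proto": "tcp", "src": dst, "dst": src, "sport": dport, "dport": sport}
    return evaluate(acl_in[src_vlan], syn) and evaluate(acl_in[dst_vlan], syn_ack)

# The two inbound ACLs exactly as given in the post, one per VLAN.
POSTED = {
    10: [parse_entry("permit tcp 192.168.10.0 0.0.0.255 192.168.20.21 0.0.0.0 eq 22")],
    20: [parse_entry("permit tcp 192.168.20.0 0.0.0.255 192.168.10.11 0.0.0.0 eq 80")],
}
# Assumed repair (not from the post): each inbound ACL also permits the replies
# that the other VLAN's permitted sessions send back (source port = service port).
WITH_RETURN = {
    10: POSTED[10] + [parse_entry("permit tcp 192.168.10.11 0.0.0.0 eq 80 192.168.20.0 0.0.0.255")],
    20: POSTED[20] + [parse_entry("permit tcp 192.168.20.21 0.0.0.0 eq 22 192.168.10.0 0.0.0.255")],
}
```

Calling `session_allowed(POSTED, 10, 20, "192.168.10.5", "192.168.20.21", 22)` returns False because the SYN-ACK enters VLAN 20 and matches nothing but the implicit deny; the same call against `WITH_RETURN` returns True, while other ports and other hosts stay denied.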