ACL sample

Hi guys,

Need your help in configuring this ACL.

VLAN 10 can access all VLAN
VLAN 20 can access VLAN 10
VLAN 30 can access VLAN 10

all other VLAN cannot access any VLAN just internet.

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

TheNewITGuy

Well given the subnets are say:

VLAN 10: 192.168.10.0/24
VLAN 20: 192.168.20.0/24
VLAN 30: 192.168.30.0/24

access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny ip <other vlan> 192.168.0.0 0.0.7.255
access-list 100 permit ip <other vlan> any
access-list 100 deny ip any any

Zartanasaurus

olihc wrote: »

Hi guys,

Need your help in configuring this ACL.

VLAN 10 can access all VLAN
VLAN 20 can access VLAN 10
VLAN 30 can access VLAN 10

all other VLAN cannot access any VLAN just internet.

You should at least show what you've tried up to this point before you ask strangers on the internet to do your homework.

theodoxa

Assuming that all the VLANs are trunked to a single router that performs Inter-VLAN Routing.

Router(config)#ip access-list extended VLACL
Router(config-nacl)#permit ip <VLAN 10 Subnet ID> <VLAN 10 Wildcard Mask> any
Router(config-nacl)#permit ip <VLAN 20 Subnet ID> <VLAN 20 Wildcard Mask> <VLAN 10 Subnet ID> <VLAN 10 Wildcard Mask>
Router(config-nacl)#permit ip <VLAN 30 Subnet ID> <VLAN 30 Wildcard Mask> <VLAN 10 Subnet ID> <VLAN 10 Wildcard Mask>
Router(config-nacl)#exit
Router(config)#int Fa0/0.10
Router(config-subif)#ip access-group VLACL in
Router(config-subif)#int Fa0/0.20
Router(config-subif)#ip access-group VLACL in
Router(config-subif)#int Fa0/0.30
Router(config-subif)#ip access-group VLACL in

Additionaly, if VLAN 20 and VLAN 30 are contiguous, you might be able to summarize them into a single entry by simply adjusting the wildcard mask. Now, if someone here who knows could answer this question, could he put the ACL on the physical interface [to apply to all subinterfaces] or would he have to apply it to each of the three subinterfaces?

TheNewITGuy

you forgot the access to the internet.

olihc

haven't tried anything because it's now in production, the only time I can try this is on weekends.

Zartanasaurus wrote: »

You should at least show what you've tried up to this point before you ask strangers on the internet to do your homework.

theodoxa

TheNewITGuy wrote: »

you forgot the access to the internet.

Didn't even notice that.

Router(config-nacl)#deny ip <OTHER VLANS SUBNET ID> <OTHER VLANS WILDCARD MASK> <ALL VLANS SUBNET ID> <ALL VLANS WILDCARD MASK>
Router(config-nacl)#permit ip <OTHER VLANS SUBNET ID> <OTHER VLANS WILDCARD MASK> any