Ruijie Community

Title: Request: How to allow VLAN1 (eg, Internal Network) access to VLAN10 (eg, CCTV Network & PCs), but VLAN10 unable to access VLAN1

Author: it@peacepack.co    Time: 2024-3-22 11:13
Title: Request: How to allow VLAN1 (eg, Internal Network) access to VLAN10 (eg, CCTV Network & PCs), but VLAN10 unable to access VLAN1
Hi, I would like to configure one-way access from VLAN1 to VLAN10, but not allow VLAN10 to access VLAN1.
Please advise what configuration is needed in the console.

Switch Model: Ruijie RG-CS83-24GT4XS (Layer 3 Switch)

VLAN1 = 192.168.11.0 (Internal Network)
VLAN10 (port 1) = 192.168.10.0 (CCTV Network & PCs)

Port 1: VLAN10 - Access mode (DHCP Client:192.168.10.2)
Port 9: VLAN1 - Access mode (DHCP Client: 192.168.11.2)

permit VLAN1 (192.168.11.0) to access VLAN10 (192.168.10.0)
deny VLAN10 (192.168.10.0) to access VLAN11 (192.168.11.0)

I tried to configure the script as below, but nothing works (even when a VLAN1 IP tries to ping a VLAN10 IP from a PC, it shows Request timed out; the Remote Access attempt also failed).

conf ter
ip access-list extended vlan10
10 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
20 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
30 permit ip any any
exit

int g0/1
ip access-group vlan10 in
end
wr

Thank you.

From Jim

Author: yangyue1@ruijie    Time: 2024-3-22 11:51
Hello sir, please try this one:
conf ter
ip access-list extended vlan10
10 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
20 permit ip any any
exit
int g0/1
ip access-group vlan10 out
end
wr

Author: it@peacepack.co    Time: 2024-3-22 12:11
GTAC-Stella replied at 2024-3-22 11:51
Hello sir, plz try this one
conf ter
ip access-list extended vlan10

Hi Stella,

Thanks for replying to my post.

I have followed your steps, but unfortunately it does not work as it should.
With your suggested configuration, I can PING and Remote Access from VLAN1 to VLAN10;
however, the VLAN10 PC can both PING and Remote my own PC as well...

Author: yujiamin1@ruiji    Time: 2024-3-22 13:45
Jim Khor replied at 2024-3-22 12:11
Hi Stella,

Thank for replying my post.

Dear sir

You can only block one-way ping via the following commands:
conf ter
ip access-list extended vlan10
10 deny icmp 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255 echo   --> deny the ICMP echo packets of the vlan10 to vlan11 traffic
20 permit ip any any
exit
Then you can apply the ACL to the specific interface and test again. The above ACL only blocks ICMP echo packets from vlan10 to vlan11, but ICMP reply packets are not blocked. So only vlan11 cannot access the vlan10 network, but vlan10 can still access the vlan11 network actively.


Best regards
Jenny


Author: it@peacepack.co    Time: 2024-3-22 16:49
俞佳敏1 replied at 2024-3-22 13:45
Dear sir

You can only block one-way ping via the following commands:

Dear Jenny,

conf ter
ip access-list extended vlan10
10 deny icmp 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255 echo   --> deny the ICMP echo packets of the vlan10 to vlan11 traffic
20 permit ip any any
exit


Please advise what "but icmp reply packets are not blocked" means.

I configured the settings you gave; ECHO is not working from VLAN10 to VLAN1, but the VLAN10 PC is still able to Remote Access the PC in VLAN1.
What command do I need to get rid of it?
Thanks.

Author: guominxiang@rui    Time: 2024-3-22 19:42
Jim Khor replied at 2024-3-22 16:49
Dear Jenny,

conf ter

Ping packets are divided into ICMP echo and ICMP reply.

no 10 deny icmp 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255 echo   --> this is for deleting the rule


Author: it@peacepack.co    Time: 2024-4-7 18:47
GTAC-Micca replied at 2024-3-22 19:42
ping packets are divided into icmp echo and icmp reply

no 10 deny icmp 192.168.10.0 0.0.0.255 192 ...

Dear Micca,

Noted & thanks
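
To see why each ACL in this thread behaved the way the poster reported, the following is an added example (not from the thread or from Ruijie) that models a stateless, first-match ACL in Python and runs the three posted ACLs, in the direction each was applied on g0/1, over constructed sample traffic between the two DHCP clients (192.168.11.2 and 192.168.10.2). It also runs a constructed fourth ACL (not proposed by anyone in the thread) that permits only reply traffic from VLAN10 to VLAN1, using an "established"-style match on the TCP ACK/RST flags, and then denies the rest of that direction. The `Rule` and `Packet` fields, the `established` flag and the flow names are assumptions of this model, not switch syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of a stateless, first-match ACL on a VLAN access port.
# Not Ruijie code: the rule fields mirror the thread's ACL lines in simplified
# form so the posted configurations can be compared on the same sample traffic.

VLAN1 = ip_network("192.168.11.0/24")    # internal network
VLAN10 = ip_network("192.168.10.0/24")   # CCTV network & PCs
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                           # "icmp" or "tcp"
    icmp_type: str = ""                  # "echo" or "echo-reply"
    tcp_flags: frozenset = frozenset()   # e.g. {"SYN"}, {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    proto: str                           # "ip", "icmp" or "tcp"
    src: object                          # ip_network
    dst: object                          # ip_network
    icmp_type: str = ""                  # icmp only; "" matches any type
    established: bool = False            # tcp only: ACK or RST set, i.e. reply traffic

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in self.src or ip_address(p.dst) not in self.dst:
            return False
        if self.proto == "icmp" and self.icmp_type and self.icmp_type != p.icmp_type:
            return False
        if self.proto == "tcp" and self.established and not (p.tcp_flags & {"ACK", "RST"}):
            return False
        return True


def evaluate(acl, pkt: Packet) -> str:
    """First matching rule wins; every ACL ends with an implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def flow_allowed(acl, flow, direction: str) -> bool:
    """A flow works only if every one of its packets that crosses the ACL is permitted.
    'in' on the VLAN10 port sees packets sent by VLAN10 hosts, 'out' packets sent to them."""
    if direction == "in":
        crosses = lambda p: ip_address(p.src) in VLAN10
    else:
        crosses = lambda p: ip_address(p.dst) in VLAN10
    return all(evaluate(acl, p) == "permit" for p in flow if crosses(p))


# Constructed sample traffic between the two DHCP clients named in the thread.
SYN, SYN_ACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
FLOWS = {
    "vlan1_ping_vlan10": [Packet("192.168.11.2", "192.168.10.2", "icmp", icmp_type="echo"),
                          Packet("192.168.10.2", "192.168.11.2", "icmp", icmp_type="echo-reply")],
    "vlan1_tcp_vlan10": [Packet("192.168.11.2", "192.168.10.2", "tcp", tcp_flags=SYN),
                         Packet("192.168.10.2", "192.168.11.2", "tcp", tcp_flags=SYN_ACK),
                         Packet("192.168.11.2", "192.168.10.2", "tcp", tcp_flags=ACK)],
    "vlan10_ping_vlan1": [Packet("192.168.10.2", "192.168.11.2", "icmp", icmp_type="echo"),
                          Packet("192.168.11.2", "192.168.10.2", "icmp", icmp_type="echo-reply")],
    "vlan10_tcp_vlan1": [Packet("192.168.10.2", "192.168.11.2", "tcp", tcp_flags=SYN)],
}

# The ACLs as posted in the thread, in first-match order.
ORIGINAL_ACL = [Rule("permit", "ip", VLAN1, VLAN10),        # applied "in" on g0/1
                Rule("deny", "ip", VLAN10, VLAN1),
                Rule("permit", "ip", ANY, ANY)]
STELLA_ACL = [Rule("deny", "ip", VLAN10, VLAN1),            # applied "out" on g0/1
              Rule("permit", "ip", ANY, ANY)]
JENNY_ACL = [Rule("deny", "icmp", VLAN10, VLAN1, icmp_type="echo"),   # applied "in" on g0/1
             Rule("permit", "ip", ANY, ANY)]
# Constructed variant, not from the thread: permit only reply traffic from
# VLAN10 to VLAN1, then deny everything else in that direction.
ONE_WAY_ACL = [Rule("permit", "icmp", VLAN10, VLAN1, icmp_type="echo-reply"),
               Rule("permit", "tcp", VLAN10, VLAN1, established=True),
               Rule("deny", "ip", VLAN10, VLAN1),
               Rule("permit", "ip", ANY, ANY)]


def results(acl, direction: str) -> dict:
    """Which of the four sample flows complete under this ACL and direction."""
    return {name: flow_allowed(acl, flow, direction) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl, direction in [("original/in", ORIGINAL_ACL, "in"), ("stella/out", STELLA_ACL, "out"),
                                  ("jenny/in", JENNY_ACL, "in"), ("one-way/in", ONE_WAY_ACL, "in")]:
        print(label, results(acl, direction))
```

The model reproduces the thread: the original ACL applied inbound on the VLAN10 port drops the echo replies and SYN/ACKs that VLAN10 hosts send back to VLAN1, which is why VLAN1's pings timed out; Stella's outbound ACL never sees a packet sourced from VLAN10, so it permits everything in both directions; Jenny's ACL stops only pings initiated from VLAN10 and leaves TCP untouched, which is the remaining Remote Access problem. The one-way variant is the stateless approximation of the goal: it relies on TCP flag matching, so it is not equivalent to a stateful firewall (a host in VLAN10 can send packets with ACK set, and protocols other than ICMP and TCP would need their own rules), and whether the switch's ACL syntax offers an equivalent of the `established` match has to be confirmed in its command reference before the idea is carried over to the CLI.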

Welcome to Ruijie Community (https://community.ruijienetworks.com/) Powered by Discuz! X3.2