Hi,

I would like to configure 1-way access for VLAN1 to VLAN10, but not allow VLAN10 to access VLAN1. Please advise what configuration is needed in the console.

Switch Model: Ruijie RG-CS83-24GT4XS (Layer 3 Switch)
VLAN1 = 192.168.11.0 (Internal Network)
VLAN10 (port 1) = 192.168.10.0 (CCTV Network & PCs)
Port 1: VLAN10 - Access mode (DHCP Client: 192.168.10.2)
Port 9: VLAN1 - Access mode (DHCP Client: 192.168.11.2)

permit VLAN1 (192.168.11.0) to access VLAN10 (192.168.10.0)
deny VLAN10 (192.168.10.0) to access VLAN11 (192.168.11.0)

I tried to configure the script as below, but nothing works (even when a VLAN1 IP tries to ping a VLAN10 IP from the PC, it shows Request timed out. The Remote Access attempt also failed).

conf ter
ip access-list extended vlan10
 10 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
 20 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
 30 permit ip any any
exit
int g0/1
 ip access-group vlan10 in
end
wr

Thank you.
From Jim
Hello sir, please try this one:

conf ter
ip access-list extended vlan10
 10 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
 20 permit ip any any
exit
int g0/1
 ip access-group vlan10 out
end
wr
GTAC-Stella replied at 2024-3-22 11:51

Hi Stella,

Thanks for replying to my post. I have followed your steps, but unfortunately it does not work as it should. With your suggested configuration, I can manage to PING and Remote Access from VLAN1 to VLAN10, however the VLAN10 PC can both PING and Remote my own PC as well...
Jim Khor replied at 2024-3-22 12:11

Dear sir,

You can only block one-way ping via the following commands:

conf ter
ip access-list extended vlan10
 10 deny icmp 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255 echo    --> deny the icmp echo packets from vlan10 to vlan11 traffic
 20 permit ip any any
exit

Then you can apply the ACL list to the specific interface to test again.

The above ACL list indicates that it only blocks icmp echo packets from vlan10 to vlan11, but icmp reply packets are not blocked. So only vlan11 cannot access vlan10 network, but vlan10 can still access vlan11 network actively.

Best regards,
Jenny
俞佳敏1 replied at 2024-3-22 13:45

Dear Jenny,

conf ter
ip access-list extended vlan10
 10 deny icmp 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255 echo    --> deny the icmp echo packets from vlan10 to vlan11 traffic
 20 permit ip any any
exit

Please advise what "but icmp reply packets are not blocked" means.

I configured your given settings. ECHO is not working from VLAN10 to VLAN1, but the VLAN10 PC is still able to Remote Access the PC from VLAN1. What command do I need to get rid of it?

Thanks.
Jim Khor replied at 2024-3-22 16:49

Ping packets are divided into icmp echo and icmp reply.

no 10 deny icmp 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255 echo    > this is for deletion
GTAC-Micca replied at 2024-3-22 19:42

Dear Micca,

Noted & thanks
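
Added example, not part of the original thread and not Ruijie code: a small Python model of first-match, stateless ACL evaluation for packets arriving inbound on port 1, showing that the ACL in the first post also drops the echo replies and TCP return packets that VLAN1 sessions depend on. The ONE_WAY rule set, the packet fields and the flag-based TCP match are assumptions for illustration, not RGOS syntax.

```python
import ipaddress

VLAN1 = ipaddress.ip_network("192.168.11.0/24")
VLAN10 = ipaddress.ip_network("192.168.10.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Rule: (action, proto, src_net, dst_net, extra_match). proto "ip" matches any protocol.
# ACL from the first post, applied inbound on port 1 (packets sent by VLAN10 hosts).
FIRST_POST = [
    ("permit", "ip", VLAN1, VLAN10, None),
    ("deny", "ip", VLAN10, VLAN1, None),
    ("permit", "ip", ANY, ANY, None),
]
# Assumed alternative: let only reply traffic from VLAN10 back into VLAN1.
ONE_WAY = [
    ("permit", "icmp", VLAN10, VLAN1, lambda p: p.get("icmp_type") == "echo-reply"),
    ("permit", "tcp", VLAN10, VLAN1, lambda p: bool({"ACK", "RST"} & p.get("flags", set()))),
    ("deny", "ip", VLAN10, VLAN1, None),
    ("permit", "ip", ANY, ANY, None),
]

def evaluate(acl, pkt):
    """First matching rule wins; an ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for action, proto, src_net, dst_net, extra in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if src in src_net and dst in dst_net and (extra is None or extra(pkt)):
            return action
    return "deny"

# Constructed packets as seen inbound on port 1 (source is the VLAN10 host).
CAM, PC = "192.168.10.2", "192.168.11.2"
PACKETS = {
    "echo reply to VLAN1 ping": {"src": CAM, "dst": PC, "proto": "icmp", "icmp_type": "echo-reply"},
    "echo request from VLAN10": {"src": CAM, "dst": PC, "proto": "icmp", "icmp_type": "echo"},
    "SYN-ACK for VLAN1 session": {"src": CAM, "dst": PC, "proto": "tcp", "flags": {"SYN", "ACK"}},
    "SYN opened by VLAN10": {"src": CAM, "dst": PC, "proto": "tcp", "flags": {"SYN"}},
}

def verdicts(acl):
    """Return the permit/deny decision for every constructed packet."""
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, acl in (("first post", FIRST_POST), ("one-way", ONE_WAY)):
        print(label, verdicts(acl))
```

The model is stateless: the TCP rule matches any segment with ACK or RST set rather than tracking connections, and UDP replies are not covered by either rule set.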