07-17-2020 02:39 PM
I have a router-on-a-stick that is connected to a switch with 3 workstations, which are connected to VLAN 2 and VLAN 3. 2 workstations are connected to VLAN 2 while the other one is connected to VLAN 3. Now the problem is that I need to deny network traffic from workstations that are connected on VLAN 2 to VLAN 3. But I can't seem to do that even though I tried using a standard ACL or an extended ACL. Can anyone help?
02-09-2021 02:34 AM - edited 02-09-2021 02:44 AM
03-25-2022 03:57 PM
Hello,
make sure your config looks like this:
Router
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
!
interface GigabitEthernet0/0.2
 encapsulation dot1q 2
 ip address 192.168.2.1 255.255.255.0
 ip access-group 101 in
!
interface GigabitEthernet0/0.3
 encapsulation dot1q 3
 ip address 192.168.3.1 255.255.255.0
!
03-26-2022 12:12 PM
Hello
Please see the example below, which will negate traffic originating from within the vlan towards either vlan:
ip access-list extended vlan2
 remark no vlan3
 deny ip any 10.0.3.0 0.0.0.255
 permit ip any any
!
ip access-list extended vlan3
 remark no vlan2
 deny ip any 10.0.2.0 0.0.0.255
 permit ip any any
!
interface GigabitEthernet0/0.2
 encapsulation dot1q 2
 ip address 10.0.2.254 255.255.255.0
 ip access-group vlan2 in
!
interface GigabitEthernet0/0.3
 encapsulation dot1q 3
 ip address 10.0.3.254 255.255.255.0
 ip access-group vlan3 in
!
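To check what the two configurations above actually filter, here is an added example (not from either reply or from Cisco) that models IOS extended ACL matching in Python: wildcard-mask comparison, first-match evaluation and the implicit deny at the end of every ACL. It assumes a router-on-a-stick where a packet enters on the subinterface whose subnet contains its source address, that only `ip` ACEs with network/wildcard, `host` or `any` addresses occur, and that ACLs are applied inbound, as in both posts. The function names (`parse_acl`, `evaluate`, `route`) and the sample host addresses are the example's own.

```python
"""Model of IOS extended ACL matching (added example, not part of the thread).
Assumptions: packets enter on the subinterface of their source subnet; only
'ip' ACEs with network/wildcard, 'host' or 'any' addresses; inbound ACLs only."""
import ipaddress
from dataclasses import dataclass

ANY = (0, 0xFFFFFFFF)  # wildcard of all ones: every bit is "don't care"


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    src: tuple    # (network, wildcard) as 32-bit integers
    dst: tuple


def _parse_addr(tok, i):
    """Read one address spec starting at tok[i]; return ((net, wild), next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tok[i]))
    wild = int(ipaddress.IPv4Address(tok[i + 1]))
    return (net, wild), i + 2


def parse_acl(text):
    """Parse numbered ('access-list 101 deny ip ...') or named-ACL body lines
    ('deny ip any ...') into an ordered list of ACEs. 'remark' lines, '!' and the
    'ip access-list extended NAME' header are skipped; IOS ignores them too."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] in ("remark", "ip", "!"):
            continue
        if tok[0] == "access-list":
            tok = tok[2:]  # drop 'access-list <number>'
        if tok[1] != "ip":
            raise ValueError(f"only 'ip' ACEs are modelled: {line!r}")
        src, i = _parse_addr(tok, 2)
        dst, _ = _parse_addr(tok, i)
        aces.append(Ace(tok[0], src, dst))
    return aces


def _match(addr, spec):
    """Wildcard semantics: a 0 bit in the wildcard means that bit must match."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(aces, src_ip, dst_ip):
    """First-match evaluation with the implicit 'deny ip any any' at the end."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for ace in aces:
        if _match(s, ace.src) and _match(d, ace.dst):
            return ace.action
    return "deny"


def route(subifs, src_ip, dst_ip):
    """subifs: list of (subnet, inbound ACEs or None). The packet is filtered by
    the inbound ACL of the subinterface that owns its source subnet."""
    s = ipaddress.IPv4Address(src_ip)
    for subnet, aces in subifs:
        if s in ipaddress.IPv4Network(subnet):
            return "permit" if aces is None else evaluate(aces, src_ip, dst_ip)
    raise ValueError(f"{src_ip} is not on any connected VLAN")


# Config from the first reply: ACL 101 inbound on Gi0/0.2 only.
ACL_101 = parse_acl("""
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
""")
ROUTER_A = [("192.168.2.0/24", ACL_101), ("192.168.3.0/24", None)]

# Config from the second reply: one named ACL inbound on each subinterface.
ACL_VLAN2 = parse_acl("""
ip access-list extended vlan2
 remark no vlan3
 deny ip any 10.0.3.0 0.0.0.255
 permit ip any any
""")
ACL_VLAN3 = parse_acl("""
ip access-list extended vlan3
 remark no vlan2
 deny ip any 10.0.2.0 0.0.0.255
 permit ip any any
""")
ROUTER_B = [("10.0.2.0/24", ACL_VLAN2), ("10.0.3.0/24", ACL_VLAN3)]

if __name__ == "__main__":
    # Constructed sample flows: host .10 in each VLAN plus an external address.
    flows_a = [("192.168.2.10", "192.168.3.10"), ("192.168.3.10", "192.168.2.10"), ("192.168.2.10", "8.8.8.8")]
    flows_b = [("10.0.2.10", "10.0.3.10"), ("10.0.3.10", "10.0.2.10"), ("10.0.2.10", "8.8.8.8")]
    for label, router, flows in (("first reply", ROUTER_A, flows_a), ("second reply", ROUTER_B, flows_b)):
        for src, dst in flows:
            print(f"{label:13} {src:>14} -> {dst:<14} {route(router, src, dst)}")
```

Running it shows the difference a practitioner would want to confirm before deploying: with the first configuration, packets from VLAN 2 to VLAN 3 are dropped, but a VLAN 3 host can still send packets to VLAN 2 (only the VLAN 2 host's replies are dropped, so TCP sessions fail while one-way traffic still arrives), whereas the second configuration drops the first packet in both directions. Both keep VLAN-to-internet traffic permitted.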
03-27-2022 04:14 PM
BTW, what @Georg Pauwen and @paul driver posted should be similar to what you need; in fact, your router is using a .1Q trunk and subinterfaces, and VLANs 2 and 3 are tagged. Is that how you're configured?