multiple gateway security

ino
Level 1

Do I see this right?

I have a switch (2960, L3 enabled) that I have set up to route between VLANs.

I have a router connected to the switch (router on a stick).

If I set the gateway on a PC to point to the switch, I will be routed on the switch from one VLAN to the other.

If I set the gateway to point to the router, I will be routed on the router.

Correct so far?

If I create an ACL on the switch to deny all access to its VLAN address except for chosen ones, other clients won't be able to get routing directly on the switch.

E.g. if the switch has no other ACLs and will route from any VLAN to any VLAN, but the router has an ACL in place to deny VLAN 10 to VLAN 20, no client not allowed on the switch will be able to circumvent this and access VLAN 20 from VLAN 10?

2 Replies

balaji.bandi
Hall of Fame

To get more clarity: always running the ACL where the Layer 3 gateway is pointed is best practice, so you are sure the first point can easily filter rather than the next hop. To provide suggestions, can you post an example of the config here?

BB

ino
Level 1

I don't have any actual ACL running; this is just to see if it will work as I think it will.

Also, my main focus is not necessarily on best practice but on convenience for me, and of course that it works as intended.

Here is what I came up with:

SWITCH L3

interface Vlan10
ip address 10.0.10.2 255.255.255.0
ip access-group gateAccess in


interface Vlan20
ip address 10.0.20.2 255.255.255.0
ip access-group gateAccess in


interface Vlan30
ip address 10.0.30.2 255.255.255.0
ip access-group gateAccess in


interface GigabitEthernet0/0/1
description vlan 10
switchport access vlan 10
switchport mode access


interface GigabitEthernet0/0/2
description vlan 20
switchport access vlan 20
switchport mode access


interface GigabitEthernet0/0/3
description vlan 30
switchport access vlan 30
switchport mode access


interface GigabitEthernet0/0/4
description Trunk
switchport trunk allowed vlan 10,20,30
switchport mode trunk


ip access-list extended gateAccess
permit tcp any any established
permit ip 10.0.10.10 0.0.0.0 any
deny ip any 10.0.10.2 0.0.0.0
deny ip any 10.0.20.2 0.0.0.0
deny ip any 10.0.30.2 0.0.0.0
permit ip any any


ROUTER


interface Vlan10
ip address 10.0.10.1 255.255.255.0
ip access-group gateAccess in


interface Vlan20
ip address 10.0.20.1 255.255.255.0
ip access-group gateAccess in


interface Vlan30
ip address 10.0.30.1 255.255.255.0
ip access-group gateAccess in


interface GigabitEthernet0/0/1
description Trunk
switchport trunk allowed vlan 10,20,30
switchport mode trunk


ip access-list extended gateAccess
permit tcp any any established
permit ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
deny ip 10.0.20.0 0.0.0.255 any
deny ip any 10.0.10.0 0.0.0.255
permit ip any any


3 PCs connected to the switch,
the switch connected to the router.

Do I see this correctly, that a PC on
VLAN 10
can ping: PCs on VLAN 20, 30
VLAN 20
can ping: PCs on VLAN 30
VLAN 30
can ping: PCs on VLAN 20, 30

AND
a PC on VLAN 10 setting its gateway to 10.0.10.2 and IP 10.0.10.10 has no restrictions at all;
other PCs trying to set 10.0.x.2 as gateway won't work and can't circumvent this somehow?
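As an added example (not from the thread), a small Python evaluator for the two ACLs posted above, using the first-match semantics and implicit deny of an IOS extended ACL; the hosts 10.0.x.50 and the flow checks are assumptions, and the router's `permit any any` is written as `permit ip any any`. Running `ping_works` and `tcp_works` against both ACLs shows which flows each gateway path actually passes in both directions, and that an entry denying traffic to the SVI address matches only traffic addressed to the SVI, not traffic routed through it.

```python
import ipaddress
# Constructed copies of the two ACLs from the post (router's 'permit any any' written as 'permit ip any any').
SWITCH_ACL = """
permit tcp any any established
permit ip 10.0.10.10 0.0.0.0 any
deny ip any 10.0.10.2 0.0.0.0
deny ip any 10.0.20.2 0.0.0.0
deny ip any 10.0.30.2 0.0.0.0
permit ip any any
"""
ROUTER_ACL = """
permit tcp any any established
permit ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
deny ip 10.0.20.0 0.0.0.255 any
deny ip any 10.0.10.0 0.0.0.255
permit ip any any
"""

def _addr(tok):  # consume 'any' or 'A.B.C.D wildcard' -> (masked address, care bits, remaining tokens)
    if tok[0] == "any":
        return 0, 0, tok[1:]
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[1]))  # wildcard 1-bits are "don't care"
    return int(ipaddress.IPv4Address(tok[0])) & care, care, tok[2:]

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()  # action proto src [wildcard] dst [wildcard] [established]
        src, smask, rest = _addr(tok[2:])
        dst, dmask, rest = _addr(rest)
        entries.append((tok[0], tok[1], src, smask, dst, dmask, "established" in rest))
    return entries

def acl_action(acl, proto, src, dst, established=False):
    """First matching entry decides; an extended ACL ends with an implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, p, sn, sm, dn, dm, est in acl:
        proto_ok = p in ("ip", proto)
        est_ok = not est or (proto == "tcp" and established)  # 'established' = TCP with ACK/RST only
        if proto_ok and est_ok and (s & sm) == sn and (d & dm) == dn:
            return action
    return "deny"

def ping_works(acl, src, dst):
    """The ACL sits inbound on every SVI, so the echo request and the echo reply both traverse it."""
    return acl_action(acl, "icmp", src, dst) == "permit" and acl_action(acl, "icmp", dst, src) == "permit"

def tcp_works(acl, client, server):
    """The client's SYN carries no ACK; the server's reply does, so it can match 'established'."""
    return acl_action(acl, "tcp", client, server) == "permit" and acl_action(acl, "tcp", server, client, True) == "permit"
```

With the router ACL, ICMP from VLAN 10 fails in the reply direction because only TCP can match `established`, while on the switch a routed packet from 10.0.10.50 to 10.0.20.50 falls through to the final `permit ip any any`.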