I have a case here: I have two VLANs. One is VLAN 10, 192.168.10.0/24; the other is VLAN 100, 192.168.100.0/24.
I want to block VLAN 10 from talking to VLAN 100 but allow VLAN 100 to reach VLAN 10.
How can I achieve this?
I tried an access list, but it didn't work:
ip access-list extended Block_Vlan10
deny ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip any any
int vlan 10
ip access-group Block_Vlan10 in
The problem with this access list is that the return traffic was also blocked when VLAN 100 initiated the connection.
Look at the thread below to solve your problem.
Check to see if your equipment supports reflexive access lists. Here is an example. Please let us know if this does not resolve the issue.
Please mark helpful posts.
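An added configuration example illustrating the reflexive ACL approach that reply refers to (this is not the example it linked to, and it is not from the original thread). It assumes a Layer-3 switch or router doing inter-VLAN routing on SVIs that supports the `reflect`/`evaluate` keywords; the ACL names are made up.

```cisco
! Added example, not from the original thread. Assumes a router or L3 switch
! routing between SVIs Vlan10 and Vlan100 with reflexive ACL support.
! ACL names (V100_TO_V10_OUT, V10_IN, V100_SESSIONS) are arbitrary.
!
! Applied OUTBOUND on Vlan10: traffic leaving the router toward VLAN 10 hosts.
! Each session VLAN 100 opens creates a temporary mirror-image entry in the
! reflexive list V100_SESSIONS (reflexive lists need explicit protocols, so
! tcp/udp/icmp are listed rather than "ip").
ip access-list extended V100_TO_V10_OUT
 permit tcp 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255 reflect V100_SESSIONS
 permit udp 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255 reflect V100_SESSIONS
 permit icmp 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255 reflect V100_SESSIONS
 permit ip any any
!
! Applied INBOUND on Vlan10: traffic from VLAN 10 hosts entering the router.
! "evaluate" must precede the deny so that replies to sessions VLAN 100 opened
! are matched first; anything else VLAN 10 sends toward VLAN 100 is dropped.
ip access-list extended V10_IN
 evaluate V100_SESSIONS
 deny ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip any any
!
! Idle reflexive entries are removed after this many seconds (default 300).
ip reflexive-list timeout 120
!
interface Vlan10
 ip access-group V100_TO_V10_OUT out
 ip access-group V10_IN in
```

If the platform rejects the `reflect`/`evaluate` keywords, the TCP-only fallback is `permit tcp 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255 established` placed ahead of the deny in the inbound ACL; that keyword only checks the ACK/RST flags on TCP segments and gives no protection for UDP or ICMP.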
What kind of traffic is being initiated from vlan 100 to vlan 10? What protocols? (IP, ICMP, UDP, TCP?) And any specific traffic types involved? (HTTP, TFTP, FTP, DHCP, SSH, Telnet, etc?)
Are you wanting the end result to completely allow all traffic from VLAN 100 to VLAN 10, but deny all IP traffic (except return traffic from a connection initiated from VLAN 100) from VLAN 10 to VLAN 100?