Hi, I would like some insight on constructing an access list that prevents all the other IP ranges in VLANs 17-23 from entering VLAN 18 (192.168.18.0/24) but still allows VLAN 18 to reach all other VLANs and services. I'm not too familiar with applying ACLs to VLANs on a routed switch. Any info will be helpful.
Below is a copy of the current configuration, including an ACL that is applied to VLAN 20.
! Layer-3 SVIs for VLANs 17-23; each is the .1 gateway of its /24 (Vlan1 is unused and shut down).
! ICMP redirects and proxy-ARP are disabled on every SVI.
! Only Vlan20 carries an access-group. Vlan18 (FAMILY) has none in either direction, so packets
! from every other SVI are routed into 192.168.18.0/24 unfiltered.
interface Vlan1
no ip address
shutdown
!
interface Vlan17
description MGMT
ip address 192.168.17.1 255.255.255.0
no ip redirects
no ip proxy-arp
!
interface Vlan18
description FAMILY
ip address 192.168.18.1 255.255.255.0
! NOTE(review): no ip access-group on this SVI. An ACL applied "out" here would filter what is
! routed toward FAMILY hosts, but a plain extended ACL cannot tell replies to sessions opened
! from VLAN 18 apart from new inbound connections (only TCP can be matched with "established").
no ip redirects
no ip proxy-arp
!
interface Vlan19
description AV
ip address 192.168.19.1 255.255.255.0
no ip redirects
no ip proxy-arp
!
interface Vlan20
description GUEST
ip address 192.168.20.1 255.255.255.0
! "in" on an SVI matches packets arriving from hosts in VLAN 20 (traffic the guest network
! sends), not packets routed toward VLAN 20.
ip access-group GUESTACL in
no ip redirects
no ip proxy-arp
!
interface Vlan21
description SECURITY
ip address 192.168.21.1 255.255.255.0
no ip redirects
no ip proxy-arp
!
interface Vlan22
description SECURITY2
ip address 192.168.22.1 255.255.255.0
no ip redirects
no ip proxy-arp
!
interface Vlan23
description STAFF
ip address 192.168.23.1 255.255.255.0
no ip redirects
no ip proxy-arp
!
! RIPv2 advertising the seven connected /24s. "passive-interface default" suppresses RIP on
! every SVI except Vlan17 (MGMT), so Vlan17 is the only interface that exchanges updates with
! a neighbour; the default route (below) also points into that VLAN.
! NOTE(review): no "ip rip authentication" appears under Vlan17 in the configuration shown.
! Confirm which devices on the MGMT VLAN can send RIPv2 updates, since an accepted update can
! change where traffic for the other VLANs is forwarded.
router rip
version 2
passive-interface default
no passive-interface Vlan17
network 192.168.17.0
network 192.168.18.0
network 192.168.19.0
network 192.168.20.0
network 192.168.21.0
network 192.168.22.0
network 192.168.23.0
! Classful summarisation disabled; each /24 is advertised as-is.
no auto-summary
!
! Management plane: both the HTTP and HTTPS servers are disabled; the "authentication local"
! line only takes effect if one of them is re-enabled.
no ip http server
ip http authentication local
no ip http secure-server
!
! Default route via 192.168.17.2 on the MGMT VLAN (presumably the upstream router/firewall --
! not shown). Anything not matching a connected /24 is forwarded there.
ip route 0.0.0.0 0.0.0.0 192.168.17.2 name DEFAULT
!
! Matches traffic to or from 192.168.19.0/24 (AV). Not applied to any interface in the
! configuration shown. It contains only permit entries, so wherever it is applied the
! implicit "deny ip any any" drops everything that is neither sourced from nor destined
! to VLAN 19.
ip access-list extended AV_NETWORK
permit ip any 192.168.19.0 0.0.0.255
permit ip 192.168.19.0 0.0.0.255 any
! Applied inbound on Vlan20, so every entry is evaluated against packets sent by hosts in the
! GUEST VLAN. First match wins, and an implicit "deny ip any any" ends the list: a packet whose
! source is outside 192.168.20.0/24 matches nothing past the two DHCP lines and is dropped.
ip access-list extended GUESTACL
! DHCP (bootpc/bootps) permitted regardless of source or destination.
permit udp any any eq bootpc
permit udp any any eq bootps
! Single MGMT host reachable from guests (its role is not shown -- confirm). This entry must
! stay above the deny for 192.168.17.0/24, or it becomes unreachable.
permit ip 192.168.20.0 0.0.0.255 host 192.168.17.10
! Guest-sourced traffic to every other internal /24 is blocked, including 192.168.18.0 (FAMILY).
deny ip 192.168.20.0 0.0.0.255 192.168.17.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 192.168.18.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 192.168.19.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 192.168.22.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 192.168.23.0 0.0.0.255
! Everything else from the guest range (in practice, whatever the default route leads to) is
! allowed.
permit ip 192.168.20.0 0.0.0.255 any
!