07-10-2018 02:30 AM - edited 03-05-2019 10:44 AM
Hello
I have a Cisco R2811 and multiple 2960 switches. I want VLAN 90 to be unable to access the other VLANs, while the other VLANs can connect to it (e.g. on ports 445, 139, ...), but it doesn't work. I have configured the SVIs on the Cisco R2811 as follows:
Cisco 2811:
Interfaces:
interface FastEthernet0/1
 description LAN
 no ip address
 ip flow ingress
 duplex full
 speed auto
 no cdp enable
!
interface FastEthernet0/1.10
 encapsulation dot1Q 1 native
 ip address 192.168.10.1 255.255.254.0
 ip helper-address 192.168.10.100
 glbp 1 ip 192.168.10.254
 glbp 1 timers msec 250 msec 750
 glbp 1 timers redirect 2 40000
 glbp 1 priority 200
 glbp 1 preempt
 glbp 1 weighting 100 lower 90 upper 95
 glbp 1 authentication md5 key-string 7 01120407
 glbp 1 weighting track 1 decrement 20
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.168.10.100
 glbp 2 ip 192.168.20.254
 glbp 2 timers msec 250 msec 750
 glbp 2 timers redirect 2 40000
 glbp 2 priority 200
 glbp 2 preempt
 glbp 2 weighting 100 lower 90 upper 95
 glbp 2 authentication md5 key-string 7 13041511
 glbp 2 weighting track 1 decrement 20
!
interface FastEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip helper-address 192.168.10.100
 glbp 3 ip 192.168.30.254
 glbp 3 timers msec 250 msec 750
 glbp 3 timers redirect 2 40000
 glbp 3 priority 200
 glbp 3 preempt
 glbp 3 weighting 100 lower 90 upper 95
 glbp 3 authentication md5 key-string 7 13041511
 glbp 3 weighting track 1 decrement 20
!
interface FastEthernet0/1.50
 description VOICE VLAN
 encapsulation dot1Q 50
 ip address 192.168.50.1 255.255.255.0
 ip helper-address 192.168.10.100
 glbp 5 ip 192.168.50.254
 glbp 5 timers msec 250 msec 750
 glbp 5 timers redirect 2 40000
 glbp 5 priority 200
 glbp 5 preempt
 glbp 5 weighting 100 lower 90 upper 95
 glbp 5 authentication md5 key-string 7 12180714
 glbp 5 weighting track 1 decrement 20
!
interface FastEthernet0/1.90
 description WIRELESS-VLAN
 encapsulation dot1Q 90
 ip address 192.168.90.1 255.255.254.0
 ip access-group TEST in
 ip helper-address 192.168.10.100
 glbp 9 ip 192.168.90.254
 glbp 9 timers msec 250 msec 750
 glbp 9 timers redirect 2 40000
 glbp 9 priority 200
 glbp 9 preempt
 glbp 9 weighting 100 lower 90 upper 95
 glbp 9 authentication md5 key-string 7 00051105
 glbp 9 weighting track 1 decrement 20
Access-List
ip access-list extended TEST
 permit ip any host 192.168.10.254
 permit ip any host 192.168.10.100
 permit ip any host 192.168.10.30
 deny ip any 192.168.10.0 0.0.1.255
 deny ip any 192.168.20.0 0.0.1.255
 deny ip any 192.168.30.0 0.0.1.255
 permit ip any any
Result: VLAN 90 is blocked, and the other VLANs cannot access VLAN 90.
ip access-list extended TEST
 permit ip any host 192.168.10.254
 permit ip any host 192.168.10.100
 permit ip any host 192.168.10.30
 permit icmp any 192.168.10.0 0.0.1.255 echo-reply
 permit icmp any 192.168.20.0 0.0.1.255 echo-reply
 permit icmp any 192.168.30.0 0.0.1.255 echo-reply
 deny tcp any 192.168.10.0 0.0.1.255
 deny tcp any 192.168.20.0 0.0.1.255
 deny tcp any 192.168.30.0 0.0.1.255
 permit ip any any
Result: VLAN 90 is blocked, and the other VLANs cannot access VLAN 90, but the other VLANs can ping VLAN 90.
Can someone help me configure this as desired?
Thank you.
Sang.
07-10-2018 02:55 AM
Hi, try this:
ip access-group TEST out
ip access-list extended TEST
deny ip 192.168.10.0 0.0.1.255 192.168.90.0 0.0.1.255
deny ip 192.168.20.0 0.0.1.255 192.168.90.0 0.0.1.255
deny ip 192.168.30.0 0.0.1.255 192.168.90.0 0.0.1.255
permit ip any any
07-10-2018 07:55 PM - edited 07-11-2018 01:12 AM
Hi Daniele,
After checking your code, it didn't work, so I configured it as follows and it worked.
ip access-group TEST in
10 permit tcp any 192.168.30.0 0.0.0.255 established log
11 deny tcp any 192.168.30.0 0.0.0.255 log
20 permit ip any any
Thanks for your suggestions.
Sang.
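The behaviour of the ACLs in this thread, as an added worked example that is not from the original posts: a small Python evaluator for Cisco IOS extended ACL first-match semantics (wildcard masks, the `established` keyword, the implicit deny), replayed against constructed flows between a hypothetical VLAN 90 host 192.168.90.10 and a hypothetical VLAN 30 host 192.168.30.10. The ACL is applied inbound on FastEthernet0/1.90, so it only ever sees packets sourced from VLAN 90, and that includes the reply half of connections that other VLANs open towards VLAN 90. The hosts, the flow labels and the `Packet`/`Rule` model are assumptions made for the example; the ACL text is copied from the posts above.

```python
"""Toy evaluator for Cisco IOS extended ACL semantics (first match wins,
implicit deny at the end). Constructed example: replays the ACLs from this
thread against sample flows to show why an inbound 'deny ip' on the VLAN 90
subinterface also blocks replies to connections opened from other VLANs, and
what 'established' does and does not fix."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    ack: bool = False      # TCP ACK flag
    rst: bool = False      # TCP RST flag
    icmp_type: str = ""    # "echo" or "echo-reply" for ICMP


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp" or "icmp"
    src: str               # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W"
    dst: str
    established: bool = False
    icmp_type: str = ""


def _take_addr(tok):
    """Consume one address spec from a token list; returns (spec, remaining)."""
    if tok[0] == "any":
        return "any", tok[1:]
    return " ".join(tok[:2]), tok[2:]      # "host X" or "network wildcard"


def parse_acl(text):
    """Parse ACEs as typed in 'ip access-list extended' mode; sequence numbers and 'log' are tolerated."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "ip":      # skip an 'ip access-list extended NAME' header line
            continue
        if tok[0].isdigit():               # optional sequence number
            tok = tok[1:]
        action, proto = tok[0], tok[1]
        src, rest = _take_addr(tok[2:])
        dst, rest = _take_addr(rest)
        opts = [t for t in rest if t != "log"]
        rules.append(Rule(action, proto, src, dst,
                          established="established" in opts,
                          icmp_type=opts[0] if proto == "icmp" and opts else ""))
    return rules


def _addr_matches(spec, addr):
    if spec == "any":
        return True
    kind, value = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    if kind == "host":
        return a == int(ipaddress.IPv4Address(value))
    net = int(ipaddress.IPv4Address(kind))
    wild = int(ipaddress.IPv4Address(value))   # Cisco wildcard: 1 bits are don't-care
    return (a | wild) == (net | wild)


def _matches(r, p):
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if not (_addr_matches(r.src, p.src) and _addr_matches(r.dst, p.dst)):
        return False
    if r.established and not (p.ack or p.rst):   # a flag check only, not a connection table
        return False
    return not r.icmp_type or r.icmp_type == p.icmp_type


def evaluate(rules, p):
    """Return 'permit' or 'deny' for packet p under first-match semantics."""
    for r in rules:
        if _matches(r, p):
            return r.action
    return "deny"                                # implicit 'deny ip any any'


# ACLs as posted in the thread, applied 'in' on FastEthernet0/1.90.
ACL_DENY_IP = parse_acl("""
 permit ip any host 192.168.10.254
 permit ip any host 192.168.10.100
 permit ip any host 192.168.10.30
 deny ip any 192.168.10.0 0.0.1.255
 deny ip any 192.168.20.0 0.0.1.255
 deny ip any 192.168.30.0 0.0.1.255
 permit ip any any
""")
ACL_ESTABLISHED = parse_acl("""
 10 permit tcp any 192.168.30.0 0.0.0.255 established log
 11 deny tcp any 192.168.30.0 0.0.0.255 log
 20 permit ip any any
""")

WIFI, SRV = "192.168.90.10", "192.168.30.10"   # constructed hosts in VLAN 90 and VLAN 30
FLOWS = {
    "vlan90 opens TCP to vlan30 (SYN)":            Packet("tcp", WIFI, SRV),
    "vlan30 opened TCP, vlan90 replies (SYN/ACK)": Packet("tcp", WIFI, SRV, ack=True),
    "vlan90 sends UDP to vlan30":                  Packet("udp", WIFI, SRV),
    "vlan90 pings vlan30 (echo)":                  Packet("icmp", WIFI, SRV, icmp_type="echo"),
    # identical on the wire to the reply above: the ACL cannot tell them apart
    "vlan90 crafted ACK segment, no connection":   Packet("tcp", WIFI, SRV, ack=True),
}


def verdicts(rules):
    return {name: evaluate(rules, pkt) for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("deny ip", ACL_DENY_IP), ("established", ACL_ESTABLISHED)):
        print(f"--- {label}")
        for name, v in verdicts(acl).items():
            print(f"{v:6} {name}")
```

The `deny ip` version blocks VLAN 90's SYN/ACK replies, which is why hosts in the other VLANs could not reach VLAN 90 under the first ACL. `established` fixes that for TCP by permitting any segment with ACK or RST set, but it is a flag check rather than a connection table: UDP, ICMP and a crafted ACK segment from VLAN 90 all fall through to `permit ip any any`. For a genuinely one-way policy across all protocols, IOS offers reflexive ACLs (`reflect` / `evaluate`) or the zone-based firewall, both of which track sessions instead of flags.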