12-26-2007 08:00 AM - edited 03-03-2019 08:03 PM
I am using this switch in my lab for testing. There are no other layer 3 devices in my lab besides this switch. If I go ahead and set up my VLANs, can I still use access lists to allow or deny connectivity between different ports (devices) on different VLANs on this layer 3 switch?
Example:
VLAN 1: 192.168.1.1
Device A: 192.168.1.10
VLAN 2: 192.168.2.1
Device B: 192.168.2.10
Device C: 192.168.2.11
Device D: 192.168.2.12
How do I restrict access between Device C and Device A? In other words how can I let only Device B in VLAN2 communicate with Device A in VLAN1?
I know how to write the access list but not sure about the exact command. Would it be something like:
access-list 101 permit tcp host 192.168.2.10 host 192.168.1.10
access-list 101 permit ip host 192.168.2.10 host 192.168.1.10
Where do I apply the access-group command?
Or should I use a standard access-list?
And since there is an implicit deny at the end of every access-list, all other nodes on VLAN2 will be denied accessing VLAN2, correct?
Thanks for your help.
12-26-2007 08:06 AM
Hi Friend,
Have a look at this link and I hope this will clear your doubts
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12240se/scg/swacl.htm#wp1285654
Please come back if you have any more doubts.
HTH
Ankur
*Pls rate all helpful posts
12-26-2007 08:07 AM
Configure
! entry 1: device B may reach device A
access-list 100 permit ip host 192.168.2.10 host 192.168.1.10
! entry 2: everything else from the VLAN 2 subnet to the VLAN 1 subnet is dropped
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
! bind the ACL to the SVI so it filters packets entering the switch from VLAN 2
int vlan 2
ip access-group 100 in
The above access-list will allow device B to talk to only device A and deny all other communications because of the implicit deny at the end
HTH
Narayan
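To see exactly what the ACL above does and does not block, here is a small model of how IOS evaluates a numbered extended ACL bound to an SVI. This is an added illustration for the thread, not code from the original posts or from Cisco: it parses the two access-list lines from the reply (embedded below as constructed input), evaluates them top-down with the implicit deny at the end, and models the `in` direction on interface Vlan2 using the lab hosts from the question. Port operators (`eq`, `range`) are not modelled, and no real switch is involved.

```python
"""Model of IOS evaluation of a numbered extended ACL bound inbound on an SVI.

Added illustration, not code from the thread or from Cisco. The ACL text and
the host-to-VLAN map are constructed from the posts above.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The ACL from the reply, as it would appear in the running-config.
ACL_100 = """
access-list 100 permit ip host 192.168.2.10 host 192.168.1.10
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

# Hosts from the question and the VLAN (SVI) each one sits behind.
HOST_VLAN: Dict[str, int] = {
    "192.168.1.10": 1,                      # device A
    "192.168.2.10": 2, "192.168.2.11": 2,   # devices B, C
    "192.168.2.12": 2,                      # device D
}

AddrSpec = Tuple[int, int]  # (address, wildcard) as 32-bit ints


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip", "tcp", "udp", ...
    src: AddrSpec
    dst: AddrSpec


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume one address spec: 'host A', 'any', or 'A WILDCARD'."""
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def parse_acl(config: str, number: int) -> List[Ace]:
    """Collect the 'access-list <number> ...' lines in configured order."""
    aces: List[Ace] = []
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != str(number):
            continue
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        aces.append(Ace(action=t[2], proto=t[3], src=src, dst=dst))
    return aces


def _wild_match(spec: AddrSpec, addr: str) -> bool:
    """Wildcard bits set to 1 are 'don't care'; 0 bits must match exactly."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def evaluate(aces: List[Ace], proto: str, src: str, dst: str) -> str:
    """First matching entry wins; falling off the end is the implicit deny."""
    for ace in aces:
        if ace.proto in ("ip", proto) and _wild_match(ace.src, src) \
                and _wild_match(ace.dst, dst):
            return ace.action
    return "deny (implicit)"


# Only 'ip access-group 100 in' on interface Vlan2 is configured in the reply.
BINDINGS: Dict[Tuple[int, str], List[Ace]] = {(2, "in"): parse_acl(ACL_100, 100)}


def routed_decision(proto: str, src: str, dst: str) -> str:
    """Verdict for a packet between two lab hosts. Same-VLAN traffic is
    switched at layer 2 and never reaches a router ACL; inter-VLAN traffic is
    checked against the ingress SVI's 'in' ACL and the egress SVI's 'out' ACL."""
    src_vlan, dst_vlan = HOST_VLAN[src], HOST_VLAN[dst]
    if src_vlan == dst_vlan:
        return "permit (same VLAN, switched at layer 2)"
    for binding in ((src_vlan, "in"), (dst_vlan, "out")):
        aces = BINDINGS.get(binding)
        if aces is not None:
            verdict = evaluate(aces, proto, src, dst)
            if verdict.startswith("deny"):
                return verdict
    return "permit"


if __name__ == "__main__":
    for proto, s, d in [("tcp", "192.168.2.10", "192.168.1.10"),
                        ("tcp", "192.168.2.11", "192.168.1.10"),
                        ("udp", "192.168.1.10", "192.168.2.11")]:
        print(f"{proto} {s} -> {d}: {routed_decision(proto, s, d)}")
```

Two things the model makes visible. First, the explicit deny entry is caught by the implicit deny anyway, so its practical value is the hit counter you get from `show access-lists 100`, which is the quickest way to confirm the filter is actually matching in the lab (`show ip interface vlan 2` confirms the binding). Second, an inbound ACL on Vlan2 only sees packets entering the switch from VLAN 2: device A can still send to device C, and only C's replies are dropped, so TCP sessions from A to C fail at the handshake but one-way UDP from A to C is not filtered. If A must not reach C either, add a matching inbound ACL on interface Vlan1 as well.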