Solved: Re: Access List on svi port (Multilayer Switch)

Manas · ‎11-08-2019

Here is my Simple configuration...

Switch#sh run

Building configuration...

Current configuration : 1668 bytes

!

version 12.2(37)SE1

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname Switch

!

ip routing

!

spanning-tree mode pvst

!

interface FastEthernet0/1

switchport access vlan 10

switchport mode access

switchport nonegotiate

!

interface FastEthernet0/2

switchport access vlan 20

switchport mode access

switchport nonegotiate

!

interface FastEthernet0/3

switchport access vlan 30

switchport mode access

switchport nonegotiate

!

interface FastEthernet0/4

!

interface FastEthernet0/5

!

interface FastEthernet0/6

!

interface FastEthernet0/7

!

interface FastEthernet0/8

!

interface FastEthernet0/9

!

interface FastEthernet0/10

!

interface FastEthernet0/11

!

interface FastEthernet0/12

!

interface FastEthernet0/13

!

interface FastEthernet0/14

!

interface FastEthernet0/15

!

interface FastEthernet0/16

!

interface FastEthernet0/17

!

interface FastEthernet0/18

!

interface FastEthernet0/19

!

interface FastEthernet0/20

!

interface FastEthernet0/21

!

interface FastEthernet0/22

!

interface FastEthernet0/23

!

interface FastEthernet0/24

!

interface GigabitEthernet0/1

!

interface GigabitEthernet0/2

!

interface Vlan1

no ip address

shutdown

!

interface Vlan10

mac-address 00e0.b054.9801

ip address 192.168.0.1 255.255.255.224

!

interface Vlan20

mac-address 00e0.b054.9802

ip address 192.168.0.33 255.255.255.224

!

interface Vlan30

mac-address 00e0.b054.9803

ip address 172.16.0.1 255.255.255.0

!

ip classless

!

ip flow-export version 9

!

line con 0

!

line aux 0

!

line vty 0 4

login

!

end

In above configuration all vlan communicate with each other. But i want block communication between Vlan 10 and vlan 20. How i will block . Plese help me.

Leo Laohoo · ‎11-08-2019

Read this: Configuring IP Access Lists

View solution in original post

Manas · ‎11-10-2019

Your answer is right for question but I got the answer before ur post. So thanks alot for posting right answer.

View solution in original post

Leo Laohoo · ‎11-08-2019

Read this: Configuring IP Access Lists

luis_cordova · ‎11-09-2019

Hi @Manas

This can be achieved with a standard ACL.
Standard ACLs can block only by the source of the packet.

After all the lines of an ACL there is a deny any by default, so I recommend you to deny what you want and then allow everything else.
This is the structure:

access-list <1-99> <permit/deny> <source network> <wildcard>
access-list <1-99> permit any

Then, you must apply that ACL in the correct interface and indicate if the packets will be filtered when entering or exiting that interface (in/out).

This is the structure:

ip access-group <1~99> <in/out>

In your case, I recommend you deny the vlan 10 network and apply that ACL within the vlan 20 interface, in the outbound direction(out)

Try that and let us know if it worked for you.

Regards

Manas · ‎11-10-2019

Your answer is right for question but I got the answer before ur post. So thanks alot for posting right answer.