Ya. that's a mistake. Thanks.

biju.thekkoot1 · ‎02-27-2016

I have a layer 3 switch which has different vlans configured. layer 3 connected to layer 2 switches (2960) and one of the port in layer 2 (vlan 23) is connected to a router(on port 22 of layer 2) . I need to open the incoming communication in to the router(192.168.23.17) but block all outgoing communication from the router. i have created the access list in layer 3 switch and blocked the outgoing communication from router .Now the Issue is while blocking , the incoming communication is not working properly. Please help me with proper commands

Please see the steps done in layer 3

interface Vlan23

ip address 192.168.23.1 255.255.255.0

ip access-group 1 out

access-list 111 deny ip host 192.168.23.17 192.168.16.0 0.0.0.255

access-list 111 deny ip host 192.168.23.17 192.168.17.0 0.0.0.255

access-list 111 deny ip host 192.168.23.17 192.168.18.0 0.0.0.255

access-list 111 deny ip host 192.168.23.17 192.168.19.0 0.0.0.255

access-list 111 deny ip host 192.168.23.17 192.168.20.0 0.0.0.255

access-list 111 deny ip host 192.168.23.17 192.168.21.0 0.0.0.255

access-list 111 deny ip host 192.168.23.17 192.168.22.0 0.0.0.255

access-list 111 deny ip host 192.168.23.17 192.168.23.0 0.0.0.255

access-list 111 deny ip host 192.168.23.17 192.168.24.0 0.0.0.255

access-list 111 permit ip 192.168.23.0 0.0.0.255 any

Philip D'Ath · ‎02-28-2016

On your VLAN you are using access-list 1, you you have configured 111.

biju.thekkoot1 · ‎02-28-2016

Ya. that's a mistake. Thanks. if I do the following way, communication from core switch to the ip 192.168.23.17(router ip) will be available but no outgoing communication from 192.168.23.17? Is it possible to give single outgoing communication from 192.168.23.17 to a wan ip which is configured in firewall and mapped with 192.168.23.17? please advice. Thanks

interface Vlan23

ip address 192.168.23.1 255.255.255.0

ip access-group 111 out