10-24-2022 12:14 PM
Hello,
we have HR in VLAN 50 (IP range 10.50.50.0/24) and IT in VLAN 30 (IP range 10.30.30.0/24) on the same layer 3 switch (C9500).
I need to allow only IT to connect to HR (from VLAN 30 to VLAN 50), and block HR from connecting to IT.
Your help is appreciated.
Thanks,
10-24-2022 12:31 PM
How about an example like the one below:
SWITCH(config)#access-list 100 deny ip 10.50.50.0 0.0.0.255 10.30.30.0 0.0.0.255
SWITCH(config)#access-list 100 permit ip any any
SWITCH(config)#int vlan 50
SWITCH(config-if)#ip access-group 100 in
10-25-2022 03:42 PM
Hello Balaji,
Thank you for your reply.
Can I use it with an extended ACL, as we use it as below:
(config)#ip access-list extended IT
(config-ext-nacl)#100 deny ip 10.50.50.0 0.0.0.255 10.30.30.0 0.0.0.255
(config-ext-nacl)#500 permit ip any any
So can I allow the connection from IT to HR only?
Thanks
10-26-2022 11:23 AM
Sure, you can use it, depending on your convenience.
10-26-2022 12:32 PM
That won't work, because that ACL will also block return traffic from HR to IT, since ACLs are not stateful.
As MHM says, you need reflexive ACLs or a firewall to make that work.
If it is just TCP connections you could also look at the "established" keyword.
Jon
10-26-2022 11:27 AM - edited 10-26-2022 11:27 AM
"I need to let the IT only can connect to HR from Vlan 30 to Vlan 50. and HR blocked to connect to IT."
That, in my view, cannot be done except in the case of a reflexive ACL.
https://networklessons.com/cisco/ccie-routing-switching/reflexive-access-list
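The "established" keyword Jon mentions, applied to this thread's addressing, as an added example that is not from any poster in the thread. The ACL name HR-IN and the ICMP echo-reply line are my additions; everything else follows the VLANs and ranges given in the question.

```cisco
! Added example (not from the thread): allow only TCP sessions that IT opened,
! while HR hosts cannot open new connections toward IT.
! HR = VLAN 50 / 10.50.50.0/24, IT = VLAN 30 / 10.30.30.0/24 (from the question).
! ACL name HR-IN is an assumption.
ip access-list extended HR-IN
 remark Return traffic of TCP sessions opened by IT: ACK or RST bit set
 permit tcp 10.50.50.0 0.0.0.255 10.30.30.0 0.0.0.255 established
 remark Let IT ping HR hosts: only the echo-reply may come back
 permit icmp 10.50.50.0 0.0.0.255 10.30.30.0 0.0.0.255 echo-reply
 remark New TCP connections (SYN only), UDP and other ICMP from HR to IT are dropped
 deny ip 10.50.50.0 0.0.0.255 10.30.30.0 0.0.0.255
 remark HR still reaches everything else (Internet, other VLANs)
 permit ip any any
!
interface Vlan50
 ! "in" on the HR SVI = packets sourced by HR hosts entering the switch
 ip access-group HR-IN in
!
! Verification: per-entry hit counters show whether the established line is matching
! show ip access-lists HR-IN
```

Note that "established" only tests the ACK/RST flag bits of each packet; it keeps no session table, so it is weaker than a reflexive ACL or a stateful firewall and does nothing for UDP flows from IT to HR (a DNS or NTP reply from HR would still be dropped by the deny line).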