
How to block PCs under the same VLAN?

kishore
Level 1

I have a router which is connected to an SG 350 switch.

The switch has VLANs 10, 20, 30.

I have 2 PCs under VLAN 20.

So, now using an extended ACL I want to block the 2 PCs under VLAN 20.

How do I do this? Please help me.

10 Replies

Hello,

What exactly do you want? Block access from any of the VLANs to those two PCs in VLAN 20? Or block access between both PCs from within VLAN 20?

Below is an example of a VLAN Access List. In this example, the PCs with IP addresses 192.168.20.1 and 192.168.20.2 cannot communicate with each other, everything else in VLAN 20 can:

ip access-list extended VLAN_ACL
 deny ip host 192.168.20.1 host 192.168.20.2
 deny ip host 192.168.20.2 host 192.168.20.1
 permit ip any any
!
vlan access-map VACL
 match ip address VLAN_ACL
 action forward
!
vlan filter VACL vlan-list 20

Actually I want to block the PCs from communicating with each other within the same VLAN, which must be implemented in Cisco Packet Tracer without using a VACL; only an extended ACL should be used.

The above may be true in a real case.

Please help me.

Hello,

Cisco Packet Tracer does not support VACLs, so you cannot test it there. It will work though in a 'real' network.

Hello


Actually I want to block the PCs from communicating with each other within the same VLAN

On each port:

int x/x
switchport protected

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

kishore
Level 1

I have 3 routers that I want to communicate using the NAT feature, but I should not use any routing protocols. How do I do this using NAT?

Please help me.

Can you post the configs of the routers, or, if it is a Packet Tracer file, the zipped .pkt?

I haven't configured it yet.

Hello,

This should meet your requirement:

CORP 1

access-list 101 permit tcp host 192.168.201.2 host 172.22.237.17 eq www
access-list 101 deny ip any host 172.22.237.17
access-list 101 permit ip any host 172.22.237.18

interface GigabitEthernet0/0
 ip access-group 101 out

Yes, surely this can be implemented using routing protocols.

But I want to implement this without using any routing protocol, using only NAT/PAT concepts.

That is, I want to send the routing information using NAT/PAT concepts only.

Please help me. Thanks in advance.

Hello

You have asked two completely different questions in one post?

But to summarize:

1)


Actually I want to block the PCs from communicating with each other within the same VLAN

On each port:

int x/x
switchport protected

2)

I have 3 routers that I want to communicate using the NAT feature, but I should not use any routing protocols. How do I do this using NAT?

Do you need to use NAT? It doesn't state to use NAT in your task, and also it looks like the router is directly connected to the web/finance servers, so NAT wouldn't really work unless the link between CORP 1 and the switch is on a different subnet?

Below is a solution involving a 3-ACE numbered ACL that would be applied outbound on the CORP 1 router's gig0/0 interface:

access-list 100 permit tcp host 192.168.201.2 host 172.22.237.17 eq www
access-list 100 permit tcp host 198.18.132.65 host 172.22.237.18 eq www
access-list 100 permit tcp 192.168.201.0 0.0.0.255 host 172.22.237.18 eq www

int gig0/0
ip access-group 100 out
ip proxy-arp

int gig0/1
no ip unreachables
no

res
Paul

Kind Regards
Paul
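
As an added illustration (not code from any reply in this thread), the Python sketch below replays the three-entry access-list 100 posted above using IOS first-match evaluation, wildcard masks and the implicit deny at the end of the list. The helper names, the single-entry port keyword table and the flows you pass to `evaluate` are assumptions made for the example.

```python
import ipaddress

# access-list 100 exactly as posted in the thread.
ACL_100 = """\
access-list 100 permit tcp host 192.168.201.2 host 172.22.237.17 eq www
access-list 100 permit tcp host 198.18.132.65 host 172.22.237.18 eq www
access-list 100 permit tcp 192.168.201.0 0.0.0.255 host 172.22.237.18 eq www
"""
PORTS = {"www": 80}  # only the port keyword this list uses (assumed table)

def _to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def _addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _to_int(tok.pop(0)), 0
    return _to_int(first), _to_int(tok.pop(0))

def parse_acl(text):
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src, dst = _addr(rest), _addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORTS[rest[1]] if rest[1] in PORTS else int(rest[1])
        aces.append((action, proto, src, dst, port))
    return aces

def _hit(ip, spec):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (_to_int(ip) | wild) == (base | wild)

def evaluate(aces, proto, src, dst, dport=None):
    """Return the action of the first matching ACE, else the implicit deny."""
    for action, a_proto, a_src, a_dst, a_port in aces:
        if a_proto not in ("ip", proto):
            continue
        if _hit(src, a_src) and _hit(dst, a_dst) and a_port in (None, dport):
            return action
    return "deny"  # every IOS ACL ends with an unwritten "deny ip any any"
ACES = parse_acl(ACL_100)
```

Because the list contains only permit entries, any flow it does not name, such as ICMP or HTTPS to the same two servers, falls through to the implicit deny.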