08-25-2016 02:13 PM - edited 03-08-2019 07:09 AM
I have the following ACL bound to VLAN interface 10:
access-list 100 permit tcp host 192.168.1.11 host 192.168.2.1
access-list 100 deny ip any any
But the above configuration blocks everything from VLAN 10 to VLAN 20.
I want to allow only one host to communicate with VLAN 20. How do I do that?
08-25-2016 04:02 PM
Hi,
You may be able to achieve this in a few ways. With the little information I see in your post, you may be able to do something like the below:
access-list 100 permit ip host 192.168.1.11 any
access-list 100 deny ip vlan10-network vlan10-mask vlan20-network vlan20-mask
access-list 100 permit any any
Apply the ACL inbound on VLAN 10.
Then your host 192.168.1.11 in VLAN 10 can access VLAN 20 and other networks. Hosts in VLAN 10 cannot access VLAN 20 but can reach everything else. Is that what you wanted?
Cheers,
Prabath
**Please rate all useful posts**
08-26-2016 02:12 AM
Yes, I only want to allow IP 11 from VLAN 10 to communicate with VLAN 20.
Also, other members of VLAN 10 should communicate with each other and with VLAN 30.
I tried your steps as follows:
Switch(config)#access-list 100 permit ip host 192.168.1.11 any
Switch(config)#access-list 100 deny ip 192.168.1.1 255.255.255.0 192.168.2.1 255.255.255.0
Switch(config)#access-list 100 permit ip any any
Switch(config)#interface vlan 10
Switch(config-if)#ip access-group 10 in
The above is not restricting other hosts from communicating with VLAN 10.
08-26-2016 02:28 AM
Your ACL is not in the correct format. Try this:
Switch(config)#access-list 100 permit ip host 192.168.1.11 any
Switch(config)#access-list 100 deny ip any 192.168.2.0 255.255.255.0
Switch(config)#access-list 100 permit ip any any
08-26-2016 02:44 AM
I am trying this in Packet Tracer, by the way.
I have applied the above commands to interface VLAN 10 inbound, but it still allows all the hosts from VLAN 10 to communicate.
08-26-2016 06:15 AM
Hello
Example: allows only one host from VLAN 10 into VLAN 20 and denies all other traffic from VLAN 10.
Edited:
Assumption: 192.168.1.0/24
access-list 100 permit ip host 192.168.1.11 any
access-list 100 deny ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip any any
int vlan 20
ip access-group 100 out
res
Paul
08-26-2016 06:15 AM
access-list 100 deny ip x.x.x.x y.y.y.y ( vlan 10 range) any
How do I write the VLAN 10 range? My VLAN 10 is 192.168.1.1-192.168.1.255.
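As an added example that is not part of the thread: a small Python model of Cisco wildcard-mask matching (first match wins, implicit deny at the end), run over the ACL as typed earlier in the thread (subnet masks in the wildcard position) and over the same intent with proper wildcards. It shows why the typed version lets every VLAN 10 host through, and derives the wildcard for the 192.168.1.0/24 range asked about above; the VLAN prefixes are assumed to be /24 as in Paul's post, and the ACL entries are constructed from the thread.

```python
import ipaddress

def wildcard_for_cidr(cidr):
    """Return the 'network wildcard' pair a Cisco ACL expects for a CIDR prefix.
    The wildcard is the inverse of the subnet mask: 1-bits mean 'don't care'."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)

def _parse_addr(tokens):
    # Consume one address term ('any', 'host X', or 'X WILDCARD'); return ((base, wildcard), rest).
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    # 'access-list N permit|deny ip SRC DST' -> (action, src_term, dst_term); 'ip' entries only.
    tokens = line.split()
    if tokens[3] != "ip":
        raise ValueError("only 'ip' entries are modelled: " + line)
    src, rest = _parse_addr(tokens[4:])
    dst, _ = _parse_addr(rest)
    return tokens[2], src, dst

def _wc_match(addr, term):
    # Cisco wildcard semantics: compare only the bits that are 0 in the wildcard.
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr,) + term)
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)

def evaluate(acl_lines, src, dst):
    # First matching entry wins; an unmatched packet hits the implicit 'deny ip any any'.
    for line in acl_lines:
        action, s, d = parse_ace(line)
        if _wc_match(src, s) and _wc_match(dst, d):
            return action
    return "deny"

# Constructed from the thread: the ACL as typed, with subnet masks in the wildcard position.
AS_TYPED = [
    "access-list 100 permit ip host 192.168.1.11 any",
    "access-list 100 deny ip 192.168.1.1 255.255.255.0 192.168.2.1 255.255.255.0",
    "access-list 100 permit ip any any",
]
# The same intent with proper wildcard masks derived from the (assumed /24) VLAN prefixes.
CORRECTED = [AS_TYPED[0],
             "access-list 100 deny ip %s %s %s %s" % (*wildcard_for_cidr("192.168.1.0/24"),
                                                      *wildcard_for_cidr("192.168.2.0/24")),
             AS_TYPED[2]]
```

With the typed masks the deny entry only matches sources whose last octet is 1, so an ordinary VLAN 10 host such as 192.168.1.20 falls through to the final permit; with 0.0.0.255 it is denied while 192.168.1.11 and traffic to VLAN 30 still pass.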