04-05-2011 05:48 AM - edited 03-06-2019 04:27 PM
Hi,
I have configured VLANs 10, 20 and 30 on a 2960 switch and placed one router in between.
It's a router-on-a-stick configuration.
I want to deny traffic coming from VLAN 10 to VLAN 20, but allow it from VLAN 10 to VLAN 30.
Please suggest.
04-05-2011 05:54 AM
vishalpatil86 wrote:
Hi,
I have configured VLANs 10, 20 and 30 on a 2960 switch and placed one router in between.
It's a router-on-a-stick configuration.
I want to deny traffic coming from VLAN 10 to VLAN 20, but allow it from VLAN 10 to VLAN 30.
Please suggest.
vlan10 = 192.168.5.0/24
vlan 20 = 192.168.6.0/24
vlan 30 = 192.168.7.0/24
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 any <-- note this line allows traffic to vlan 30 and also any other traffic, e.g. internet traffic from vlan 10.
int gi0/1.10
encapsulation dot1q 10
ip address 192.168.5.1 255.255.255.0
ip access-group 101 in
Jon
04-05-2011 07:36 AM
vlan10 = 192.168.5.0/24
vlan 20 = 192.168.6.0/24
vlan 30 = 192.168.7.0/24
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 any <-- note this line allows traffic to vlan 30 and also any other traffic, e.g. internet traffic from vlan 10.
int gi0/1.10
encapsulation dot1q 10
ip address 192.168.5.1 255.255.255.0
ip access-group 101 in
VLAN 10 traffic to VLAN 20 is denied, but I want to allow VLAN 20 traffic to VLAN 10.
04-05-2011 09:58 AM
Ah, well then you need to use reflexive access-lists; see this link for details:
http://www.cisco.com/en/US/customer/docs/ios/12_2/security/configuration/guide/scfreflx.html
Jon
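The following is an added example, not code from the thread or from Cisco, that models the two points made above: how ACL 101 is evaluated in first-match order with IOS wildcard masks and the implicit deny at the end, and why that static ACL cannot permit only the return half of a session that VLAN 20 initiated, which is the gap a reflexive ACL fills by creating a temporary mirrored entry from the initiating flow. The subnets are the ones Jon used; the host addresses, ports and the class and function names are constructed for the example.

```python
"""Model of ACL 101 from this thread plus a minimal reflexive-ACL filter.

Added example: not IOS code and not the posters' configuration. Subnets
match the thread; hosts and ports are constructed values.
"""
import ipaddress

# Jon's inbound ACL on gi0/1.10, quoted verbatim as the model's input.
ACL_101 = [
    "access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255",
    "access-list 101 permit ip 192.168.5.0 0.0.0.255 any",
]


def _parse_addr(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'network wildcard'."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(line):
    """Parse 'access-list N <permit|deny> ip <src> <dst>' into its parts."""
    t = line.split()
    if t[0] != "access-list" or t[3] != "ip":
        raise ValueError("only 'ip' entries are modelled: " + line)
    action = t[2]
    src, i = _parse_addr(t, 4)
    dst, _ = _parse_addr(t, i)
    return action, src, dst


def wildcard_match(addr, net, wildcard):
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def evaluate(acl, src, dst):
    """First matching entry wins; no match falls to the implicit deny."""
    for line in acl:
        action, (snet, swc), (dnet, dwc) = parse_ace(line)
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"


class ReflexiveFilter:
    """Simplified reflexive-ACL behaviour on the VLAN 10 subinterface.

    A flow leaving the router towards VLAN 10 (e.g. from VLAN 20) records a
    mirrored temporary entry. A packet arriving from VLAN 10 is permitted if
    it matches such an entry; otherwise the static ACL decides, so a
    connection that VLAN 10 itself initiates towards VLAN 20 is still denied.
    Entries are keyed on a constructed (src, sport, dst, dport) tuple; real
    IOS reflexive entries also track protocol and time out.
    """

    def __init__(self, static_acl):
        self.static_acl = static_acl
        self.reflected = set()

    def outbound_to_vlan10(self, src, sport, dst, dport):
        # Store the entry the way the return packet will look (mirrored).
        self.reflected.add((dst, dport, src, sport))
        return "permit"

    def inbound_from_vlan10(self, src, sport, dst, dport):
        if (src, sport, dst, dport) in self.reflected:
            return "permit"
        return evaluate(self.static_acl, src, dst)


if __name__ == "__main__":
    print("10->20:", evaluate(ACL_101, "192.168.5.10", "192.168.6.10"))
    print("10->30:", evaluate(ACL_101, "192.168.5.10", "192.168.7.10"))
    f = ReflexiveFilter(ACL_101)
    print("reply before session:", f.inbound_from_vlan10("192.168.5.10", 80, "192.168.6.20", 40000))
    f.outbound_to_vlan10("192.168.6.20", 40000, "192.168.5.10", 80)
    print("reply after session: ", f.inbound_from_vlan10("192.168.5.10", 80, "192.168.6.20", 40000))
```

Running the script shows the static ACL denying every VLAN 10 to VLAN 20 packet, including the replies to sessions VLAN 20 opened, while the reflexive filter permits exactly those replies and nothing else from VLAN 10 towards VLAN 20. In IOS the same split is expressed with `reflect` on the permit entries of the named ACL applied outbound on the subinterface and an `evaluate` entry placed before the deny in the inbound ACL, as the linked configuration guide describes.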
04-06-2011 12:18 AM
Reflexive ACL is not the solution.