intervlan access list

vishalpatil86
Level 1

Hi,

I have configured two VLANs, 10 and 20, 30, on a 2960 switch and placed one router in between.

It's a router-on-a-stick configuration.

I want to deny traffic coming from VLAN 10 to VLAN 20, but allow traffic from VLAN 10 to VLAN 30.

Please suggest.

4 Replies

Jon Marshall
Hall of Fame

vishalpatil86 wrote:

Hi,

I have configured two VLANs, 10 and 20, 30, on a 2960 switch and placed one router in between.

It's a router-on-a-stick configuration.

I want to deny traffic coming from VLAN 10 to VLAN 20, but allow traffic from VLAN 10 to VLAN 30.

Please suggest.

vlan 10 = 192.168.5.0/24

vlan 20 = 192.168.6.0/24

vlan 30 = 192.168.7.0/24

access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 101 permit ip 192.168.5.0 0.0.0.255 any   <-- note this line allows traffic to vlan 30 and also any other traffic, e.g. internet traffic from vlan 10.

int gi0/1.10

encapsulation dot1q 10

ip address 192.168.5.1 255.255.255.0

ip access-group 101 in

Jon

VLAN 10 traffic to VLAN 20 is denied, but I want to allow VLAN 20 traffic to VLAN 10.

Ah, well then you need to use reflexive access-lists, see this link for details -

http://www.cisco.com/en/US/customer/docs/ios/12_2/security/configuration/guide/scfreflx.html

Jon
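The following is an added illustration, not part of the thread or Cisco's code: it models the first-match, implicit-deny evaluation of access-list 101 (with Cisco wildcard-mask semantics) on the gi0/1.10 inbound direction, then shows why the stateless ACL also drops VLAN 10's replies to a session that VLAN 20 started, and how a reflexive (mirrored, temporary) entry fixes that. The reflexive model is simplified to source/destination addresses only; real reflexive ACLs also track protocol and ports. The sample packets are constructed.

```python
from ipaddress import IPv4Address


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    diff = int(IPv4Address(addr)) ^ int(IPv4Address(network))
    return diff & ~int(IPv4Address(wildcard)) & 0xFFFFFFFF == 0


# access-list 101 from the thread: (action, src, src_wildcard, dst, dst_wildcard)
ACL_101 = [
    ("deny", "192.168.5.0", "0.0.0.255", "192.168.6.0", "0.0.0.255"),
    ("permit", "192.168.5.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),  # 'any'
]


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for action, s, swc, d, dwc in acl:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "deny"


def forward(packets, reflexive: bool = False):
    """Simulate the router-on-a-stick. Each packet is (ingress_vlan, src, dst).
    Only gi0/1.10 has ACL 101 inbound, as in the thread. With reflexive=True, a
    packet entering from another VLAN toward VLAN 10 installs a temporary
    mirrored entry so VLAN 10's reply is permitted (the reflexive-ACL idea)."""
    temp = []  # mirrored (src, dst) pairs allowed inbound on gi0/1.10
    results = []
    for vlan, src, dst in packets:
        if vlan == 10:
            if reflexive and (src, dst) in temp:
                action = "permit"
            else:
                action = evaluate(ACL_101, src, dst)
        else:
            action = "permit"  # no ACL on the other subinterfaces
            if reflexive and wildcard_match(dst, "192.168.5.0", "0.0.0.255"):
                temp.append((dst, src))  # mirror: reply from dst back to src
        results.append(action)
    return results


SAMPLE = [  # constructed packets
    (10, "192.168.5.10", "192.168.6.20"),  # VLAN 10 -> VLAN 20: denied
    (10, "192.168.5.10", "192.168.7.30"),  # VLAN 10 -> VLAN 30: permitted
    (10, "192.168.5.10", "203.0.113.5"),   # VLAN 10 -> elsewhere: 'any' permits
    (20, "192.168.6.20", "192.168.5.10"),  # VLAN 20 -> VLAN 10: no ACL
    (10, "192.168.5.10", "192.168.6.20"),  # VLAN 10's reply: stateless deny
]
```

Running forward(SAMPLE) returns a deny for the last packet, which is exactly the follow-up complaint in the thread; forward(SAMPLE, reflexive=True) permits it while the first packet, an unsolicited VLAN 10 to VLAN 20 flow, is still denied.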

Reflexive ACL is not the solution.