intervlan access list

vishalpatil86 · ‎04-05-2011

hi,

i have configured two vlans 10 and 20, 30 on 2960 switch and placed one router in between.

Its router on a stick configuration.

I want to deny traffic coming from vlan 10 to vlan 20, but allow from vlan 10 to vlan 30.

Pls suggest.

Jon Marshall · ‎04-05-2011

vishalpatil86 wrote:

hi,

i have configured two vlans 10 and 20, 30 on 2960 switch and placed one router in between.

Its router on a stick configuration.

I want to deny traffic coming from vlan 10 to vlan 20, but allow from vlan 10 to vlan 30.

Pls suggest.

vlan10 = 192.168.5.0/24

vlan 20 = 192.168.6.0/24

vlan 30 = 192.168.7.0/24

access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 101 permit ip 192.168.5.0 0.0.0.255 any <-- note this line allows traffic to vlan 30 and also any other traffic eg. internet traffic from vlan 10.

int gi0/1.10

encapsulation dot1q 10

ip address 192.168.5.1 255.255.255.0

ip access-group 101 in

Jon

vishalpatil86 · ‎04-05-2011

vlan10 = 192.168.5.0/24

vlan 20 = 192.168.6.0/24

vlan 30 = 192.168.7.0/24

access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 101 permit ip 192.168.5.0 0.0.0.255 any <-- note this line allows traffic to vlan 30 and also any other traffic eg. internet traffic from vlan 10.

int gi0/1.10

encapsulation dot1q 10

ip address 192.168.5.1 255.255.255.0

ip access-group 101 in

vlan 10 tarffic to vlan 20 is denied but want to allow vlan 20 traffic to vlan 10.

Jon Marshall · ‎04-05-2011

Ah, well then you need to use reflexive access-lists, see this link for details -

http://www.cisco.com/en/US/customer/docs/ios/12_2/security/configuration/guide/scfreflx.html

Jon

vishalpatil86 · ‎04-06-2011

reflexive acl is not solution