Its Layer 3 and port 48 is just an upstream to a generic router so I have to route and manage these VLANs inside of the switch.

But how would I then allow VLAN 10 to speak with 20 and could you give an example of the ACL?

Hi,

I am sharing an example where communication is not allowed between VLAN 2 and VLAN 3.

interface Vlan2
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan3
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255  
!
access-list 102 permit ip any any
!
vlan access-map test 10
 match ip address 101
 action drop

!
vlan access-map test 20
 match ip address 102
 action forward
!
vlan filter test vlan-list 2

! (ACL applied on VLAN 2)

Regards,

Deepak Kumar

So that example right there would allow for VLAN 2 & 3 to speak to anything anywhere, but 20 is restricted?

Hi

No.. In the above example, ACL 101 has been dropped in the VLAN access map test (10). Means any Traffic between LAN 2 and Lan 3 are blocked in access map.

Final result: VLAN 2 and VLAN 3 will not communicate with each other. All other traffic will flow without any restriction. 

Regards,

Deepak Kumar

There are different solutions.

What @Deepak Kumar said is one of them.

There is also R-ACL that will looks like:

Let's assume your vlan 21 is 192.168.21.0/24 and your gateway to reach internet is 192.168.10.1.

Ip access-list extended GUEST

 permit ip 192.168.21.0 0.0.0.255 host 192.168.10.1

 deny ip 192.168.21.0 0.0.0.255 192.168.0.0 0.0.255

 Deny ip 192.168.21.0 0.0.0.255 172.16.0.0 0.15.255.255

 deny ip 192.168.21.0 0.0.0.255 10.0.0.0 0.255.255.255

 permit ip 192.168.21.0 0.0.0.255 any

Interface vlan 21

  ip access-group GUEST IN

This will deny guest to reach any rfc1918 subnets and allow to access anything else (internet)

So, does that mean at this moment that all VLANs can talk to one another?