10-23-2007 06:50 AM - edited 03-05-2019 07:15 PM
I'm trying to restrict access between these two VLANs. The design is simple: just restrict anything (IP) in the 10.1.20.X range from getting to the 10.1.10.X range. I've been toying with reflexives but cannot seem to get it to work.
interface Vlan10
description **Staff**
ip address 10.1.10.1 255.255.255.0
ip helper-address 10.1.3.2
!
interface Vlan20
description **Students1**
ip address 10.1.20.1 255.255.254.0
ip access-group student2staff in
ip helper-address 10.1.3.2
!
ip access-list extended staff2student
permit ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.1.255 reflect staffreturn
permit ip any any
!
ip access-list extended student2staff
permit ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.1.255
evaluate staffreturn
permit icmp 10.1.20.0 0.0.1.255 10.1.10.0 0.0.0.255 echo-reply
deny ip 10.1.20.0 0.0.1.255 10.254.0.0 0.0.255.255
deny ip 10.1.20.0 0.0.1.255 10.1.10.0 0.0.0.255
deny ip 10.1.20.0 0.0.1.255 10.250.0.0 0.0.255.255
permit ip any any
10-24-2007 09:21 AM
interface Vlan20
description **Students1**
ip address 10.1.20.1 255.255.254.0
Please check the subnet mask.
regards
shivlu
10-24-2007 10:42 AM
What do you see wrong with the subnet mask? The students subnet needs to be 10.1.20.0 - 10.1.21.254
10-24-2007 10:57 AM
So you want to block traffic from students to staff. Do you want there to be any communication from the staff to students?
10-24-2007 10:58 AM
nothing should be blocked from staff to students
10-24-2007 11:02 AM
Since the ACL is one-way, so many statements are not required. Simply:
ip access-list extended student2staff
deny ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.1.255
permit ip any any
10-24-2007 11:09 AM
That would work but I assume this is a switch which is not stateful. Therefore if staff tried to contact students, the return traffic from the students would be blocked by the deny line in the ACL. And it would actually be...
ip access-list extended student2staff
deny ip 10.1.20.0 0.0.1.255 10.1.10.0 0.0.0.255
permit ip any any
10-24-2007 11:14 AM
Since the ACL is inbound on the student VLAN, it would check only traffic originated by that VLAN. Since there is no ACL outbound on this VLAN, all traffic towards students should flow without hampering.
10-24-2007 11:20 AM
The definition of inbound in this case is really inbound to a student VLAN port. Therefore any traffic originating from a student machine would be checked against this ACL, including replies from traffic originated by staff.
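An added example, not part of any post in this thread: a small Python simulation of the stateless student2staff ACL from the thread, applied inbound on Vlan20, showing that a student's reply to a staff-originated connection hits the deny line, and that a reflexive entry (the thread's "reflect staffreturn" / "evaluate staffreturn" pair, placed before the deny) lets that exact reply through. It assumes the reflect entry is applied on the staff-originated direction and simplifies reflexive state to a (src, dst) IP pair rather than IOS's full protocol/port tuple.

```python
import ipaddress

def matches(addr, network, wildcard):
    """Cisco wildcard-mask match: bits set in the wildcard are 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)

# The corrected stateless ACL from the thread, applied inbound on Vlan20.
STUDENT2STAFF = [
    ("deny",   "10.1.20.0", "0.0.1.255",       "10.1.10.0", "0.0.0.255"),
    ("permit", "0.0.0.0",   "255.255.255.255", "0.0.0.0",   "255.255.255.255"),
]

def filter_packet(acl, src, dst, sessions=None):
    """Return 'permit' or 'deny' for a packet entering the SVI from a student
    host. `sessions` stands in for the temporary reflexive entries created by
    'reflect staffreturn'; checking it first models 'evaluate staffreturn'
    placed ahead of the deny line. (Simplified to IP pairs, not full 5-tuples.)"""
    if sessions is not None and (dst, src) in sessions:  # mirrored reply
        return "permit"
    for action, s, swc, d, dwc in acl:
        if matches(src, s, swc) and matches(dst, d, dwc):
            return action
    return "deny"  # implicit deny at the end of every Cisco ACL

def staff_opens_session(staff, student, sessions):
    """Staff-originated packet toward a student. Nothing filters it in the
    thread's design; with 'reflect staffreturn' on that direction (assumed
    here) it records the pair so the reply can be evaluated later."""
    sessions.add((staff, student))
    return "permit"

if __name__ == "__main__":
    # Constructed sample hosts: a staff PC and a student PC in the /23.
    staff, student = "10.1.10.9", "10.1.21.5"
    print("student -> staff, stateless:", filter_packet(STUDENT2STAFF, student, staff))
    reflexive = set()
    staff_opens_session(staff, student, reflexive)
    print("student reply, with reflexive entry:",
          filter_packet(STUDENT2STAFF, student, staff, reflexive))
    print("student -> other staff host, with reflexive entry:",
          filter_packet(STUDENT2STAFF, student, "10.1.10.7", reflexive))
```

Run it as-is: the stateless case prints deny for the reply, the reflexive case prints permit for the mirrored reply only, and an unsolicited student-to-staff packet stays denied.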