VLAN ACL Question

cinmachina
Level 1

Is it possible to limit traffic on a VLAN to ONLY that specific VLAN, with a hole poked in for a couple of IP addresses?

Here's the scenario:

Want a network where the computers are only capable of talking to each other and ONE other server. I also need the ability for that server to penetrate that network, but NOTHING else.

Let's say it's VLAN 100

Let's say that network is 10.10.5.0/24

Let's say the server IP is 10.10.4.12/24

I would like this done on the main router, a 6509.

Accepted Solution

gatlin007
Level 4

In the simplest form you could use an ACL such as this:

access-list 100 permit ip host 10.10.4.12 10.10.5.0 0.0.0.255
! anything not matched above is dropped by the implicit "deny ip any any" at the end of the list

int vlan 100
 ip access-group 100 out
exit

*warning* this will not allow any hosts in 10.10.5.0/24 to communicate with hosts outside their network.

This will satisfy the requirement provided in the question:

Here's the scenario:

Want a network where the computers are only capable of talking to each other and ONE other server. I also need the ability for that server to penetrate that network, but NOTHING else.

크리스
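To see exactly what that one-line ACL permits and denies once it is applied "out" on the Vlan100 SVI, here is an added Python model (not from the thread) of Cisco wildcard-mask matching, first-match evaluation and the implicit deny; the sample packets and the 203.0.113.9 address are constructed. Traffic switched between two hosts inside VLAN 100 never crosses the SVI, so it is not subject to this ACL at all.

```python
# Added example (not from the thread): a small model of how IOS evaluates the
# extended ACL above when applied "out" on interface Vlan100. Packets are constructed.
import ipaddress
from typing import NamedTuple


class Packet(NamedTuple):
    src: str  # source IPv4 address
    dst: str  # destination IPv4 address


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def parse_ace(line: str):
    """Parse 'access-list <n> permit|deny ip <src> <dst>' where each address
    is 'host A.B.C.D', 'any', or 'A.B.C.D W.W.W.W'."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    action, rest, specs, i = tokens[2], tokens[4:], [], 0
    while i < len(rest):
        if rest[i] == "host":            # single host: wildcard 0.0.0.0
            specs.append((rest[i + 1], "0.0.0.0")); i += 2
        elif rest[i] == "any":           # any address: wildcard all ones
            specs.append(("0.0.0.0", "255.255.255.255")); i += 1
        else:                            # network + wildcard pair
            specs.append((rest[i], rest[i + 1])); i += 2
    return action, specs[0], specs[1]


def evaluate(acl: list, pkt: Packet) -> str:
    """First matching ACE wins; nothing matched hits the implicit 'deny ip any any'."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(pkt.src, sb, sw) and wildcard_match(pkt.dst, db, dw):
            return action
    return "deny"


# The ACL from the answer, filtering traffic the router forwards INTO VLAN 100.
ACL_100_OUT = ["access-list 100 permit ip host 10.10.4.12 10.10.5.0 0.0.0.255"]

if __name__ == "__main__":
    for p in (Packet("10.10.4.12", "10.10.5.50"),    # server -> VLAN 100 host: permit
              Packet("10.10.4.13", "10.10.5.50"),    # any other host -> VLAN 100: deny
              Packet("203.0.113.9", "10.10.5.50")):  # reply to a VLAN 100 host's own session: deny
        print(p, evaluate(ACL_100_OUT, p))
```

The third packet shows why the warning in the answer holds: a VLAN 100 host can still send a packet out through the SVI, but the reply is dropped on the way back in, so no two-way conversation with anything except 10.10.4.12 succeeds.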

