Access-list Switch 3750

Aug 27th, 2007

Hello,

I would like your assistance setting up an access-list to prohibit communication between VLANs. In my config I have 10 VLANs and I would not like them to talk to each other, except for my VLAN 4 (Administration), where I have my DHCP configured.


In short: 10 VLANs, allow only communication with VLAN 4 and prohibit everything else.


Here is my current switch config:


Thank you



Jon Marshall Mon, 08/27/2007 - 01:59

Hi


! VLAN 4 is assumed here to be 192.168.0.0/24
access-list 101 permit ip any 192.168.0.0 0.0.0.255

! "permit deny" is not valid IOS syntax; the closing entry is "deny ip any any"
! (redundant with the implicit deny at the end of every ACL, but it gives a hit counter)
access-list 101 deny ip any any


interface vlan2

ip access-group 101 in


interface vlan3

ip access-group 101 in


A couple of things to note:


1) This will only allow vlan 2 / 3 etc. to talk to vlan 4. They will not be allowed to talk to any other destination IP addresses.


2) You don't have to use the same access-list number (101) for every vlan interface if you don't want to.


3) If you want to allow your vlans to talk to external IP addresses other than those on the switch, your access-list would look like this:


for vlan 2


access-list 101 permit ip any 192.168.0.0 0.0.0.255

access-list 101 deny ip any 192.168.3.0 0.0.0.255

access-list 101 deny ip any 192.168.6.0 0.0.0.255

etc... for each of your vlans

access-list 101 permit ip any any


HTH


Jon
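The evaluation semantics behind the lists in the reply above, as an added example that is not part of the original post: a small Python parser and first-match evaluator for the IOS extended access-list subset used in the thread (ip/udp/tcp, `any` / `host` / network plus wildcard mask, optional `eq` ports), with the implicit `deny ip any any` at the end. It runs a few constructed flows, as they would arrive inbound on `interface vlan2`, through three lists: list 101 from the reply (with "permit deny" corrected to "deny"), an assumed list 102 that adds one entry permitting the DHCP client broadcast, and Jon's "allow external addresses" variant as list 103. VLAN 4 as 192.168.0.0/24 is taken from the reply; every other subnet, host address and port is an assumption for illustration. The DHCP entry is there because an inbound ACL on the SVI is evaluated before `ip helper-address` relays the DHCPDISCOVER (source 0.0.0.0, destination 255.255.255.255), so list 101 as written would stop new clients in VLAN 2 from ever reaching the DHCP server in VLAN 4.

```python
"""Toy parser/evaluator for the IOS extended access-list syntax in this thread.
Added example, not code from the original post. Only list 101's addresses come
from the thread; other subnets, hosts and ports are assumed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

NAMED_PORTS = {"bootps": 67, "bootpc": 68}
AddrSpec = Tuple[int, int]  # (network, wildcard mask) as 32-bit ints


@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches any protocol; "udp"/"tcp" match only that one
    src: AddrSpec
    src_port: Optional[int]
    dst: AddrSpec
    dst_port: Optional[int]


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' [eq PORT] starting at tokens[i]."""
    if tokens[i] == "any":
        spec, i = (0, 0xFFFFFFFF), i + 1
    elif tokens[i] == "host":
        spec, i = (_ip(tokens[i + 1]), 0), i + 2
    else:
        spec, i = (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = NAMED_PORTS.get(tokens[i + 1]) or int(tokens[i + 1]), i + 2
    return spec, port, i


def parse_acl(config: str, number: int):
    """Collect the entries of one numbered list, in order, from a config fragment."""
    aces = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[1] != str(number):
            continue  # blank lines, '!' comments, other lists
        action, proto = t[2], t[3]
        if action not in ("permit", "deny") or proto not in ("ip", "udp", "tcp"):
            # IOS rejects this too, e.g. the thread's 'permit deny ip any any'
            raise ValueError(f"malformed ACE: {line.strip()!r}")
        src, sport, i = _parse_addr(t, 4)
        dst, dport, i = _parse_addr(t, i)
        if i != len(t):
            raise ValueError(f"trailing tokens in ACE: {line.strip()!r}")
        aces.append(Ace(action, proto, src, sport, dst, dport))
    return aces


def _addr_match(spec: AddrSpec, addr: int) -> bool:
    net, wild = spec
    care = ~wild & 0xFFFFFFFF  # a 1 bit in the wildcard mask means "don't care"
    return (addr & care) == (net & care)


def evaluate(aces, proto, src, dst, sport=None, dport=None) -> str:
    """First matching entry wins; every IOS list ends with an implicit 'deny ip any any'."""
    s, d = _ip(src), _ip(dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_addr_match(ace.src, s) and _addr_match(ace.dst, d)):
            continue
        if ace.src_port is not None and ace.src_port != sport:
            continue
        if ace.dst_port is not None and ace.dst_port != dport:
            continue
        return ace.action
    return "deny"


# List 101 from the reply, with 'permit deny' corrected to 'deny'.
ACL_VLAN4_ONLY = """
access-list 101 permit ip any 192.168.0.0 0.0.0.255
access-list 101 deny ip any any
"""
# Assumed hardening: let the DHCP client broadcast through before the VLAN 4 permit.
ACL_WITH_DHCP = """
access-list 102 permit udp any eq bootpc host 255.255.255.255 eq bootps
access-list 102 permit ip any 192.168.0.0 0.0.0.255
access-list 102 deny ip any any
"""
# The reply's 'allow external addresses' variant for vlan 2 (other subnets assumed).
ACL_ALLOW_EXTERNAL = """
access-list 103 permit ip any 192.168.0.0 0.0.0.255
access-list 103 deny ip any 192.168.3.0 0.0.0.255
access-list 103 deny ip any 192.168.6.0 0.0.0.255
access-list 103 permit ip any any
"""

# Constructed flows as seen inbound on interface vlan2 (host 192.168.2.10 assumed).
FLOWS = {
    "dhcp discover": ("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "to vlan4 server": ("tcp", "192.168.2.10", "192.168.0.5", 51000, 445),
    "to vlan3 host": ("tcp", "192.168.2.10", "192.168.3.20", 51001, 22),
    "to internet": ("udp", "192.168.2.10", "8.8.8.8", 51002, 53),
}


def run(acl_text: str, number: int) -> dict:
    """Return {flow name: 'permit' | 'deny'} for one list applied inbound on vlan2."""
    aces = parse_acl(acl_text, number)
    return {name: evaluate(aces, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, text, n in (("101", ACL_VLAN4_ONLY, 101), ("102", ACL_WITH_DHCP, 102),
                           ("103", ACL_ALLOW_EXTERNAL, 103)):
        print(label, run(text, n))
```

With list 101 the DHCP discover is denied while the unicast flow to the VLAN 4 server is permitted; list 102 permits both; list 103 additionally permits the Internet-bound flow but still denies VLAN 3, which is the behaviour the reply describes under point 3. Feeding the original "permit deny ip any any" line to `parse_acl` raises, mirroring what the switch CLI does with it.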

amirovic13 Mon, 08/27/2007 - 03:29

Thank you very much for your assistance. I will test and I will keep you informed

amirovic13 Mon, 08/27/2007 - 03:34

What is the difference if I change the access-list number for every VLAN?


Jon Marshall Mon, 08/27/2007 - 06:58

Hi


If you want to see how many hits per VLAN you are getting, use separate access-lists; the same applies if you need to be more granular and the rules are not exactly the same for every VLAN.


HTH


Jon
