08-27-2007 01:48 AM - edited 03-05-2019 06:07 PM
Hello,
I request your assistance to set up an access-list in order to prohibit communication between VLANs. In my config I have 10 VLANs and I would not like them to talk to each other, except for my VLAN 4 (Administration), on which I have my DHCP configured.
In short: 10 VLANs, allow only communication with VLAN 4 and prohibit everything else.
Herewith the current config of my switch:
Thank you
08-27-2007 01:59 AM
Hi
access-list 101 permit ip any 192.168.0.0 0.0.0.255
access-list 101 deny ip any any
interface vlan2
ip access-group 101 in
interface vlan3
ip access-group 101 in
Couple of things to note
1) This will only allow VLAN 2 / 3 etc. to talk to VLAN 4. They will not be allowed to talk to any other destination IP addresses.
2) You don't have to use the same access-list number (101) for every VLAN interface if you don't want to.
3) If you want to allow your VLANs to talk to external IP addresses other than those on the switch, your access-list would look like this
for vlan 2
access-list 101 permit ip any 192.168.0.0 0.0.0.255
access-list 101 deny ip any 192.168.3.0 0.0.0.255
access-list 101 deny ip any 192.168.6.0 0.0.0.255
etc. for each of your VLANs
access-list 101 permit ip any any
HTH
Jon
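The two access-lists above are evaluated top-down, first match wins, with an implicit deny at the end. The following is an added example, not part of the original thread: a small evaluator for the Cisco extended-ACL syntax used in the reply, run over a few constructed flows from a VLAN 2 host. The VLAN 4 subnet (192.168.0.0/24) and the VLAN 3 and VLAN 6 subnets are taken from Jon's lists; the VLAN 2 host address 192.168.2.10, the external address 203.0.113.9 and the use of numbers 102 and 103 to keep the variants apart are assumptions. The third list is my own addition: if the other VLANs reach the DHCP server on VLAN 4 through an ip helper-address, the client's DHCPDISCOVER arrives at the SVI as a broadcast to 255.255.255.255, which does not match the permit to 192.168.0.0/24, so the first list as written would drop it; a bootps permit before the deny covers that case.

```python
import ipaddress

# Well-known port names that may appear in a Cisco ACL (subset).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}


def _addr(tokens):
    """Consume one Cisco address spec (any | host A | A WILDCARD); return ((addr, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    addr, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (addr, wild), tokens[2:]


def _port(tokens):
    """Consume an optional 'eq PORT' qualifier; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), tokens[2:]
    return None, tokens


def parse_acl(config):
    """Return {acl_number: [ace, ...]} from 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        number, action, proto = t[1], t[2], t[3]
        src, rest = _addr(t[4:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        acls.setdefault(number, []).append((action, proto, src, sport, dst, dport))
    return acls


def _match(spec, ip):
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    addr, wild = spec
    return ((addr ^ int(ipaddress.IPv4Address(ip))) & ~wild & 0xFFFFFFFF) == 0


def evaluate(aces, src, dst, proto="ip", sport=None, dport=None):
    """First matching entry wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for action, p, s, sp, d, dp in aces:
        if p != "ip" and p != proto:
            continue
        if sp is not None and sp != sport:
            continue
        if dp is not None and dp != dport:
            continue
        if _match(s, src) and _match(d, dst):
            return action
    return "deny"


# Jon's first list (with the 'deny ip any any' line as intended), applied inbound on the non-admin SVIs.
ACL_ADMIN_ONLY = """
access-list 101 permit ip any 192.168.0.0 0.0.0.255
access-list 101 deny ip any any
"""

# Jon's second variant for VLAN 2: block the other VLAN subnets, allow everything else.
# Numbered 102 here (an assumption) only so both lists can live in one dict.
ACL_ADMIN_AND_OUTSIDE = """
access-list 102 permit ip any 192.168.0.0 0.0.0.255
access-list 102 deny ip any 192.168.3.0 0.0.0.255
access-list 102 deny ip any 192.168.6.0 0.0.0.255
access-list 102 permit ip any any
"""

# My addition: the first list plus a permit for relayed DHCP client requests (UDP 68 -> 67).
ACL_ADMIN_ONLY_WITH_DHCP = """
access-list 103 permit udp any eq bootpc any eq bootps
access-list 103 permit ip any 192.168.0.0 0.0.0.255
access-list 103 deny ip any any
"""

# Constructed flows from a VLAN 2 host (192.168.2.10 is an assumed address in an assumed 192.168.2.0/24).
SAMPLE_FLOWS = {
    "vlan2_to_vlan4": dict(src="192.168.2.10", dst="192.168.0.5"),
    "vlan2_to_vlan3": dict(src="192.168.2.10", dst="192.168.3.7"),
    "vlan2_to_internet": dict(src="192.168.2.10", dst="203.0.113.9"),
    # DHCPDISCOVER as it enters the SVI before any helper-address relay: 0.0.0.0 -> limited broadcast.
    "vlan2_dhcp_discover": dict(src="0.0.0.0", dst="255.255.255.255", proto="udp", sport=68, dport=67),
}


def decisions(config, number):
    """Run every sample flow through ACL `number` of `config`; return {flow_name: 'permit'|'deny'}."""
    aces = parse_acl(config)[number]
    return {name: evaluate(aces, **flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for cfg, num in ((ACL_ADMIN_ONLY, "101"), (ACL_ADMIN_AND_OUTSIDE, "102"), (ACL_ADMIN_ONLY_WITH_DHCP, "103")):
        print(num, decisions(cfg, num))
```

Running it shows list 101 permitting only the VLAN 2 to VLAN 4 flow and dropping the DHCP broadcast, list 102 permitting the external destination while still denying VLAN 3, and list 103 restoring the DHCP request without opening anything else.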
08-27-2007 03:29 AM
Thank you very much for your assistance. I will test and I will keep you informed
08-27-2007 03:34 AM
What is the difference if I change the access-list number for every VLAN?
08-27-2007 06:58 AM
Hi
If you want to see how many hits per VLAN you are getting, then use separate access-lists, or if you need to be more granular and the rules are not exactly the same per VLAN.
HTH
Jon