who can help me with this ACL problem

diablo_mtc · ‎09-23-2007

hi experts,

I have a layer 3 switch and i am trying to accomplish this task: there are two VLAN , supposed VLAN 10 and VLAN 20 , I want PCs in VLAN 10 can ping VLAN 20 but PCs in VLAN 20 can not ping PCs in VLAN 10 , anyone can give me some advises?

thank you!

spremkumar · ‎09-23-2007

hi

check for Firewalls in the client pc and also for ACLs under the vlans.

if possible do post out the config here.

regds

diablo_mtc · ‎09-23-2007

thankyou for replying

i am afraid you do not understand what i mean, or maybe i do not express clearly. what i want to do is that PCs in vlan 10 can ping PCs in vlan 20 but PCs in vlan 20 can not ping PCs in vlan 10. just some kind of one direction communication.

aboelhouwers · ‎09-24-2007

Create an extended incoming access-list on interface vlan 20 with the following entries:

permit icmp any any echo-reply

deny ip any any

aboelhouwers · ‎09-24-2007

sorry, I meant outgoing access-list: for example

interface vlan 20

ip address

ip access-group out

diablo_mtc · ‎09-24-2007

how about TCP connections?

Does PCs in VLAN 20 can open TCP/UDP connection to PCs in VLAN 10?

Edison Ortiz · ‎09-24-2007

ip access-list extended Vlan20_IN

deny icmp [vlan20 subnet] any echo

permit ip any any

interface vlan 10

ip access-group Vlan20_IN