VLAN Security on a 3560 switch

Unanswered Question
Dec 26th, 2007

I am using this switch in my lab for testing. There are no other layer 3 devices in my lab besides this switch. If I go ahead and set up my VLANs, can I still use access lists to allow or deny connectivity between different ports (devices) on different VLANs on this layer 3 switch?



Device A:


Device B:

Device C:

Device D:

How do I restrict access between Device C and Device A? In other words how can I let only Device B in VLAN2 communicate with Device A in VLAN1?

I know how to write the access list but not sure about the exact command. Would it be something like:

Access-list 101 extended permit tcp

Access-list 101 extended permit ip 192.168.2.10

Where do I apply the access-group command?

Or should I use a standard access-list?

And since there is an implicit deny at the end of every access-list, all other nodes on VLAN2 will be denied accessing VLAN2, correct?

Thanks for your help.

royalblues Wed, 12/26/2007 - 08:07


access-list 100 permit ip host host

access-list 100 deny ip

int vlan 2

ip access-group 100 in

The above access-list will allow device B to talk to only device A and deny all other communications because of the implicit deny at the end.
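Added example, not code from the thread or from Cisco: a small Python model of how the answer's access-list 100, applied "in" on the VLAN 2 SVI, decides each flow, using constructed addresses for devices A-D (VLAN 1 = 192.168.1.0/24, VLAN 2 = 192.168.2.0/24, all assumed). It also shows two points the thread does not spell out: same-VLAN traffic is switched at layer 2 and never reaches the SVI ACL, and the ACL is stateless, so a VLAN 1 host other than A can reach B but B's replies are dropped.

```python
# Added example (not from the original thread): model of a numbered extended
# ACL applied "ip access-group 100 in" on an SVI of a layer 3 switch.
# All addresses and VLAN membership below are constructed placeholders.
from ipaddress import ip_address, ip_network

VLANS = {1: ip_network("192.168.1.0/24"), 2: ip_network("192.168.2.0/24")}
HOSTS = {"A": "192.168.1.10", "D": "192.168.1.20",   # VLAN 1 (constructed)
         "B": "192.168.2.10", "C": "192.168.2.20"}   # VLAN 2 (constructed)

# access-list 100 as in the answer: one "permit ip host B host A" entry.
# The trailing "deny ip any any" is implicit and handled in acl_permits().
ACL_100 = [("permit", ip_network(HOSTS["B"] + "/32"), ip_network(HOSTS["A"] + "/32"))]

def vlan_of(ip):
    for vid, net in VLANS.items():
        if ip in net:
            return vid
    raise ValueError(f"{ip} is not in any lab VLAN")

def acl_permits(acl, src, dst):
    """First-match evaluation; falling off the end is the implicit deny."""
    for action, s_net, d_net in acl:
        if src in s_net and dst in d_net:
            return action == "permit"
    return False

def forwarded(src_name, dst_name, acl_in_on_vlan):
    """True if a packet src->dst gets through the switch.
    acl_in_on_vlan maps VLAN id -> ACL applied 'in' on that VLAN's SVI, i.e.
    it filters packets entering the switch from that VLAN's hosts. Traffic
    between two hosts in the same VLAN is bridged and never hits the SVI."""
    src, dst = ip_address(HOSTS[src_name]), ip_address(HOSTS[dst_name])
    src_vlan = vlan_of(src)
    if src_vlan == vlan_of(dst):
        return True
    acl = acl_in_on_vlan.get(src_vlan)
    return True if acl is None else acl_permits(acl, src, dst)

# "int vlan 2" / "ip access-group 100 in"; no ACL on the VLAN 1 SVI.
POLICY = {2: ACL_100}

if __name__ == "__main__":
    for flow in [("B", "A"), ("C", "A"), ("A", "B"), ("D", "B"), ("B", "D"), ("C", "B")]:
        verdict = "permit" if forwarded(*flow, POLICY) else "deny"
        print(f"{flow[0]} -> {flow[1]}: {verdict}")
```

Note that D -> B is permitted while B -> D is denied: the inbound ACL on VLAN 2 sees only B's reply, so any VLAN 1 host other than A gets one-way reachability to B unless the policy is written on both SVIs.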



