VLAN Security

Unanswered Question
Sep 12th, 2008

I currently have a 2960 switch with 2 VLANs on it (VLAN 99 and VLAN 102). The switches are connected to two 4507s via trunks.

I want the hosts in VLAN 99 to be able to communicate with only a limited set of hosts in VLAN 102 on the 2 4507s.

I have included a drawing.

The only way I can figure to do that is by putting access-lists on all the interfaces in the 4507; of course this makes no sense.

Any ideas would be appreciated.

merryllem Fri, 09/12/2008 - 17:06

The only place you would need to put an ACL is on vlan interface of VLAN 90.

ip access-list ext hello
 permit ip h.h.h.h n.n.n.n h.h.h.h n.n.n.n

int vlan 90
 ip access-group hello in

dohogue Fri, 09/12/2008 - 17:56

Are you talking about putting an ACL on the int VLAN 99 on each of the 4507s?

I thought of that but felt that would only control traffic going to that particular interface on either of the 2 4507s. It would not control traffic on any other interface.

I don't think the 4507 supports VACLs, and isn't that what you are speaking of?

Marwan ALshawi Fri, 09/12/2008 - 18:10

First of all, VACLs filter traffic within the same VLAN, while your case is between two different VLANs.

You can achieve it, as mentioned in the previous post, through an ACL applied to VLAN 99.

For example, let's say VLAN 99 is

and VLAN 2 is

You want hosts in VLAN 99 to communicate with only two hosts, for example and

access-list 100 permit ip host
access-list 100 permit ip host

interface vlan 99
 ip access-group 100 in

By the way, those permitted hosts in VLAN 2 will only be able to communicate with hosts in VLAN 99, because this ACL will filter the return path for communication from 2 to 99 as well.

If helpful, rate.
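The following is an added example, not code from the thread: a small model of IOS extended-ACL matching (wildcard masks, first match wins, implicit deny) used to check which flows an ACL applied "in" on interface vlan 99 actually stops. The addressing is constructed for the example (VLAN 99 = 10.99.0.0/24, permitted VLAN 102 hosts 10.102.0.10 and 10.102.0.20); the thread gives no addresses.

```python
# Added example (not from the thread): model of "ip access-group 100 in" on
# interface vlan 99 to see what is and is not filtered.
from ipaddress import IPv4Address

# Constructed addressing, not given in the thread.
VLAN99_NET, VLAN99_WILD = "10.99.0.0", "0.0.0.255"
ALLOWED_102 = ("10.102.0.10", "10.102.0.20")


def wild_match(addr, net, wildcard):
    """IOS wildcard mask: a 1 bit in the mask means 'don't care'."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, net, wildcard))
    return (a ^ n) & ~w == 0


# access-list 100 permit ip 10.99.0.0 0.0.0.255 host <allowed host>
# Entries are (action, src, src_wildcard, dst, dst_wildcard); order matters.
ACL_100 = [("permit", VLAN99_NET, VLAN99_WILD, h, "0.0.0.0") for h in ALLOWED_102]


def acl_action(acl, src, dst):
    """First matching entry wins; no match hits the implicit 'deny any any'."""
    for action, s, sw, d, dw in acl:
        if wild_match(src, s, sw) and wild_match(dst, d, dw):
            return action
    return "deny"


def svi_in_filter(pkt_src, pkt_dst, src_vlan, acl_vlan=99):
    """An inbound ACL on interface vlan 99 only sees packets entering the SVI
    from VLAN 99 hosts. Packets routed toward VLAN 99 from another VLAN enter
    that VLAN's SVI and never pass this ACL."""
    if src_vlan != acl_vlan:
        return "permit"  # not evaluated by ACL 100 at all
    return acl_action(ACL_100, pkt_src, pkt_dst)


def conversation_allowed(a, a_vlan, b, b_vlan):
    """A two-way exchange works only if request and reply both pass, which is
    why the inbound ACL on vlan 99 also cuts off unlisted VLAN 102 hosts."""
    return (svi_in_filter(a, b, a_vlan) == "permit"
            and svi_in_filter(b, a, b_vlan) == "permit")
```

Note that a single packet from an unlisted VLAN 102 host still reaches VLAN 99 (only the reply is dropped), so one-way traffic such as unsolicited UDP is not blocked by this placement alone.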
