VLAN access list

Unanswered Question
Oct 6th, 2008

Hi, in my Catalyst 4503 switch I want to block traffic from VLAN 2 to VLAN 3, but allow traffic from VLAN 3 to VLAN 2. Please tell me the commands.

Collin Clark Tue, 10/07/2008 - 11:38

How about an ACL? Let's assume vlan 2 is 192.168.2.0 /24 and vlan 3 is 192.168.3.0 /24.

ip access-list extended BLOCK-V2-V3

permit ip any any established

deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255

permit ip any any

Then apply it to the VLAN interface:

ip access-group BLOCK-V2-V3 out

Certainly double check my work before implementing.

Hope that helps.

acomiskey Tue, 10/07/2008 - 11:54

One small correction. You can only use "tcp" with established keyword.

permit tcp any any established

You can then apply either way you like.

int vlan 2

ip access-group BLOCK-V2-V3 in

or

int vlan 3

ip access-group BLOCK-V2-V3 out
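To make the behaviour of the corrected ACL concrete, here is an added example (not from the original thread or from Cisco) that parses the three entries acomiskey settled on and evaluates them against a few constructed packets, as the switch would see them inbound on interface vlan 2. It uses Collin's assumed subnets (VLAN 2 = 192.168.2.0/24, VLAN 3 = 192.168.3.0/24) and models only the subset of IOS extended-ACL syntax this thread uses: first-match, an implicit deny at the end, contiguous wildcard masks, and "established" matching TCP segments with ACK or RST set. It also shows why the original "permit ip any any established" line is rejected, and one caveat worth knowing: "established" only helps TCP, so replies from VLAN 2 to UDP or ICMP requests that originated in VLAN 3 are still dropped.

```python
"""Toy evaluator for the ACL discussed in this thread (added example).

Modelled entries, applied inbound on 'interface vlan 2':

    permit tcp any any established
    deny   ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
    permit ip any any

Subnets are Collin's assumption, not something stated by the asker.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                          # "tcp", "udp" or "icmp"
    tcp_flags: frozenset = frozenset()  # e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class Entry:
    action: str        # "permit" or "deny"
    proto: str         # "ip", "tcp", "udp", "icmp"
    src: IPv4Network
    dst: IPv4Network
    established: bool = False


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """Convert IOS 'address wildcard' into a network.

    Only contiguous wildcards (0.0.0.255, 0.0.255.255, ...) are handled;
    'any' maps to 0.0.0.0/0.
    """
    if addr == "any":
        return ip_network("0.0.0.0/0")
    wildcard_bits = int(IPv4Address(wildcard))
    prefix = 32 - wildcard_bits.bit_length()
    return ip_network(f"{addr}/{prefix}", strict=False)


def _take_addr(tokens: list[str]) -> tuple[IPv4Network, list[str]]:
    if tokens[0] == "any":
        return wildcard_to_network("any", ""), tokens[1:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str) -> list[Entry]:
    """Parse 'permit/deny <proto> <src> <dst> [established]' lines.

    Mirrors the IOS parser's rule from the thread: 'established' is only
    accepted together with 'tcp'.
    """
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # skips the 'ip access-list extended NAME' header
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        established = "established" in rest
        if established and proto != "tcp":
            raise ValueError(f"'established' is only valid with tcp: {line!r}")
        entries.append(Entry(action, proto, src, dst, established))
    return entries


def evaluate(acl: list[Entry], pkt: Packet) -> str:
    """First-match evaluation with the implicit 'deny ip any any' at the end."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if ip_address(pkt.src) not in e.src or ip_address(pkt.dst) not in e.dst:
            continue
        # 'established' matches segments with ACK or RST set, i.e. not the
        # bare SYN that opens a new connection.
        if e.established and not (pkt.tcp_flags & {"ACK", "RST"}):
            continue
        return e.action
    return "deny"


ACL_TEXT = """
ip access-list extended BLOCK-V2-V3
 permit tcp any any established
 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip any any
"""


def original_line_accepted() -> bool:
    """Collin's first version, as the IOS parser sees it."""
    try:
        parse_acl("permit ip any any established")
    except ValueError:
        return False
    return True


def demo() -> dict[str, str]:
    """Constructed packets, all sent by VLAN 2 hosts (inbound on vlan 2)."""
    acl = parse_acl(ACL_TEXT)
    flows = {
        "v2 opens tcp to v3 (SYN)": Packet("192.168.2.10", "192.168.3.20", "tcp", frozenset({"SYN"})),
        "v2 replies to v3-initiated tcp (ACK)": Packet("192.168.2.10", "192.168.3.20", "tcp", frozenset({"ACK"})),
        "v2 replies to v3-initiated udp": Packet("192.168.2.10", "192.168.3.20", "udp"),
        "v2 to some other network": Packet("192.168.2.10", "10.0.0.5", "tcp", frozenset({"SYN"})),
    }
    return {name: evaluate(acl, p) for name, p in flows.items()}


if __name__ == "__main__":
    print("original 'permit ip any any established' accepted:", original_line_accepted())
    for name, verdict in demo().items():
        print(f"{verdict:6}  {name}")
```

Traffic sent by VLAN 3 hosts never hits this ACL when it is applied inbound on vlan 2 (or outbound on vlan 3), which is what keeps the VLAN 3 to VLAN 2 direction open. The "udp" case is the one to watch: if VLAN 2 hosts a DNS or NTP server that VLAN 3 clients use, their replies are dropped by the second entry, and you would need explicit permit lines for those return flows ahead of the deny.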

mahendran.a Wed, 10/08/2008 - 21:36

Hey Collin

Thank you for your reply. I tried to configure this command, but in the permit ip any any established command the established is not working. Could you suggest what the issue is?

My current version:

Cisco IOS Software, Catalyst 4000 L3 Switch Software (cat4000-I9S-M), Version 12.2(25)EWA6, RELEASE SOFTWARE (fc1)

acomiskey Thu, 10/09/2008 - 09:23

See my previous post. You cannot use "ip" with the established keyword, just as you cannot use it with "udp". It must be "tcp".

permit tcp any any established
