I am configuring a 3560 switch that has 3 VLANs, i.e.
vlan 223 - server - 10.4.223.0 /24 - 10.4.223.1
vlan 224 - user - 10.4.224.0 /24 - 10.4.224.1
vlan 225 - internet - 10.4.225.0 /24 - 10.4.225.2
10.4.225.1 is the ISP gateway from the switch, which I am using as the next hop on the switch.
VLAN 225 is where the ISP is connected for internet. I want to allow only UDP for 10.4.223.2; the rest of the IPs should not go to the internet, but VLAN 224 and VLAN 225 should access VLAN 223.
I am writing the access list but it's not working:
ip access-list extended Subnet_Vlan223
permit udp any 10.4.223.1 0.0.0.255 eq 53
deny ip host 10.4.225.1 10.4.224.3 0.0.0.252 - I want hosts 10.4.224.3-254 to be blocked from communicating with 10.4.225.1
permit ip any any
ip access-group Subnet_Vlan223 in
The first IP should be the source and the second the destination. Since this is an inbound access-list, your ACL looks backwards.
The deny statement may need to be written as two lines: allow .2 to access .1, deny the whole Class C network from getting to .1
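To check the source/destination order and the wildcard mask before applying an ACL, here is a small model of IOS extended-ACL evaluation (an added example, not code from the thread). It evaluates the ACL exactly as posted in the question next to one reading of the answer's fix, which assumes that ".2" means 10.4.224.2 because the question wants 10.4.224.3-254 blocked.

```python
import ipaddress

# Added example (not from the thread): models Cisco IOS extended-ACL evaluation.
# Entries are tried top-down, first match wins, implicit "deny" at the end. Only the
# syntax used in the thread is modelled: any / host X / X WILDCARD and an optional
# "eq PORT" after the destination.
def wildcard_match(addr, base, wildcard):
    """True if addr matches base under a Cisco wildcard mask (1 bits = don't care)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def hosts_matched(base, wildcard):
    """Every address in base's /24 that the base/wildcard pair actually matches."""
    net = ipaddress.IPv4Network(f"{base}/24", strict=False)
    return [str(h) for h in net if wildcard_match(str(h), base, wildcard)]

def _take_addr(tokens):
    """Consume 'any', 'host X' or 'X WILDCARD'; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def evaluate(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one packet (proto, src IP, dst IP, dst port)."""
    for entry in acl:
        action, eproto, *rest = entry.split()
        (sb, sw), rest = _take_addr(rest)   # source comes first
        (db, dw), rest = _take_addr(rest)   # then destination
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        if eproto != "ip" and eproto != proto:
            continue
        if not (wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"   # implicit deny at the end of every IOS ACL

# The ACL exactly as posted in the question.
ORIGINAL = [
    "permit udp any 10.4.223.1 0.0.0.255 eq 53",
    "deny ip host 10.4.225.1 10.4.224.3 0.0.0.252",
    "permit ip any any",
]
# One reading of the answer (assumption: ".2" is 10.4.224.2): source first,
# permit .2 to reach the gateway, then deny the rest of the /24.
CORRECTED = [
    "permit ip host 10.4.224.2 host 10.4.225.1",
    "deny ip 10.4.224.0 0.0.0.255 host 10.4.225.1",
    "permit ip any any",
]
```

hosts_matched("10.4.224.3", "0.0.0.252") shows the posted wildcard covers only every fourth address (.3, .7, ...), not .3-.254, and evaluate(ORIGINAL, "tcp", "10.4.224.4", "10.4.225.1", 443) still returns "permit" because the deny names the gateway as the source.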