Hello
I have some Catalyst 3560s that have about 10 VLANs set up on them. I want to isolate a few VLANs from being able to access certain VLANs, but only in one direction. For example:
Vlan 100 is 10.10.100.0/24
Vlan 200 is 192.168.100.0/24
I would like a host in Vlan 100 to be able to initiate a session with a host in Vlan 200, but at the same time I don't want a host in Vlan 200 to be able to initiate a session with a host in Vlan 100. Kinda like a PIX/ASA DMZ ACL. Is this possible? When I try putting an ACL on the Vlan interface like below, it does not work. This is because once a host in vlan 100 (10.10.100.x) initiates a session with a host in vlan 200 (192.168.100.x), the second ACL entry blocks the return traffic. Any suggestions?
access-list 115 permit ip 10.10.100.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 115 deny ip 192.168.100.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 115 permit ip 192.168.100.0 0.0.0.255 any
Interface Vlan200
ip address 192.168.100.1 255.255.255.0
ip access-group 115 in
Thanks
Colin
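As an added illustration (not from Colin's post or the switch itself), here is a small Python model of IOS first-match ACL evaluation with wildcard masks. It reproduces why the posted ACL 115, applied inbound on Vlan200, drops the return traffic of a session started from Vlan 100, and then shows the effect of an entry that matches the TCP ACK bit the way IOS's `established` keyword does. The hosts 10.10.100.5 and 192.168.100.20 and the `established` entry are constructed assumptions, not part of the original config.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str        # "tcp", "udp", "icmp"
    src: str
    dst: str
    ack: bool = False  # TCP ACK bit; set on every segment after the initial SYN

def wildcard_match(ip, net, wildcard):
    """IOS wildcard mask: 0 bits must match, 1 bits are don't-care."""
    ip_i, net_i = int(ipaddress.ip_address(ip)), int(ipaddress.ip_address(net))
    wc_i = int(ipaddress.ip_address(wildcard))
    return (ip_i | wc_i) == (net_i | wc_i)

def acl_decision(acl, pkt):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, proto, src, src_wc, dst, dst_wc, established in acl:
        if proto not in ("ip", pkt.proto):
            continue
        if not (wildcard_match(pkt.src, src, src_wc)
                and wildcard_match(pkt.dst, dst, dst_wc)):
            continue
        if established and not pkt.ack:   # 'established' only matches ACK/RST segments
            continue
        return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")

# The ACL exactly as posted (entry 1 can never match traffic entering from Vlan200).
ACL_115 = [
    ("permit", "ip", "10.10.100.0", "0.0.0.255", "192.168.100.0", "0.0.0.255", False),
    ("deny",   "ip", "192.168.100.0", "0.0.0.255", "10.10.100.0", "0.0.0.255", False),
    ("permit", "ip", "192.168.100.0", "0.0.0.255", *ANY, False),
]

# Assumed variant: permit TCP replies (ACK set) toward Vlan 100 before the deny.
# Note this only helps TCP; UDP and ICMP replies would still hit the deny entry.
ACL_115_ESTABLISHED = [
    ("permit", "tcp", "192.168.100.0", "0.0.0.255", "10.10.100.0", "0.0.0.255", True),
] + ACL_115[1:]

# Constructed packets as they enter the switch on Vlan200 ("ip access-group 115 in").
RETURN_SYNACK = Packet("tcp", "192.168.100.20", "10.10.100.5", ack=True)   # reply to a Vlan 100 host
NEW_SYN_FROM_200 = Packet("tcp", "192.168.100.20", "10.10.100.5", ack=False)  # Vlan 200 host initiating
```

With the posted ACL both packets are denied, so the stateless deny entry kills the session Vlan 100 opened; with the ACK-matching entry the reply is permitted while a fresh SYN from Vlan 200 is still dropped.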