08-01-2009 04:41 AM - edited 03-06-2019 07:02 AM
Most of my users are on VLAN 12. They are your basic users (clueless and dangerous, lol). I have a sensitive network on VLAN 11 and only 2 people on 12 need access to 11. I'd like to block everyone else.
Can someone give me an idea of the ACL I would have to write to do this? These are 3560s and 3560Gs. No router in the net.
Thank you!
08-01-2009 06:44 AM
ip access-list standard VLAN12
 permit host [ip address of the host]
 permit host [ip address of the host]
!
! Apply it outbound on the VLAN 11 SVI. On an SVI, "in" filters packets that
! hosts in VLAN 11 send toward the switch; "out" filters packets the switch
! routes into VLAN 11, which is the direction the VLAN 12 -> VLAN 11 traffic
! takes (the 3560 must be doing the inter-VLAN routing, i.e. "ip routing").
interface Vlan11
 ip access-group VLAN12 out
Does Vlan11 need to reach other devices - i.e - internet?
If so, the ACL must look like:
ip access-list standard VLAN12
 permit host [ip address of the host]
 permit host [ip address of the host]
 deny [vlan 12 subnet] [wildcard mask]
 permit any
!
interface Vlan11
 ip access-group VLAN12 out
HTH,
__
Edison.
08-01-2009 07:56 AM
Yes, VLAN 11 needs access to the Net as well as VLAN 15. Both VLANs need access to my two VoIP VLANs.
Do I need to allocate for those as well?
08-01-2009 08:12 AM
My 2nd ACL will block traffic just for VLAN 12 while allowing the 2 hosts from VLAN 12 as well as the remaining subnets' incoming traffic to VLAN 11.
The order in the ACL matters, so make sure you have the 2 hosts from VLAN 12 listed first, then have a deny for the VLAN 12 subnet, and the last ACL entry will be a permit any.
HTH,
__
Edison.
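The two answers above describe a standard (source-only) ACL and stress that entry order decides the result. Below is an added example, not part of the original thread, that evaluates such an ACL the way IOS does (top-down, first match wins, implicit deny at the end) and renders the matching 3560 config. The addresses are constructed for illustration (10.0.12.0/24 for VLAN 12, two permitted hosts in it) since the thread gives none, and build_acl, evaluate and render_ios are helper names chosen here.

```python
import ipaddress

# Constructed addresses for illustration; the thread never gives real ones.
VLAN12_NET = ipaddress.ip_network("10.0.12.0/24")        # general users
ALLOWED_HOSTS = ("10.0.12.50", "10.0.12.51")             # the two permitted users
ANY = ipaddress.ip_network("0.0.0.0/0")                  # IOS "any"


def build_acl(allowed_hosts, blocked_net, permit_rest=True, deny_first=False):
    """Return a standard (source-only) ACL as an ordered list of (action, network).

    permit_rest=False is the first ACL in the thread (no 'permit any').
    deny_first=True reproduces the ordering mistake the answer warns about:
    the subnet deny placed above the host permits.
    """
    hosts = [("permit", ipaddress.ip_network(f"{h}/32")) for h in allowed_hosts]
    deny = [("deny", blocked_net)]
    acl = deny + hosts if deny_first else hosts + deny
    if permit_rest:
        acl.append(("permit", ANY))
    return acl


def evaluate(acl, src):
    """First matching entry decides; no match falls into IOS's implicit deny."""
    addr = ipaddress.ip_address(src)
    for action, net in acl:
        if addr in net:
            return action
    return "deny"


def render_ios(name, acl, svi="Vlan11"):
    """Emit the IOS lines. The ACL goes outbound on the SVI of the protected
    VLAN: on an SVI, 'out' filters packets the switch routes into that VLAN,
    which is the VLAN 12 -> VLAN 11 direction. Inter-VLAN routing on the
    3560 itself ('ip routing') is what makes the SVI ACL take effect."""
    lines = ["ip routing", f"ip access-list standard {name}"]
    for action, net in acl:
        if net == ANY:
            lines.append(f" {action} any")
        elif net.prefixlen == 32:
            lines.append(f" {action} host {net.network_address}")
        else:
            # standard ACLs take a wildcard mask (inverse of the subnet mask)
            lines.append(f" {action} {net.network_address} {net.hostmask}")
    lines += [f"interface {svi}", f" ip access-group {name} out"]
    return "\n".join(lines)


if __name__ == "__main__":
    acl = build_acl(ALLOWED_HOSTS, VLAN12_NET)
    print(render_ios("VLAN12", acl))
    for src in ("10.0.12.50", "10.0.12.77", "10.0.15.9"):
        print(src, "->", evaluate(acl, src))
    # Same entries, wrong order: the deny now shadows the two host permits.
    print("wrong order:", evaluate(build_acl(ALLOWED_HOSTS, VLAN12_NET, deny_first=True), "10.0.12.50"))
```

Two caveats the simulation makes visible: with the deny listed first the two permitted hosts are blocked along with everyone else, and without the trailing permit any the implicit deny also cuts off VLAN 15, the VoIP VLANs and Internet return traffic. A standard ACL is also stateless and source-based, so VLAN 12 hosts other than the two cannot answer connections that VLAN 11 initiates toward them either; if that is needed, an extended ACL is the tool.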