Can you please help me with the following?
I currently have this scenario: I have two VLANs with two network ranges (192.168.2.0 and 192.168.200.0):
ip address 192.168.2.3 255.255.255.0
ip access-group Sub2 in
ip address 192.168.200.3 255.255.255.0
ip access-group Sub200 in
As you can see, I have two access lists defined. Below is an example of how I'm configuring the access lists to allow communication between two hosts from the two VLANs:
On Sub2: permit ip host 192.168.2.9 host 192.168.200.124
On Sub200: permit ip host 192.168.200.124 host 192.168.2.9
So each time I want to allow communication between two hosts I need to add an entry to each of the two access lists, as shown above. Each access list is applied in the IN direction on its respective subnet.
Now the problem is as follows:
I need to add a third VLAN3 and a third subnet. My plan is to do the following, please correct me if I'm wrong:
The new network range will be 192.168.3.0/24 and the new VLAN will be called Vlan3. I will create a new access list called Sub3 and apply it in the IN direction on Vlan3.
Then if I want to allow communication between a host on Vlan2 and a host on Vlan3:
I will add to Sub3 for example:
permit ip host 192.168.3.55 host 192.168.2.124
And I will add to Sub2:
permit ip host 192.168.2.124 host 192.168.3.55
I will have to do the same if I need to allow communication between hosts on Vlan200 and Vlan3.
Can you please confirm that this is the right thing to do and if it will do the job?
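The mirrored-entry scheme described above, as an added example that is not part of the original thread: a small Python helper (my own, not the poster's configuration) that takes each allowed host pair once and derives the two inbound entries, one for each VLAN's ACL, and an audit function that lists entries whose reverse entry is missing. It assumes the ACL names and subnets from the question (Sub2, Sub200 and the planned Sub3 for 192.168.3.0/24) and the `ip access-list extended` syntax; a one-way entry still ends at the other VLAN's implicit deny, which is the failure the audit catches.

```python
import ipaddress
import re

# Constructed from the question: inbound ACL name -> subnet it is applied on
# (Sub3 / 192.168.3.0/24 is the VLAN being added).
VLAN_SUBNETS = {
    "Sub2": ipaddress.ip_network("192.168.2.0/24"),
    "Sub200": ipaddress.ip_network("192.168.200.0/24"),
    "Sub3": ipaddress.ip_network("192.168.3.0/24"),
}
ENTRY = re.compile(r"permit ip host (\S+) host (\S+)")


def acl_for(host):
    """Name of the inbound ACL on the VLAN whose subnet contains host, or None."""
    addr = ipaddress.ip_address(host)
    for name, net in VLAN_SUBNETS.items():
        if addr in net:
            return name
    return None


def mirrored_entries(pairs):
    """Expand each allowed (a, b) host pair into the two inbound entries the
    scheme needs: a->b on a's VLAN ACL and b->a on b's VLAN ACL. A same-VLAN
    pair needs nothing, since that traffic never enters the SVI."""
    acls = {name: [] for name in VLAN_SUBNETS}
    for a, b in pairs:
        acl_a, acl_b = acl_for(a), acl_for(b)
        if acl_a is None or acl_b is None:
            raise ValueError(f"{a} or {b} is in no known VLAN subnet")
        if acl_a != acl_b:
            acls[acl_a].append(f"permit ip host {a} host {b}")
            acls[acl_b].append(f"permit ip host {b} host {a}")
    return acls


def missing_mirrors(acls):
    """Audit existing ACLs: (acl, entry) pairs whose reverse entry is absent,
    i.e. flows permitted one way but dropped by the other VLAN's implicit deny."""
    have = set()
    for name, entries in acls.items():
        for e in entries:
            m = ENTRY.fullmatch(e.strip())
            if m:
                have.add((name, m.group(1), m.group(2)))
    return sorted((name, f"permit ip host {src} host {dst}")
                  for name, src, dst in have
                  if acl_for(dst) is not None          # remote end is one of our VLANs
                  and (acl_for(dst), dst, src) not in have)
```

Printing the dict from `mirrored_entries` under an `ip access-list extended <name>` header gives the paste-ready configuration.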
"Do you believe that this can be done in an 'easier' way?"
Not really, no. As Peter says, you could use reflexive ACLs or even CBAC, which is an IOS firewall (although it may not be supported on your device), which would allow you to maintain just one ACL, but even then you are still having to do specific src/dst entries.
Edit - if you do find that this becomes unmanageable because of the number of entries, then you may want to question whether you have the right devices on the right VLANs, i.e. would moving certain devices into one of the other VLANs negate the need for so many ACL entries.