Can you help me with this ( vlan,accesslist,management )

Unanswered Question
Feb 14th, 2014

[Attached image: vlan setup.png]

Here's the scenario: I have two VLANs, 10 & 20.

I have 2 switches and 1 router.

The target of this setup is that VLAN 10 can ping or reach VLAN 20, but VLAN 20 cannot reach or ping VLAN 10. Is that possible?



Here's the setup


In SW0

vlan 10
 name Management
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 switchport trunk allowed vlan 10
 switchport mode trunk

In SW1

interface FastEthernet0/1
 switchport trunk allowed vlan 20
 switchport mode trunk
!
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 20
 switchport mode access

In Router

interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group 1 out
!
interface FastEthernet0/0.20
 no ip address
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group 1 out
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
access-list 1 deny 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 deny host 192.168.20.11
access-list 1 permit host 192.168.10.11
access-list 1 deny any
access-list 1 permit any






I'm new, so I don't know if my setup is correct ...

Can anyone help me with this?




thanks.

cadet alain Sat, 02/15/2014 - 04:18

Hi,

Let's suppose PC0 (Vlan 10) wants to communicate with PC1 (Vlan 20):

- traffic enters f0/0.10 with src 10.11 and dst 20.11 and is forwarded out f0/1.20, where there is an egress ACL

- this is a standard ACL, so it matches on source only, and there is a hit on the second entry, permit 192.168.10.0 0.0.0.255

- now PC1 replies and traffic enters f0/1.20 and is forwarded out f0/0.10, where there is an egress ACL

- there is a hit on the first entry, deny 192.168.20.0 0.0.0.255 (packet src is 20.11 and dst 10.11)

So the end result is that Vlan 10 cannot reach Vlan 20.

I don't think this is what you wanted.

Now of course traffic sourced from any PC in Vlan 20 destined to PC0 is filtered as you wanted, because it is filtered on f0/0.10 outbound as above.

ACLs are stateless and communication in TCP/IP is bidirectional, so the best way to achieve what you want, if you want to filter more than pings, would be to use CBAC, ZBF or reflexive ACLs.


Regards


Alain



Don't forget to rate helpful posts.
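The walkthrough above, as an added Python model that is not code from this thread or from Cisco IOS: it evaluates the asker's standard ACL 1 on the egress sub-interface of each packet (top-down, first match wins, source address only, no flow state), so the echo request and the echo reply are judged independently. The ACL entries, sub-interface names and subnets are taken from the posted config; the route lookup and the packet simulation are assumptions of the model.

```python
import ipaddress

# The asker's "access-list 1", in order. IOS evaluates top-down, first match wins,
# and a *standard* ACL matches on the source address only.
ACL_1 = [
    ("deny", "192.168.20.0/24"),
    ("permit", "192.168.10.0/24"),
    ("deny", "192.168.20.11/32"),    # shadowed by entry 1, never reached
    ("permit", "192.168.10.11/32"),  # shadowed by entry 2, never reached
    ("deny", "0.0.0.0/0"),
    ("permit", "0.0.0.0/0"),         # shadowed by "deny any", never reached
]
# Router sub-interface each destination subnet is forwarded out of (modeled from the config).
ROUTES = {"192.168.10.0/24": "f0/0.10", "192.168.20.0/24": "f0/1.20"}
# Both sub-interfaces carry "ip access-group 1 out".
EGRESS_ACL = {"f0/0.10": ACL_1, "f0/1.20": ACL_1}

def standard_acl_verdict(acl, src):
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    src_ip = ipaddress.ip_address(src)
    for index, (action, prefix) in enumerate(acl):
        if src_ip in ipaddress.ip_network(prefix):
            return action, index
    return "deny", None

def egress_interface(dst):
    dst_ip = ipaddress.ip_address(dst)
    for prefix, ifname in ROUTES.items():
        if dst_ip in ipaddress.ip_network(prefix):
            return ifname
    raise ValueError(f"no route to {dst}")

def forward(src, dst):
    """Stateless: the egress ACL sees one packet, with no memory of the flow."""
    ifname = egress_interface(dst)
    action, _ = standard_acl_verdict(EGRESS_ACL[ifname], src)
    return ifname, action

def ping_exchange(client, server):
    """Echo request and echo reply are filtered independently, as in Alain's trace."""
    out_if, request = forward(client, server)
    back_if, reply = forward(server, client)
    return {"request": (out_if, request), "reply": (back_if, reply),
            "reachable": request == "permit" and reply == "permit"}

if __name__ == "__main__":
    print(ping_exchange("192.168.10.11", "192.168.20.11"))  # reply denied on f0/0.10
    print(ping_exchange("192.168.20.11", "192.168.10.11"))  # request denied on f0/0.10
```

Neither direction ends up "reachable", which is the symptom a stateful mechanism such as a reflexive ACL, CBAC or ZBF is designed to avoid: the return packet of a permitted session is admitted because the session was seen, not because of its own source address.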
