Solved: Access-list Doubt

wajid dabir · ‎01-13-2014

Hi,

my core switch have total no.of 12 vlans from vlan 1 -12.ip range 192.168.1.0 -192.168.12.0/252

my requirement is all vlan only communicate with VLAN 1 , not with each other.

Can someone guide me to configure ACL for this scenarioa.

John Blakley · ‎01-13-2014

If your switch supports vrf, you'd be better going with that. If not, you'll need an acl for every vlan svi. That's going to be very hard to maintain.

ip access-list ext 102

permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

deny ip any any

int vlan 2

ip access-group 102 in

ip access-list ext 103

permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

deny ip any any

int vlan 2

ip access-group 103 in

Etc...

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***

View solution in original post

John Blakley · ‎01-13-2014

If your switch supports vrf, you'd be better going with that. If not, you'll need an acl for every vlan svi. That's going to be very hard to maintain.

ip access-list ext 102

permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

deny ip any any

int vlan 2

ip access-group 102 in

ip access-list ext 103

permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

deny ip any any

int vlan 2

ip access-group 103 in

Etc...

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***

Jon Marshall · ‎01-13-2014

Wajid

192.168.1.0 -192.168.12.0/252

the /252 makes no sense. What is the actual range in use ?

Are there any other 192.168.x.0/24 networks that should be allowed access between each other ?

Jon