Community Member

ACLs to protect VLAN

Most of my users are on VLAN12. They are your basic users (clueless and dangerous, lol). I have a sensitive network on VLAN11 and only 2 people on 12 need access to 11. I'd like to block everyone else.

Can someone give me an idea of the ACL I would have to write to do this? These are 3560s and 3560Gs. No router in the net.

Thank you!

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Bronze

Re: ACLs to protect VLAN

My 2nd ACL will block traffic just for Vlan12, while allowing the 2 hosts from Vlan12, as well as the remaining subnets, incoming traffic to Vlan11.

The order in the ACL matters, so make sure you have the 2 hosts from Vlan12 listed first, then a deny for the entire Vlan12 subnet, and the last ACL entry will be a permit any.

HTH,

__

Edison.

3 REPLIES
Hall of Fame Super Bronze

Re: ACLs to protect VLAN

ip access-list standard VLAN12
 remark the two Vlan12 users allowed into Vlan11; every other source hits the implicit deny
 permit host [ip address of the host]
 permit host [ip address of the host]
!
! applied outbound on the Vlan11 SVI, i.e. to packets being routed toward Vlan11 hosts
interface vlan 11
 ip access-group VLAN12 out

Does Vlan11 need to reach other devices, i.e. the Internet?

If so, the ACL must look like this:

ip access-list standard VLAN12
 remark order matters: the two permitted Vlan12 hosts must come before the subnet deny
 permit host [ip address of the host]
 permit host [ip address of the host]
 remark standard ACL entries need a wildcard mask, e.g. 0.0.0.255 for a /24
 deny [vlan 12 subnet] [vlan 12 wildcard mask]
 remark everything else (other VLANs, Internet return traffic) is still allowed
 permit any

HTH,

__

Edison.

Community Member

Re: ACLs to protect VLAN

Yes, VLAN 11 needs access to the Net as well as VLAN 15. Both VLANs need access to my two VoIP VLANs.

Do I need to allocate for those as well?

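As an added illustration (not from the thread or from Cisco), the following Python evaluator applies IOS standard-ACL semantics, first match wins and anything unmatched is implicitly denied, to Edison's two ACLs using constructed addresses: 10.0.12.0/24 for VLAN 12, the two permitted hosts .10 and .11, and 10.0.15.7 standing in for a VLAN 15 host. It also shows why the order matters: with the subnet deny placed before the host permits, the two hosts are blocked too.

```python
import ipaddress

def _i(a):
    """Dotted-quad IPv4 string -> 32-bit int."""
    return int(ipaddress.IPv4Address(a))

def ace(action, address, wildcard="0.0.0.0"):
    """One standard-ACL entry, 'permit|deny <address> [wildcard]'. No wildcard = single host."""
    assert action in ("permit", "deny")
    return (action, _i(address), _i(wildcard))

def evaluate(acl, source):
    """First-match evaluation of a standard ACL as IOS does it: a source matches an
    entry when every bit that is 0 in the wildcard mask is equal in the entry address
    and the source. No match means the implicit deny at the end of the list."""
    src = _i(source)
    for action, addr, wildcard in acl:
        if (src ^ addr) & ~wildcard & 0xFFFFFFFF == 0:
            return action
    return "deny"   # implicit deny

# Constructed addressing for the scenario (not from the thread)
HOST_A, HOST_B = "10.0.12.10", "10.0.12.11"     # the two VLAN 12 users allowed in

# Edison's first ACL: only the two hosts; everything else hits the implicit deny,
# including VLAN 15 and Internet traffic headed for VLAN 11
FIRST_ACL = [ace("permit", HOST_A), ace("permit", HOST_B)]

# Edison's second ACL: hosts first, then deny the rest of VLAN 12, then permit any
SECOND_ACL = [
    ace("permit", HOST_A),
    ace("permit", HOST_B),
    ace("deny", "10.0.12.0", "0.0.0.255"),          # deny <vlan 12 subnet> <wildcard>
    ace("permit", "0.0.0.0", "255.255.255.255"),    # 'permit any'
]

# The same entries in the wrong order: the subnet deny now shadows the host permits
MISORDERED_ACL = [SECOND_ACL[2], SECOND_ACL[0], SECOND_ACL[1], SECOND_ACL[3]]

def decisions(acl, sources):
    """Map each source address to the ACL's permit/deny decision."""
    return {s: evaluate(acl, s) for s in sources}

SAMPLE = [HOST_A, "10.0.12.50", "10.0.15.7", "8.8.8.8"]

if __name__ == "__main__":
    for name, acl in [("first", FIRST_ACL), ("second", SECOND_ACL), ("misordered", MISORDERED_ACL)]:
        print(name, decisions(acl, SAMPLE))
```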
