02-14-2014 06:52 PM - edited 03-07-2019 06:13 PM
Here's the scenario: I have two VLANs, 10 & 20.
I have 2 switches and 1 router.
The target of this setup is that VLAN 10 can ping or reach VLAN 20, but VLAN 20 cannot reach or ping VLAN 10. Is that possible?
Here's the setup:

In SW0:
vlan 10
 name Management
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 switchport trunk allowed vlan 10
 switchport mode trunk

In SW1:
interface FastEthernet0/1
 switchport trunk allowed vlan 20
 switchport mode trunk
!
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 20
 switchport mode access

In Router:
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group 1 out
!
interface FastEthernet0/0.20
 no ip address
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group 1 out
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
!
access-list 1 deny 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 deny host 192.168.20.11
access-list 1 permit host 192.168.10.11
access-list 1 deny any
access-list 1 permit any
I'm new, so I don't know if my setup is correct ...
Can anyone help me with this?
Thanks.
02-15-2014 04:18 AM
Hi,
Let's suppose PC0 (VLAN 10) wants to communicate with PC1 (VLAN 20):
- traffic enters f0/0.10 with src 10.11 and dst 20.11 and is forwarded out f0/1.20, where there is an egress ACL
- this is a standard ACL, so it matches on source only, and there is a hit on the second entry, permit 192.168.10.0 0.0.0.255
- now PC1 replies and traffic enters f0/1.20 and is forwarded out f0/0.10, where there is an egress ACL
- there is a hit on the first entry, deny 192.168.20.0 0.0.0.255 (packet src is 20.11 and dst 10.11)
So the end result is that VLAN 10 cannot reach VLAN 20.
I don't think this is what you wanted.
Now of course traffic sourced from any PC in VLAN 20 destined to PC0 is filtered as you wanted, because it is filtered on f0/0.10 outbound as above.
ACLs are stateless and communication in TCP/IP is bidirectional, so the best way to achieve what you want, if you want to filter more than pings, would be to use CBAC, ZBF or reflexive ACLs.
Regards
Alain
Don't forget to rate helpful posts.
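As an added example (not the original poster's configuration and not part of Alain's reply), here is the reflexive-ACL variant he mentions, applied to the same router and subnets: the stateless standard ACL 1 is removed from both sub-interfaces, and the ACL names OUTBOUND_TO_VLAN20, INBOUND_FROM_VLAN20 and the reflexive list name VLAN10_SESSIONS are assumed.

```cisco
! Added example: reflexive ACL on the VLAN 20 sub-interface (names are assumed)
! First remove the stateless standard ACL from both sub-interfaces
interface FastEthernet0/0.10
 no ip access-group 1 out
interface FastEthernet0/1.20
 no ip access-group 1 out
!
! Sessions initiated from VLAN 10 toward VLAN 20 are permitted and recorded
! in the temporary list VLAN10_SESSIONS (mirror entry with src/dst swapped)
ip access-list extended OUTBOUND_TO_VLAN20
 permit icmp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 reflect VLAN10_SESSIONS
 permit tcp  192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 reflect VLAN10_SESSIONS
 permit udp  192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 reflect VLAN10_SESSIONS
 deny   ip any any
!
! Traffic arriving from VLAN 20 is allowed only if it matches a recorded
! session; anything VLAN 20 initiates on its own (including pings to
! VLAN 10) falls through to the deny and is logged
ip access-list extended INBOUND_FROM_VLAN20
 evaluate VLAN10_SESSIONS
 deny   ip any any log
!
interface FastEthernet0/1.20
 ip access-group OUTBOUND_TO_VLAN20 out
 ip access-group INBOUND_FROM_VLAN20 in
!
! Reflexive entries expire after 300 s of idleness by default; shorten it
ip reflexive-list timeout 120
```

Note that the inbound deny also drops VLAN 20 traffic to the router's own 192.168.20.1 and to any other network, so add explicit permits before the evaluate line if hosts in VLAN 20 still need, for example, to ping their gateway.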