Cisco Support Community

Can you help me with this ( vlan,accesslist,management )

vlan setup.png

Here's the scenario: I have two VLANs, 10 & 20.

I have 2 switches and 1 router.

The target of this setup is that VLAN 10 can ping or reach VLAN 20, but VLAN 20 cannot reach or ping VLAN 10. Is that possible?

Here's the setup

In SW0:

vlan 10
 name Management
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
interface FastEthernet0/2
 switchport trunk allowed vlan 10
 switchport mode trunk

In SW1:

interface FastEthernet0/1
 switchport trunk allowed vlan 20
 switchport mode trunk
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode access
interface FastEthernet0/3
 switchport access vlan 20
 switchport mode access

In Router:

interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group 1 out
!
interface FastEthernet0/0.20
 no ip address
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group 1 out
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
access-list 1 deny 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 deny host 192.168.20.11
access-list 1 permit host 192.168.10.11
access-list 1 deny any
access-list 1 permit any

I'm new, so I don't know if my setup is correct...

Can anyone help me with this?

Thanks.

1 REPLY

Hi,

Let's suppose PC0 (VLAN 10) wants to communicate with PC1 (VLAN 20):

- Traffic enters f0/0.10 with src 10.11 and dst 20.11 and is forwarded out f0/1.20, where there is an egress ACL.

- This is a standard ACL, so it matches on source only, and there is a hit on the second entry, permit 192.168.10.0 0.0.0.255.

- Now PC1 replies: traffic enters f0/1.20 and is forwarded out f0/0.10, where there is an egress ACL.

- There is a hit on the first entry, deny 192.168.20.0 0.0.0.255 (packet src is 20.11 and dst 10.11).

So the end result is that VLAN 10 cannot reach VLAN 20.

I don't think this is what you wanted.

Now, of course, traffic sourced from any PC in VLAN 20 destined to PC0 is filtered as you wanted, because it is filtered on f0/0.10 outbound as above.

ACLs are stateless and communication in TCP/IP is bidirectional, so the best way to achieve what you want, if you want to filter more than pings, would be to use CBAC, ZBF or reflexive ACLs.

Regards

Alain

Don't forget to rate helpful posts.
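As an added example (not part of the original thread and not Alain's or Cisco's code), here is a small Python model of access-list 1 from the question under the rules Alain describes: a standard ACL matches on source address only, the first matching entry wins, and an implicit deny sits at the end. It traces the two packets from his walkthrough, flags entries in access-list 1 that can never be hit, and contrasts the stateless result with a minimal stateful filter of the kind reflexive ACLs, CBAC or ZBF provide. The subinterface names, addresses and ACL come from the question; the session-table model is a deliberate simplification and is an assumption of this example, not how IOS implements those features.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Added example: a model of a Cisco standard numbered ACL (source-address match,
# first match wins, implicit deny at the end) applied outbound on the two router
# subinterfaces from the question.  Not IOS code.


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    network: IPv4Address   # address part of the entry
    wildcard: IPv4Address  # wildcard mask: 0 bits must match, 1 bits are don't-care

    @property
    def mask(self) -> int:
        return 0xFFFFFFFF ^ int(self.wildcard)

    def matches(self, src: IPv4Address) -> bool:
        return (int(src) & self.mask) == (int(self.network) & self.mask)


def ace(action: str, net: str, wildcard: str = "0.0.0.0") -> Ace:
    """'host X' is X with wildcard 0.0.0.0; 'any' is 0.0.0.0 with wildcard 255.255.255.255."""
    return Ace(action, IPv4Address(net), IPv4Address(wildcard))


# access-list 1 from the question, in the order the router evaluates it.
ACL_1 = [
    ace("deny", "192.168.20.0", "0.0.0.255"),
    ace("permit", "192.168.10.0", "0.0.0.255"),
    ace("deny", "192.168.20.11"),
    ace("permit", "192.168.10.11"),
    ace("deny", "0.0.0.0", "255.255.255.255"),
    ace("permit", "0.0.0.0", "255.255.255.255"),
]

# Subinterfaces from the router config, each configured with "ip access-group 1 out".
SUBINTERFACES = {
    "FastEthernet0/0.10": IPv4Network("192.168.10.0/24"),
    "FastEthernet0/1.20": IPv4Network("192.168.20.0/24"),
}
OUTBOUND_ACL = {name: ACL_1 for name in SUBINTERFACES}


def standard_acl(acl, src):
    """Return (action, index) of the first matching entry; ("deny", None) is the implicit deny."""
    src = IPv4Address(src)
    for i, entry in enumerate(acl):
        if entry.matches(src):
            return entry.action, i
    return "deny", None


def shadowed_entries(acl):
    """Indices of entries that can never be hit because one earlier entry already
    covers every source address they would match."""
    shadowed = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            # earlier covers later if every bit earlier constrains is also constrained by
            # later, and the two agree on those bits
            covers = (earlier.mask & ~later.mask) == 0 and \
                     (int(earlier.network) & earlier.mask) == (int(later.network) & earlier.mask)
            if covers:
                shadowed.append(j)
                break
    return shadowed


def forward(src, dst):
    """Stateless decision: route on destination, then apply that subinterface's egress ACL to the source."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    for name, net in SUBINTERFACES.items():
        if dst in net:
            action, _ = standard_acl(OUTBOUND_ACL[name], src)
            return name, action
    return None, "deny"


class StatefulFilter:
    """Simplified model (an assumption of this example) of what reflexive ACLs, CBAC or ZBF add:
    VLAN 10 may open sessions, and VLAN 20 traffic passes only as a reply to one of them.
    Real implementations also key on protocol and ports and age entries out; this keys on
    addresses alone to keep the example short."""

    def __init__(self):
        self.sessions = set()

    def forward(self, src, dst):
        src, dst = IPv4Address(src), IPv4Address(dst)
        if src in SUBINTERFACES["FastEthernet0/0.10"]:   # initiated from VLAN 10
            self.sessions.add((src, dst))
            return "permit"
        if (dst, src) in self.sessions:                  # reply to an open session
            return "permit"
        return "deny"                                    # VLAN 20 may not initiate


if __name__ == "__main__":
    print("PC0 -> PC1:", forward("192.168.10.11", "192.168.20.11"))        # f0/1.20, permit
    print("PC1 -> PC0 reply:", forward("192.168.20.11", "192.168.10.11"))  # f0/0.10, deny
    print("entries never hit:", shadowed_entries(ACL_1))                   # [2, 3, 5]
    f = StatefulFilter()
    print("stateful, VLAN 20 initiates:", f.forward("192.168.20.11", "192.168.10.11"))
    print("stateful, VLAN 10 initiates:", f.forward("192.168.10.11", "192.168.20.11"))
    print("stateful, reply to VLAN 10:", f.forward("192.168.20.11", "192.168.10.11"))
```

The stateless trace reproduces Alain's result: the forward packet is permitted on f0/1.20 but the reply is denied on f0/0.10, so the ping never completes. The shadow check also shows that the last four lines of access-list 1 are dead: the two host entries are covered by the network entries above them, and permit any can never be reached after deny any.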