11-11-2013 05:38 AM - edited 03-07-2019 04:32 PM
Hi,
I created 3 VLANs on the router. It is working well right now.
I have a question: how do I write an access list so that:
1. VLAN 300 can't see VLAN 200 but can see VLAN 100?
Below is my config:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1.1
description $ETH-LAN$
encapsulation dot1Q 200
ip address 172.27.100.254 255.255.0.0
ip access-group sdm_fastethernet0/1.2_in in
no snmp trap link-status
!
interface FastEthernet0/1.2
description $ETH-LAN$
encapsulation dot1Q 100 native
ip address 172.7.100.254 255.255.0.0
no snmp trap link-status
!
interface FastEthernet0/1.3
description VLAN for Naraya
encapsulation dot1Q 300
ip address 172.47.100.254 255.255.0.0
no snmp trap link-status
!
interface Serial0/1/0
bandwidth 128
ip address 172.16.1.2 255.255.255.0
no fair-queue
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.27.17.100
ip route 172.5.0.0 255.255.0.0 172.16.1.1
!
ip access-list extended sdm_fastethernet0/1.1_in
---> what should I put here
ip access-list extended sdm_fastethernet0/1.2_in
---> what should I put here
ip access-list extended sdm_fastethernet0/1.3_in
---> what should I put here
11-11-2013 06:01 AM
deny ip 172.47.0.0 0.0.255.255 any
permit ip any any
Apply to VLAN 200 in the outgoing direction.
11-11-2013 10:09 AM
Hi,
ip access-list extended no-vlan200
deny ip 172.147.100.0 0.0.0.255 172.27.100.0 0.0.0.255
permit ip 172.147.100.0 0.0.0.255 any
int f0/1.3
ip access-group no-vlan200 in
Regards
Alain
Don't forget to rate helpful posts.
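
The replies above depend on two IOS ACL behaviours: entries are checked top-down with an implicit deny at the end, and the wildcard mask decides which hosts an entry covers. The Python model below is an added example, not code from the thread; it uses the /16 subnets from the posted interface config, and the ACL entries, helper names and test addresses are constructed for illustration.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def matches(addr, net, wildcard):
    # Wildcard bits set to 1 are "don't care"; every other bit must equal the entry's address.
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(net) & care)

ANY = ("0.0.0.0", "255.255.255.255")

def evaluate(acl, src, dst):
    """Return the action of the first matching entry; no match means implicit deny."""
    for action, (snet, swild), (dnet, dwild) in acl:
        if matches(src, snet, swild) and matches(dst, dnet, dwild):
            return action
    return "deny"  # the implicit "deny ip any any" that ends every ACL

# Subnets taken from the interface addresses in the posted config (all /16).
VLAN200 = ("172.27.0.0", "0.0.255.255")   # Fa0/1.1
VLAN300 = ("172.47.0.0", "0.0.255.255")   # Fa0/1.3

# Constructed ACL for inbound use on Fa0/1.3: block VLAN 300 -> VLAN 200 only.
ACL_WIDE = [
    ("deny",   VLAN300, VLAN200),
    ("permit", VLAN300, ANY),
]

# Constructed variant with a /24-sized wildcard: covers only hosts x.x.100.0-255.
ACL_NARROW = [
    ("deny",   ("172.47.100.0", "0.0.0.255"), ("172.27.100.0", "0.0.0.255")),
    ("permit", ("172.47.100.0", "0.0.0.255"), ANY),
]

if __name__ == "__main__":
    flows = [("172.47.100.10", "172.27.100.20"),  # VLAN 300 -> VLAN 200
             ("172.47.100.10", "172.7.100.20"),   # VLAN 300 -> VLAN 100
             ("172.47.100.10", "172.27.5.20"),    # VLAN 200 host outside .100.x
             ("172.47.5.10", "172.7.100.20")]     # VLAN 300 host outside .100.x
    for name, acl in (("wide", ACL_WIDE), ("narrow", ACL_NARROW)):
        for src, dst in flows:
            print(name, src, "->", dst, evaluate(acl, src, dst))
```

With the /24-sized wildcard, a VLAN 300 host outside 172.47.100.x falls through to the implicit deny, and VLAN 200 hosts outside 172.27.100.x stay reachable, so the wildcard has to match the interface's actual mask.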