11-11-2013 05:38 AM - edited 03-07-2019 04:32 PM
Hi,
I created 3 VLANs in the router. It is working well right now.
I have a question: how do I set up an access list so that:
1. VLAN 300 can't see VLAN 200 but can see VLAN 100?
Below is my config:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1.1
description $ETH-LAN$
encapsulation dot1Q 200
ip address 172.27.100.254 255.255.0.0
ip access-group sdm_fastethernet0/1.2_in in
no snmp trap link-status
!
interface FastEthernet0/1.2
description $ETH-LAN$
encapsulation dot1Q 100 native
ip address 172.7.100.254 255.255.0.0
no snmp trap link-status
!
interface FastEthernet0/1.3
description VLAN for Naraya
encapsulation dot1Q 300
ip address 172.47.100.254 255.255.0.0
no snmp trap link-status
!
interface Serial0/1/0
bandwidth 128
ip address 172.16.1.2 255.255.255.0
no fair-queue
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.27.17.100
ip route 172.5.0.0 255.255.0.0 172.16.1.1
!
ip access-list extended sdm_fastethernet0/1.1_in
---> what should I put here
ip access-list extended sdm_fastethernet0/1.2_in
---> what should I put here
ip access-list extended sdm_fastethernet0/1.3_in
---> what should I put here
11-11-2013 06:01 AM
deny ip 172.47.0.0 0.0.255.255 any
permit ip any any
Apply to vlan 200 outgoing direction.
11-11-2013 10:09 AM
Hi,
ip access-list extended no-vlan200
deny ip 172.47.100.0 0.0.0.255 172.27.100.0 0.0.0.255
permit ip 172.47.100.0 0.0.0.255 any
int f0/1.3
ip access-group no-vlan200 in
Regards
Alain
Don't forget to rate helpful posts.
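Added example (not part of any post in this thread): a small Python model of how an IOS extended ACL is evaluated, first match wins with an implicit deny at the end, run against the /16 subnets from the posted config. The ACL lists `WIDE` and `NARROW`, the parser and the probe addresses are constructed for illustration; only `permit|deny ip` entries with `any` or address/wildcard pairs are handled.

```python
import ipaddress

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def parse_ace(line):
    """Parse '<permit|deny> ip <src> <dst>'; src/dst is 'any' or 'addr wildcard'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    fields, rest = [], tok[2:]
    while rest:
        if rest[0] == "any":
            fields.append((0, 0xFFFFFFFF))      # every bit is "don't care"
            rest = rest[1:]
        elif len(rest) >= 2:
            fields.append((ip_int(rest[0]), ip_int(rest[1])))
            rest = rest[2:]
        else:
            raise ValueError(f"address without wildcard: {line!r}")
    if len(fields) != 2:
        raise ValueError(f"expected source and destination: {line!r}")
    return tok[0], fields[0], fields[1]

def matches(addr, field):
    base, wildcard = field
    care = ~wildcard & 0xFFFFFFFF               # wildcard bit 0 = must match
    return (ip_int(addr) & care) == (base & care)

def evaluate(acl, src, dst):
    """Return the action of the first matching entry, else the implicit deny."""
    for line in acl:
        action, src_field, dst_field = parse_ace(line)
        if matches(src, src_field) and matches(dst, dst_field):
            return action
    return "deny"

# Constructed ACLs for inbound traffic on FastEthernet0/1.3 (VLAN 300, 172.47.0.0/16).
WIDE = ["deny ip 172.47.0.0 0.0.255.255 172.27.0.0 0.0.255.255",
        "permit ip 172.47.0.0 0.0.255.255 any"]
# Same shape with /24 wildcards, narrower than the /16 interface masks.
NARROW = ["deny ip 172.47.100.0 0.0.0.255 172.27.100.0 0.0.0.255",
          "permit ip 172.47.100.0 0.0.0.255 any"]

if __name__ == "__main__":
    probes = [("172.47.100.10", "172.27.100.20"), ("172.47.100.10", "172.7.100.20"),
              ("172.47.100.10", "172.27.5.5"), ("172.47.5.9", "172.7.100.20")]
    for src, dst in probes:
        print(src, "->", dst, "wide:", evaluate(WIDE, src, dst),
              "narrow:", evaluate(NARROW, src, dst))
```

With the /24 wildcards, a VLAN 300 host can still reach VLAN 200 addresses outside 172.27.100.x, and VLAN 300 hosts outside 172.47.100.x are dropped by the implicit deny.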