
how to use ACL to control VLAN traffic ?

dannan lin
Level 1

hi:

i have a question here.

how do i use ACL to limit access between different vlans.

[Attached image: 未命名.jpg]

from above picture, there are two vlans - vlan 10 and vlan 20, both are connected to a router via a switch. their addresses are assigned by dhcp.

so far vlan 10 and vlan 20 can ping each other.

1. what if i do not want pc from vlan 10 to access pc from vlan 20

2. while vlan 20 can access vlan 10 

3. and remain dhcp function.

assuming pc1 from vlan 10 is 1.1.1.1

and pc2 from vlan 20 is 2.2.2.2

please help.

thanks in advance

2 Replies

johnlloyd_13
Level 9

hi dannan,

Router#sh ip int bri
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        unassigned      YES unset  up                    up
FastEthernet0/0.10     1.1.1.254       YES manual up                    up
FastEthernet0/0.20     2.2.2.254       YES manual up                    up
FastEthernet0/1        unassigned      YES unset  administratively down down
Vlan1                  unassigned      YES unset  administratively down down

Router(config)#access-list 1 deny 1.1.1.0 0.0.0.255
Router(config)#access-list 1 permit any
Router(config)#int f0/0.10
Router(config-subif)#ip access-group 1 out

thanks, it worked.

i know what you did is to limit any outgoing traffic.

Router(config)#int f0/0.10
Router(config-subif)#ip access-group 1 out

but i want to know why i can't use

Router(config)#access-list 1 deny 2.2.2.0 0.0.0.255
Router(config)#access-list 1 permit any
Router(config)#int f0/0.10
Router(config-subif)#ip access-group 1 in

if i want to block incoming traffic from 2.2.2.254

thanks
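
Added example (not part of the original thread, and not Cisco code): a small Python model of how a router evaluates a standard ACL, run against the ACL from the follow-up question bound `in` and then `out` on f0/0.10. The /24 subnets are assumed from the 0.0.0.255 wildcard, and the helper names are hypothetical.

```python
import ipaddress

# Subinterface subnets from the thread; the /24 size is assumed from the 0.0.0.255 wildcard.
SUBIFS = {"Fa0/0.10": ipaddress.ip_network("1.1.1.0/24"),
          "Fa0/0.20": ipaddress.ip_network("2.2.2.0/24")}
ANY = ("0.0.0.0", "255.255.255.255")

# access-list 1 as written in the follow-up question
ACL_1 = [("deny", "2.2.2.0", "0.0.0.255"), ("permit", *ANY)]

def wildcard_match(addr, base, wildcard):
    """Bits set in the wildcard mask are ignored; all other bits must be equal."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def acl_permits(acl, src):
    """Standard ACL: first entry matching the SOURCE address wins; implicit deny at the end."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action == "permit"
    return False

def subif_for(ip):
    """Subinterface whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SUBIFS.items() if addr in net), None)

def routed(src, dst, bindings):
    """True if a routed packet passes the 'in' ACL on its ingress subinterface
    and the 'out' ACL on its egress subinterface (no ACL bound means permit)."""
    for key in ((subif_for(src), "in"), (subif_for(dst), "out")):
        acl = bindings.get(key)
        if acl is not None and not acl_permits(acl, src):
            return False
    return True

def report(bindings):
    """Result for one packet in each direction between pc1 and pc2."""
    return {"pc1->pc2": routed("1.1.1.1", "2.2.2.2", bindings),
            "pc2->pc1": routed("2.2.2.2", "1.1.1.1", bindings)}

if __name__ == "__main__":
    print("in  on f0/0.10:", report({("Fa0/0.10", "in"): ACL_1}))
    print("out on f0/0.10:", report({("Fa0/0.10", "out"): ACL_1}))
    # A DHCPDISCOVER arrives with source 0.0.0.0 and is matched by "permit any".
    print("DHCP discover permitted:", acl_permits(ACL_1, "0.0.0.0"))
```

Bound `in` on f0/0.10 the deny line never matches, because packets arriving on that subinterface carry VLAN 10 source addresses. Bound `out` it drops every packet sourced from 2.2.2.0/24, requests and replies alike, since a standard ACL looks only at the source address.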
