Isolating VLANS

We have IP Routing enabled on our Cisco 4948.  External access travels through VLAN 100.  We wish to prevent access to our other two internal VLANs, which are VLAN 10 and VLAN 20.  I have attempted to ISOLATE VLAN 10 and VLAN 20 from VLAN 100.  Below is a portion of our configuration and my access-lists.  Will this configuration prevent access to VLAN 10 or VLAN 20 from VLAN 100?

Thank you,

~~~~~~~~~~~~~~~~~~~~~

!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description Alpha_VLAN
 ip address 172.17.20.46 255.255.255.0
 ip pim sparse-dense-mode
 no ip unreachables
 no ip proxy-arp
 ip access-group 103 in
 no shutdown
!
interface Vlan20
 description BETA_VLAN
 ip address 192.168.41.254 255.255.255.0
 ip pim sparse-dense-mode
 no ip unreachables
 no ip proxy-arp
 ip access-group 104 in
 no shutdown
!
interface Vlan100
 description DELTA_VLAN
 ip address 192.168.50.254 255.255.255.0
 no ip unreachables
 no ip proxy-arp
 no shutdown
!
router eigrp 102
 no auto-summary
 network 10.0.0.0
 network 172.17.0.0
 network 192.168.41.0
 network 192.168.50.0
!
access-list 103 permit ip host 172.17.20.43 any
access-list 103 deny ip 172.17.20.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 103 permit ip any any
!
access-list 104 permit ip host 172.17.20.43 any
access-list 104 deny ip 192.168.41.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 104 permit ip any any
!
ip local policy route-map NO_TRACEROUTE
no ip http server
no ip http secure-server
!
ip pim send-rp-announce Loopback0 scope 3
ip pim send-rp-discovery Loopback0 scope 3
!
ip access-list extended NO_TRACEROUTE
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
!
no cdp advertise-v2
no cdp run
!
control-plane

Accepted Solution
Cisco Employee

Re: Isolating VLANS

Hello,

You do not need the "access-list 104 permit ip host 172.17.20.43 any" line. Other than that, it should work.

Regards,

NT
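To see which direction these ACLs actually enforce, here is an added Python model of Cisco first-match ACL evaluation with wildcard masks, loaded with the exact entries and inbound bindings from the configuration above; it is not code from the thread. It assumes contiguous wildcard masks and ignores ports, since every entry is a plain `ip` rule.

```python
import ipaddress

# Constructed copy of the two numbered ACLs from the question, in original order.
ACL_TEXT = """
access-list 103 permit ip host 172.17.20.43 any
access-list 103 deny ip 172.17.20.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 103 permit ip any any
access-list 104 permit ip host 172.17.20.43 any
access-list 104 deny ip 192.168.41.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 104 permit ip any any
"""

# Inbound "ip access-group" bindings from the SVI stanzas; Vlan100 has none.
BINDINGS = {"Vlan10": "103", "Vlan20": "104", "Vlan100": None}

def _parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # A Cisco wildcard is the inverse of a subnet mask (0 bits must match);
    # assumes a contiguous wildcard, which holds for every entry above.
    prefix = 32 - bin(int(ipaddress.ip_address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), tokens[2:]

def parse_acls(text):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in text.strip().splitlines():
        _, number, action, _proto, *rest = line.split()
        src, rest = _parse_addr(rest)
        dst, _ = _parse_addr(rest)
        acls.setdefault(number, []).append((action, src, dst))
    return acls

def evaluate(acl, src_ip, dst_ip):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "deny"

def inbound_verdict(acls, ingress_vlan, src_ip, dst_ip):
    """Verdict for a packet arriving on ingress_vlan's SVI (ACLs are stateless)."""
    number = BINDINGS[ingress_vlan]
    return "permit" if number is None else evaluate(acls[number], src_ip, dst_ip)
```

Because Vlan100 carries no access-group, a packet entering from 192.168.50.0/24 toward VLAN 10 is permitted on ingress; only the VLAN 10 host's traffic back toward 192.168.50.0/24 is dropped by ACL 103 on Vlan10, so TCP sessions from VLAN 100 cannot complete but one-way packets still reach the VLAN 10 hosts. The same model shows why the first entry of ACL 104 is redundant: a source of 172.17.20.43 would not arrive inbound on the VLAN 20 SVI, so that entry matches nothing sourced on VLAN 20.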
