Cisco Support Community

New Member

access-list for vlan

Hi,

I'd like to configure 3 VLANs.

I want users in vlan100 and vlan200 to connect to users in vlan300 but prevent vlan100 from accessing vlan200.

All users can connect to the internet.

I tried to configure an ACL on the router, but users in different VLANs can still ping each other.

I use a 2611 router and a 2950 switch.

Can anybody tell me what the configuration should be?

Thanks in advance.

9 REPLIES
Purple

Re: access-list for vlan

It would help if you post your router config that you used so that we can see what the issues with the config are.

Paresh

New Member

Re: access-list for vlan

I tried to deny traffic whose destination is other than 192.168.5.0 0.0.0.255, but the VLANs could still ping each other.

I put deny any any but I still can ping.

Purple

Re: access-list for vlan

Hi,

You need to place the ACLs under the sub-interfaces, not the main interface.

In order to prevent users in VLAN 100 from communicating with users in VLAN 200, do the following:

access-list 101 deny ip any 192.168.2.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip any 192.168.1.0 0.0.0.255
access-list 102 permit ip any any
!
interface FastEthernet0/1.100
 ip access-group 101 in
!
interface FastEthernet0/1.200
 ip access-group 102 in

Hope that helps - pls rate the post if it does.

Paresh
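As an added worked check (not part of the thread and not Cisco code), the following Python script models how IOS evaluates a numbered extended ACL bound inbound to a router-on-a-stick sub-interface: wildcard-mask matching, first-match-wins ordering, and the implicit deny at the end of every ACL. It parses the accepted configuration above and confirms that VLAN 100 and VLAN 200 can each reach VLAN 300 and the internet but not each other. It assumes the parent interface is FastEthernet0/1, that VLAN 100 and 200 use 192.168.1.0/24 and 192.168.2.0/24 as in the thread, and that VLAN 300 uses 192.168.3.0/24 (never stated on the page). The MISPLACED configuration is constructed to illustrate Paresh's point about placement: the same ACL on the physical interface never sees the tagged sub-interface traffic, so it is not the original poster's actual config.

```python
"""Model of IOS extended ACLs bound to sub-interfaces (constructed example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan; the VLAN 300 subnet is an assumption, the thread never states it.
VLAN_SUBNETS = {
    100: ipaddress.ip_network("192.168.1.0/24"),
    200: ipaddress.ip_network("192.168.2.0/24"),
    300: ipaddress.ip_network("192.168.3.0/24"),
}


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: str     # "any" or "address wildcard"
    dst: str


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard mask means 'don't care'."""
    if spec == "any":
        return True
    base, wild = spec.split()
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    return (a & ~w) == (b & ~w)


def _take_spec(tokens):
    """Consume one address specification: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]} 0.0.0.0", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_config(text: str):
    """Return (acls, bindings): ACL number -> [Ace], interface name -> inbound ACL number."""
    acls, bindings, current_if = {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "access-list":
            num, action = tok[1], tok[2]        # tok[3] is the protocol ("ip")
            src, rest = _take_spec(tok[4:])
            dst, _ = _take_spec(rest)
            acls.setdefault(num, []).append(Ace(action, src, dst))
        elif tok[0] == "interface":
            current_if = tok[1]
        elif tok[:2] == ["ip", "access-group"] and tok[3] == "in":
            bindings[current_if] = tok[2]
    return acls, bindings


def evaluate(aces, src: str, dst: str) -> str:
    for ace in aces:                            # first matching entry wins
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action
    return "deny"                               # implicit deny at the end of every IOS ACL


def ingress_interface(src: str, parent: str = "FastEthernet0/1") -> str:
    """Tagged traffic from VLAN N enters on sub-interface parent.N, never on the parent itself."""
    for vlan, net in VLAN_SUBNETS.items():
        if ipaddress.ip_address(src) in net:
            return f"{parent}.{vlan}"
    raise ValueError(f"{src} is not in a known VLAN")


def router_decision(config: str, src: str, dst: str) -> str:
    """What the router does with a packet src -> dst arriving from the VLAN that owns src."""
    acls, bindings = parse_config(config)
    acl_num = bindings.get(ingress_interface(src))
    if acl_num is None:
        return "permit"                         # no inbound ACL on that sub-interface
    return evaluate(acls[acl_num], src, dst)


# The accepted configuration from the thread.
ACCEPTED = """
access-list 101 deny ip any 192.168.2.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip any 192.168.1.0 0.0.0.255
access-list 102 permit ip any any
!
interface FastEthernet0/1.100
 ip access-group 101 in
!
interface FastEthernet0/1.200
 ip access-group 102 in
"""

# Constructed illustration of the placement mistake: same ACL, but on the physical interface.
MISPLACED = """
access-list 101 deny ip any 192.168.2.0 0.0.0.255
access-list 101 permit ip any any
!
interface FastEthernet0/1
 ip access-group 101 in
"""

if __name__ == "__main__":
    flows = [("192.168.1.10", "192.168.2.10"), ("192.168.1.10", "192.168.3.10"),
             ("192.168.2.10", "192.168.1.10"), ("192.168.3.10", "192.168.1.10"),
             ("192.168.1.10", "8.8.8.8")]
    for s, d in flows:
        print(f"{s} -> {d}: accepted={router_decision(ACCEPTED, s, d)} "
              f"misplaced={router_decision(MISPLACED, s, d)}")
```

Because each ACL denies inbound on its own sub-interface, both directions between VLAN 100 and VLAN 200 are dropped at the first hop, and replies cannot leak through even if one of the two ACLs were later removed by mistake. VLAN 300 has no ACL, so it can still initiate traffic to either VLAN; if that is not wanted, it needs its own inbound list.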

New Member

Re: access-list for vlan

Hi Paresh,

Thank you for the reply; it works now.

I tried one thing; can you help me?

I haven't used a router for inter-VLAN routing, but just a network card which supports 802.1Q.

I connected it to a switch trunk port.

I can't ping the network card.

Is there any configuration to do apart from specifying the mode of each port?

Purple

Re: access-list for vlan

Howdy,

Have you correctly configured the IP addresses for the appropriate VLANs on the NIC?

Paresh

New Member

Re: access-list for vlan

Not only as Paresh mentions above: if you are using something like the Broadcom or HP utility to configure VLANs for a NIC, note that all frames from that host will be "tagged".

If the port on the switch is just an access port, it won't work. You will need to configure the port as a trunk port and allow only the user VLANs on it... hope it makes sense.

Regards

Harman

New Member

Re: access-list for vlan

Hi,

Thanks to both of you for the reply. I couldn't post yesterday.

I gave 3 IP addresses to the NIC; it's on a trunk port.

192.168.1.1
192.168.2.1
192.168.3.1

and used these addresses as the gateway for PCs on an access port:

192.168.1.1 for PCs in VLAN 100
192.168.2.1 for PCs in VLAN 200.

Is there other configuration to do on the NIC and on the switch?

Purple

Re: access-list for vlan

It's not sufficient to give an IP address to each VLAN on your NIC - you also have to make sure that the box is configured as a router, and not simply as a host. It has to have the capability to do inter-VLAN routing.

Hope that helps - pls rate the post if it does.

Paresh

New Member

Re: access-list for vlan

Hi,

I've added the VLANs on the NIC. It's working now.

Thanks very much for your help.

Regards
