Solved: access-list for vlan

harinirina · ‎03-18-2006

Hi,

I'd like to configure 3 vlans .

I want users in vlan100 and vlan200 to connect to users in the vlan300 but prevent vlan100 from accessing vlan200.

All users can connect to the internet.

I tried to configure acl on the router but all users in different vlans can yet ping each other.

I use router 2611 and switch 2950.

Can anybody tell what should be the configuration ?

thanks in advanced.

pkhatri · ‎03-18-2006

Hi,

You need to place the ACLs under the sub-interfaces, not the main interface.

In order to prevent users in VLAN 100 from communicating with users in VLAN 200, do the following:

access-list 101 deny ip any 192.168.2.0 0.0.0.255

access-list 101 permit ip any any

access-list 102 deny ip any 192.168.1.0 0.0.0.255

access-list 102 permit ip any any

!

interface FastEthernet0/1.100

ip access-group 101 in

!

interface FastEthernet0/1.200

ip access-group 102 in

Hope that helps - pls rate the post if it does.

Paresh

View solution in original post

pkhatri · ‎03-18-2006

It would help if you post your router config that you used so that we can see what the issues with the config are.

Paresh

harinirina · ‎03-18-2006

I tried to deny traffic whose destination is other than 192.168.5.0 0.0.0.255 but vlans could ping each other.

I put deny any any but i still can ping.

pkhatri · ‎03-18-2006

Hi,

You need to place the ACLs under the sub-interfaces, not the main interface.

In order to prevent users in VLAN 100 from communicating with users in VLAN 200, do the following:

access-list 101 deny ip any 192.168.2.0 0.0.0.255

access-list 101 permit ip any any

access-list 102 deny ip any 192.168.1.0 0.0.0.255

access-list 102 permit ip any any

!

interface FastEthernet0/1.100

ip access-group 101 in

!

interface FastEthernet0/1.200

ip access-group 102 in

Hope that helps - pls rate the post if it does.

Paresh

harinirina · ‎03-19-2006

Hi Paresh,

Thanks you for the reply, it works now.

I tried one thing, can you help me ?

I haven't used a router for intervlan routing but just a network card which supports 802.1Q.

i connected it to a switch trunk port.

I can't ping the network card.

Is there any configuration to do apart specifying the mode of each port ?

pkhatri · ‎03-19-2006

Howdy,

Have you correctly configured the IP addresses for the appropriate VLANs on the NIC ?

Paresh

harman_nagra · ‎03-19-2006

Not only as Paresh mentions above, if you are using somehting like Broadcom or HP utility to configure vlan for a NIC, note all frames from that host will be "tagged".

If the port on the switch is just an access port, it wont work. You will need to configure the port as trunk port and allow the only user vlan on it... hope it makes sense.

Regards

Harman

harinirina · ‎03-21-2006

Hi,

Thanks both for the reply.I couldn't post yesterday.

I gave 3 ip addresses to the NIC,it's on a trunk port.

192.168.1.1

192.168.2.1

192.168.3.1

and used these addresses as gateway for pcs in an access port

192.168.1.1 for pcs in vlan 100

192.168.2.1 for pcs in vlan 200.

Is there other configuration to do on the NIC and on the switch?

pkhatri · ‎03-21-2006

It's not sufficient to give an IP address to each VLAN on your NIC - you also have to make sure that the box is configured as a router, and not simply as a host. It has to have the capability to do inter-vlan routing.

Hope that helps - pls rate the post if it does.

Paresh

harinirina · ‎03-23-2006

Hi,

I've added vlan on the NIC.It's working now.

Thanks very much for your help

Regards