
ACL on different VLAN

chanut69
Level 1

I've got 3 routers connected together in a triangle.

  A
 / \
B _ C

Router A connects to B using a point-to-point connection but connects to C by a VLAN, let's say VLAN 2.

Router B connects to C using a point-to-point connection.

Router A has many VLANs; they're all in different IP ranges.

Let's say VLAN 30 (the 10.0.0.0 network) on router A is very important. I don't want others to be able to contact this VLAN.

Can I not apply an ACL on this VLAN, but apply one on another interface, like VLAN 2 of router A, and say ...

router A#
interface VLAN 2
 ip access-group test in
interface VLAN 30
 <<no any ACL apply>>
ip access-list extended test
 deny ip any 10.0.0.0 0.255.255.255

I think we cannot do that. We need to apply it on VLAN 30 because the range is fixed on the VLAN ...

Can anyone confirm my thought?

Thanks,

2 Replies

hbaerten
Level 4

If you modify the ACL to allow all other traffic (otherwise the implicit deny will block all traffic), I see no reason why it shouldn't work?

ip access-list extended test
 deny ip any 10.0.0.0 0.255.255.255
 permit ip any any

Depending on what you want exactly, you may also have to apply the same ACL on the point-to-point interfaces of router A.

I'm just curious why you would want to do this, since it seems so much easier to just put an ACL on interface vlan30?

hth

Herbert

Because it's the present configuration that I've found ... the 'test' ACL is applied on VLAN 2, but never applied on the point-to-point interface.

I'm practising "troubleshooting" (^ ^bb)

Thank you so much for your help~
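
Added example (not part of the thread or of anyone's posted configuration): a small Python model of first-match ACL evaluation on router A, showing the implicit deny in the ACL as asked and that an inbound ACL on VLAN 2 leaves the path through B unfiltered. Assumptions: the interface labels `p2p-B` and `Vlan40`, the sample addresses, and binding the ACL outbound on VLAN 30 as one reading of "an ACL on interface vlan30".

```python
import ipaddress

def wc_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard mask are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

ANY = ("0.0.0.0", "255.255.255.255")
NET10 = ("10.0.0.0", "0.255.255.255")
ACL_AS_ASKED = [("deny", ANY, NET10)]                    # ACL from the question
ACL_AS_ANSWERED = ACL_AS_ASKED + [("permit", ANY, ANY)]  # ACL from the reply

def acl_permits(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, s, d in acl:
        if wc_match(src, *s) and wc_match(dst, *d):
            return action == "permit"
    return False

def forwarded(bindings, in_if, out_if, src, dst):
    """bindings maps (interface, direction) -> ACL; unbound interfaces are unfiltered."""
    for key in ((in_if, "in"), (out_if, "out")):
        acl = bindings.get(key)
        if acl is not None and not acl_permits(acl, src, dst):
            return False
    return True

# Constructed sample traffic: a remote host, a host in VLAN 30, a host in another VLAN.
SRC, PROTECTED, OTHER = "192.168.5.10", "10.0.0.5", "172.16.1.1"
# Interface labels are assumptions: "p2p-B" is A's link to B, "Vlan40" is some other VLAN.
PATHS = {
    "via C to VLAN 30": ("Vlan2", "Vlan30", PROTECTED),
    "via B to VLAN 30": ("p2p-B", "Vlan30", PROTECTED),
    "via C to other VLAN": ("Vlan2", "Vlan40", OTHER),
}

def coverage(bindings):
    """Which sample paths still get through router A with these ACL bindings."""
    return {name: forwarded(bindings, i, o, SRC, dst) for name, (i, o, dst) in PATHS.items()}

if __name__ == "__main__":
    for label, b in [("asked, Vlan2 in", {("Vlan2", "in"): ACL_AS_ASKED}),
                     ("answered, Vlan2 in", {("Vlan2", "in"): ACL_AS_ANSWERED}),
                     ("answered, Vlan30 out", {("Vlan30", "out"): ACL_AS_ANSWERED})]:
        print(label, coverage(b))
```

The model covers only packets routed through router A toward the destination; return traffic and hosts talking to each other inside VLAN 30 are out of scope.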
