I have a VLAN configuration similar to this. We have hosted very critical servers in VLAN 2, and these servers should be accessible to the users in VLAN 2 only, not to users from other VLANs. I want to create an access list in such a way that users in other VLANs are not able to access the servers in VLAN 2.
Do you mean the server in VLAN 2 will be accessed by users in VLAN 2 only? But at the same time, will there be any application that needs to access the VLAN 2 server or users, e.g. a backup application? Or will users in VLAN 2 need to access anything outside VLAN 2, e.g. the Internet?
If there is no other application or server that needs access to VLAN 2, then you can simply exclude the L3 address for VLAN 2 from the routing table and leave it as an L2-only VLAN.
If only the VLAN 2 servers must not be reachable from VLANs other than VLAN 2, then simply remove the default gateway on the servers; the servers will then not be able to communicate outside their subnet, i.e. they cannot find a next hop for non-local subnets.
But please ensure that this is what you want, or please provide more conditions for consideration.
Thanks Jack. I can't have a Layer 2 VLAN for VLAN 2 on the 3750. It has to have the gateway, and I can't remove the gateway on the server side either. My requirement is that users in other VLANs should not be able to access (deny) the servers (10.44.2.200, 10.44.2.150) in
As others have pointed out, to be able to suggest the correct solution it is important that we understand the real and complete set of requirements. You have said that the requirement is that no one in any other VLAN should access the servers in VLAN 2. You have not told us whether servers are the only devices in VLAN 2 or whether there are some other devices in VLAN 2 which might need access. You have not told us whether there is a requirement for anything outside to be able to access the servers. And you have not told us whether the servers need to access anything outside of VLAN 2 (do they need web access outside, do they need DNS outside, do they need patches from outside, do they need data updates from outside?).
If you can help us understand the full requirements then we can suggest a better solution.
From your general description, which sounds like nothing from outside VLAN 2 should access resources inside VLAN 2, you could try something like this:
access-list 150 deny ip any any
interface vlan 2
ip access-group 150 out
That will prevent any traffic from an outside address from being forwarded into VLAN 2.
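As an added example (not part of the original thread and not the poster's own configuration), here is a narrower variant for the case the original poster describes: the two servers 10.44.2.200 and 10.44.2.150 must keep their gateway, the rest of VLAN 2 stays reachable, and only routed traffic from other VLANs toward those two hosts is dropped. It assumes VLAN 2 is addressed 10.44.2.0/24, that the ACL is applied on the 3750's VLAN 2 SVI, and that the ACL name and the backup-server address 10.44.9.10 are placeholders chosen for illustration.

```cisco
! Added example, not from the original thread. Assumed addressing:
!   VLAN 2 = 10.44.2.0/24, critical servers 10.44.2.200 and 10.44.2.150
!   10.44.9.10 = hypothetical backup server that must still reach them
ip access-list extended PROTECT-VLAN2-SERVERS
 remark Exceptions first: ACEs are evaluated top-down, first match wins
 permit ip host 10.44.9.10 host 10.44.2.200
 permit ip host 10.44.9.10 host 10.44.2.150
 remark Let replies to TCP sessions the servers open (patches, updates) come back in
 permit tcp any host 10.44.2.200 established
 permit tcp any host 10.44.2.150 established
 remark Drop everything else routed toward the two critical servers; log for detection
 deny   ip any host 10.44.2.200 log
 deny   ip any host 10.44.2.150 log
 remark Everything else in VLAN 2 stays reachable from other VLANs
 permit ip any any
!
interface Vlan2
 ip access-group PROTECT-VLAN2-SERVERS out
!
! Verification after applying:
!   show ip access-lists PROTECT-VLAN2-SERVERS   (ACE hit counts where the platform keeps them)
!   show running-config interface Vlan2        (confirms the ACL is bound outbound)
```

Two caveats a practitioner should keep in mind. First, an IOS ACL is stateless: with the thread's `deny ip any any` or with the `deny` lines above, any session the servers initiate toward another VLAN (DNS lookups, patch downloads) has its reply dropped on the way back in, which is why the `established` entries are there for TCP; UDP services such as DNS need their own explicit `permit` lines. Second, the `log` keyword on a Catalyst 3750 punts matching packets to the CPU, so keep it on the two narrow `deny` entries only, not on a broad rule, and remove it once the policy is verified if the hit rate is high.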