access-list configuration

Hi,

I have the following configuration:

!

interface FastEthernet0/1

description **** connected to Timsoret Line-code yy-yyyyy 1 Giga ***

no ip address

duplex full

speed 100

!

interface FastEthernet0/1.2007

description ***** Connect To MASTER_SHUKEI_ON *****

encapsulation dot1Q 2007

ip address 172.21.2.46 255.255.255.248

!

interface FastEthernet0/1.2008

description ***** Connect To TRAST *****

encapsulation dot1Q 2008

ip address 172.21.2.54 255.255.255.248

!

interface FastEthernet0/1.2009

description ***** Connect To TRAST *****

encapsulation dot1Q 2009

ip address 172.21.2.62 255.255.255.248

!

interface FastEthernet0/1.2010

description ***** Connect To TRAST *****

encapsulation dot1Q 2010

ip address 172.21.2.707 255.255.255.248

!

And I want to configure an access deny between the VLANs, so that users can't get into other VLANs that don't belong to them.

Thanks
3 REPLIES

Re: access-list configuration

Hi,

Create an access-list (ACL) denying the source IP/subnets, and permit others. Apply this ACL to the sub-interface using 'ip access-group' command.

For example, on the FastE0/1.2007, if you need to deny traffic from FastE0/1.2008 & .2009 from coming into FastE0/1.2007, use:

access-list 101 deny ip 172.21.2.48 0.0.0.7 any

access-list 101 deny ip 172.21.2.56 0.0.0.7 any

interface FastEthernet0/1.2008

description ***** Connect To TRAST *****

encapsulation dot1Q 2008

ip address 172.21.2.54 255.255.255.248

ip access-group 10 in ---> apply here

For your interface FastEthernet0/1.2020, I think the IP is invalid - 172.21.2.707 255.255.255.248. Typo error?

Rgds,

AK

Re: access-list configuration

Correction - ACL 101

access-list 101 deny ip 172.21.2.48 0.0.0.7 any

access-list 101 deny ip 172.21.2.56 0.0.0.7 any

interface FastEthernet0/1.2008

description ***** Connect To TRAST *****

encapsulation dot1Q 2008

ip address 172.21.2.54 255.255.255.248

ip access-group 101 in ---> correct acl is 101

Rgds,

AK
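
An added example, not part of the replies above: a small Python model of how IOS evaluates the ACL 101 entries from the reply (wildcard match, first match wins, implicit deny at the end). The host addresses are constructed, and the explicit `permit ip any any` entry is an assumption standing in for the reply's "permit others".

```python
import ipaddress

def wildcard_entry(address, netmask):
    """Interface address + mask -> 'network wildcard' as written in an ACL entry."""
    net = ipaddress.ip_interface(f"{address}/{netmask}").network
    return f"{net.network_address} {net.hostmask}"

def _spec(tokens):
    """Consume 'any' or 'ADDR WILDCARD' from tokens; return (addr, wildcard) as ints."""
    if tokens[0] == "any":
        tokens.pop(0)
        return 0, 0xFFFFFFFF
    addr, wc = tokens.pop(0), tokens.pop(0)
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wc))

def parse_entry(line):
    """Parse 'access-list N permit|deny ip SRC DST' (the only form used in the thread)."""
    tokens = line.split()
    action, rest = tokens[2], tokens[4:]
    return action, _spec(rest), _spec(rest)

def _hit(ip, spec):
    addr, wc = spec
    care = ~wc & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def evaluate(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for line in acl:
        action, s, d = parse_entry(line)
        if _hit(src, s) and _hit(dst, d):
            return action
    return "deny"

# The two entries from the reply, exactly as posted.
ACL_101 = [
    "access-list 101 deny ip 172.21.2.48 0.0.0.7 any",
    "access-list 101 deny ip 172.21.2.56 0.0.0.7 any",
]
# Assumption: the reply's "permit others" written out as an explicit last entry.
ACL_101_PERMIT = ACL_101 + ["access-list 101 permit ip any any"]

if __name__ == "__main__":
    print(wildcard_entry("172.21.2.54", "255.255.255.248"))
    for src in ("172.21.2.50", "172.21.2.58", "10.0.0.5"):  # constructed hosts
        print(src, evaluate(ACL_101, src, "172.21.2.42"),
              evaluate(ACL_101_PERMIT, src, "172.21.2.42"))
```

With only the two deny entries, the constructed outside host 10.0.0.5 is also dropped by the implicit deny; it passes only once the permit entry is present.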

Re: access-list configuration

Hi,

I know that way, but it means I will have a lot of access-lists, a large number of access-lists.

There is no other way to do it.

Thanks
