05-17-2006 12:55 AM - edited 02-20-2020 09:36 PM
Hi,
I have the following configuration:
!
interface FastEthernet0/1
 description **** connected to Timsoret Line-code yy-yyyyy 1 Giga ***
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/1.2007
 description ***** Connect To MASTER_SHUKEI_ON *****
 encapsulation dot1Q 2007
 ip address 172.21.2.46 255.255.255.248
!
interface FastEthernet0/1.2008
 description ***** Connect To TRAST *****
 encapsulation dot1Q 2008
 ip address 172.21.2.54 255.255.255.248
!
interface FastEthernet0/1.2009
 description ***** Connect To TRAST *****
 encapsulation dot1Q 2009
 ip address 172.21.2.62 255.255.255.248
!
interface FastEthernet0/1.2010
 description ***** Connect To TRAST *****
 encapsulation dot1Q 2010
 ip address 172.21.2.707 255.255.255.248
!
And I want to configure an access deny between the VLANs, so that users can't get into other VLANs that don't belong to them.
Thanks
05-17-2006 01:57 AM
Hi,
Create an access-list (ACL) denying the source IP/subnets, and permit others. Apply this ACL to the sub-interface using the 'ip access-group' command.
For example, on the FastE0/1.2007, if you need to deny traffic from FastE0/1.2008 & .2009 from coming into FastE0/1.2007, use:
access-list 101 deny ip 172.21.2.48 0.0.0.7 any
access-list 101 deny ip 172.21.2.56 0.0.0.7 any
interface FastEthernet0/1.2008
 description ***** Connect To TRAST *****
 encapsulation dot1Q 2008
 ip address 172.21.2.54 255.255.255.248
 ip access-group 10 in ---> apply here
For your interface FastEthernet0/1.2020, I think the IP is invalid - 172.21.2.707 255.255.255.248. Typo error?
Rgds,
AK
05-17-2006 01:59 AM
Correction - ACL 101
access-list 101 deny ip 172.21.2.48 0.0.0.7 any
access-list 101 deny ip 172.21.2.56 0.0.0.7 any
interface FastEthernet0/1.2008
 description ***** Connect To TRAST *****
 encapsulation dot1Q 2008
 ip address 172.21.2.54 255.255.255.248
 ip access-group 101 in ---> correct acl is 101
Rgds,
AK
05-17-2006 02:33 AM
Hi,
I know that way, but it means I will have a lot of access-lists, a large number of access-lists.
There is no other way to do it.
Thanks
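The per-sub-interface ACL approach discussed in this thread, as an added example that is not part of the original posts: a Python script that reads the sub-interface addresses from the question, flags the address that does not parse, and emits one inbound extended ACL per sub-interface. Matching on the destination subnet, numbering the ACLs from 101 and ending each with `permit ip any any` are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: the sub-interfaces from the question (descriptions omitted).
CONFIG = """\
interface FastEthernet0/1.2007
 encapsulation dot1Q 2007
 ip address 172.21.2.46 255.255.255.248
interface FastEthernet0/1.2008
 encapsulation dot1Q 2008
 ip address 172.21.2.54 255.255.255.248
interface FastEthernet0/1.2009
 encapsulation dot1Q 2009
 ip address 172.21.2.62 255.255.255.248
interface FastEthernet0/1.2010
 encapsulation dot1Q 2010
 ip address 172.21.2.707 255.255.255.248
"""

def parse_subinterfaces(config):
    """Return ({interface: IPv4Network}, [(interface, unparsable address)])."""
    nets, invalid, current = {}, [], None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            current = line.split()[1]
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m and current:
            try:
                nets[current] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
            except ValueError:  # e.g. an octet above 255
                invalid.append((current, m[1]))
    return nets, invalid

def build_acls(nets, first_acl=101):
    """Assumed policy: inbound on each VLAN, deny the other VLAN subnets, permit the rest."""
    out = []
    for num, (ifname, own) in enumerate(nets.items(), start=first_acl):
        for other in nets.values():
            if other != own:
                # hostmask is the wildcard mask IOS expects (0.0.0.7 for a /29)
                out.append(f"access-list {num} deny ip any {other.network_address} {other.hostmask}")
        out.append(f"access-list {num} permit ip any any")
        out += [f"interface {ifname}", f" ip access-group {num} in"]
    return out

if __name__ == "__main__":
    nets, invalid = parse_subinterfaces(CONFIG)
    print("\n".join([f"! skipped {i}: invalid address {a}" for i, a in invalid] + build_acls(nets)))
```

The number of ACLs still grows with the number of sub-interfaces; the script only removes the hand-editing and catches addressing mistakes before the ACLs are built.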