access-list configuration

amenash123
Level 1

Hi,

I have the following configuration:

!

interface FastEthernet0/1

description **** connected to Timsoret Line-code yy-yyyyy 1 Giga ***

no ip address

duplex full

speed 100

!

interface FastEthernet0/1.2007

description ***** Connect To MASTER_SHUKEI_ON *****

encapsulation dot1Q 2007

ip address 172.21.2.46 255.255.255.248

!

interface FastEthernet0/1.2008

description ***** Connect To TRAST *****

encapsulation dot1Q 2008

ip address 172.21.2.54 255.255.255.248

!

interface FastEthernet0/1.2009

description ***** Connect To TRAST *****

encapsulation dot1Q 2009

ip address 172.21.2.62 255.255.255.248

!

interface FastEthernet0/1.2010

description ***** Connect To TRAST *****

encapsulation dot1Q 2010

ip address 172.21.2.707 255.255.255.248

!

I want to configure an access deny between the VLANs, so that users can't get into other VLANs that don't belong to them.

Thanks

3 Replies

a.kiprawih
Level 7

Hi,

Create an access-list (ACL) denying the source IP/subnets, and permit others. Apply this ACL to the sub-interface using the 'ip access-group' command.

For example, on the FastE0/1.2007, if you need to deny traffic from FastE0/1.2008 & .2009 from coming into FastE0/1.2007, use:

access-list 101 deny ip 172.21.2.48 0.0.0.7 any

access-list 101 deny ip 172.21.2.56 0.0.0.7 any

interface FastEthernet0/1.2008

description ***** Connect To TRAST *****

encapsulation dot1Q 2008

ip address 172.21.2.54 255.255.255.248

ip access-group 10 in ---> apply here

For your interface FastEthernet0/1.2020, I think the IP is invalid - 172.21.2.707 255.255.255.248. Typo error?

Rgds,

AK

a.kiprawih
Level 7

Correction - ACL 101

access-list 101 deny ip 172.21.2.48 0.0.0.7 any

access-list 101 deny ip 172.21.2.56 0.0.0.7 any

interface FastEthernet0/1.2008

description ***** Connect To TRAST *****

encapsulation dot1Q 2008

ip address 172.21.2.54 255.255.255.248

ip access-group 101 in ---> correct acl is 101

Rgds,

AK

Hi,

I know that way, but it means I will have a lot of access-lists, a large number of access-lists.

There is no other way to do it.

Thanks
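The ACLs discussed in this thread can be checked offline before they are applied to a sub-interface. The following is an added example, not code from any poster in the thread: a first-match evaluator for `access-list N permit|deny ip ...` lines with wildcard masks and the implicit deny. ACL 101 is copied from the reply above; ACL 150, its summary range 172.21.2.32 0.0.0.31, and the sample host addresses are constructed assumptions.

```python
import ipaddress

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def take_spec(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (ip_int(tokens[1]), 0), tokens[2:]
    return (ip_int(tokens[0]), ip_int(tokens[1])), tokens[2:]

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' (protocol 'ip' only)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny") or tok[3] != "ip":
        raise ValueError("unsupported ACE: " + line)
    src, rest = take_spec(tok[4:])
    dst, rest = take_spec(rest)
    return tok[2], src, dst

def matches(addr, spec):
    base, wild = spec
    # Wildcard bits set to 1 are "don't care"; the remaining bits must be equal.
    return (ip_int(addr) | wild) == (base | wild)

def evaluate(acl, src, dst):
    """Return the action of the first matching entry, else the implicit deny."""
    for line in acl:
        action, s, d = parse_ace(line)
        if matches(src, s) and matches(dst, d):
            return action
    return "deny"

# ACL 101 exactly as posted in the reply (no permit line).
ACL_101 = [
    "access-list 101 deny ip 172.21.2.48 0.0.0.7 any",
    "access-list 101 deny ip 172.21.2.56 0.0.0.7 any",
]
# Constructed: one destination-based list reusable on every sub-interface.
ACL_150 = [
    "access-list 150 deny ip any 172.21.2.32 0.0.0.31",
    "access-list 150 permit ip any any",
]

if __name__ == "__main__":
    for name, acl in (("101", ACL_101), ("150", ACL_150)):
        for src, dst in (("172.21.2.50", "172.21.2.42"), ("172.21.2.50", "192.0.2.10")):
            print(name, src, "->", dst, evaluate(acl, src, dst))
```

The constructed ACL 150 can be applied inbound on each sub-interface only if nothing those VLANs must reach lives in 172.21.2.32 to 172.21.2.63. An inbound ACL also filters packets addressed to the router's own sub-interface address, so under ACL 150 a host can no longer reach its gateway address such as 172.21.2.54.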