12-12-2011 09:50 AM - edited 03-07-2019 03:51 AM
Hi all experts,
I was really fed up with this. I gave a lot of tries using extended named ACLs and extended numbered ACLs...
Hope you can help me out with this.
- Only two IPs (10.10.30.2 (vlan 101) and 10.10.14.2 (vlan 99)) should communicate with all IPs of vlan 50, and the rest should all be denied.
((( ***** here is how I want it:
10.10.30.2 ---------permit--------10.10.18.0/24
10.10.14.2 ---------permit--------10.10.18.0/24
deny ip any any (the rest should all be denied)
**************** )))
How to accomplish this?
Switch(config)#do sh ip route
10.0.0.0/24 is subnetted, 3 subnets
C 10.10.14.0 is directly connected, Vlan99
C 10.10.18.0 is directly connected, Vlan50
C 10.10.30.0 is directly connected, Vlan101
Switch#sh vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/2, Fa0/3, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/13, Fa0/14, Fa0/19, Fa0/21
Fa0/22, Fa0/23, Gig0/1, Gig0/2
50 isolatedservers active Fa0/20
99 branch active Fa0/10, Fa0/11, Fa0/12
101 wifi active Fa0/15, Fa0/16, Fa0/17, Fa0/18
Where to implement the access-list here, and how... at interface vlan 50?
Thanks in advance,
sreek
12-12-2011 10:03 AM
Hi,
try this.
For 10.10.30.2 ----> 10.10.18.0/24:
ip access-list extended vlan-101
 permit ip host 10.10.30.2 10.10.18.0 0.0.0.255
 deny ip 10.10.30.0 0.0.0.255 10.10.18.0 0.0.0.255
 permit ip any any (this line if you want to let the rest of the users go to the Internet)
interface vlan 101
 ip access-group vlan-101 in
For 10.10.14.2 ----> 10.10.18.0/24:
ip access-list extended vlan-99
 permit ip host 10.10.14.2 10.10.18.0 0.0.0.255
 deny ip 10.10.14.0 0.0.0.255 10.10.18.0 0.0.0.255
 permit ip any any (this line if you want to let the rest of the users go to the Internet)
interface vlan 99
 ip access-group vlan-99 in
12-12-2011 10:21 AM
Hey, thanks a lot SRVI.
I was trying to give an access list under vlan 50 to block all VLAN IPs except two (10.10.30.2 & 10.10.14.2), wherein I failed...
And one more thing: in this way we can only block one-way traffic, that is...
1. Where should I apply the access-lists if I want vlan 50 not to communicate with the other VLANs except the two, 10.10.30.2 (vlan 101) & 10.10.14.2 (vlan 99)?
2. And can you say what exactly is happening here if I give ip access-group vlan-101 out? Though I need access-group in... just to understand.
interface vlan 101
 ip access-group vlan-101 out ?
Thanks in advance.
12-12-2011 10:31 AM
Hi,
you should apply your access list on the VLAN interfaces:
example
conf t
your-switch(config)# interface vlan 101
your-switch(config-if)# ip access-group vlan-101 in (note: the vlan-101 after the command ip access-group is the name of the ACL)
If you want vlan 50 to stop communicating with the others except 10.10.30.2 (vlan 101) & 10.10.14.2 (vlan 99):
ip access-list extended vlan-50
 permit ip 10.10.18.0 0.0.0.255 host 10.10.30.2
 permit ip 10.10.18.0 0.0.0.255 host 10.10.14.2
To apply it to an interface:
interface vlan 50
 ip access-group vlan-50 in
About in and out: if you specify ip access-group xxxx in, it will apply the access list to the traffic coming from the hosts into the VLAN interface, which then needs to be routed internally or go outside;
if you specify out, it will be applied to the traffic leaving the interface, checked against the access list.
Regards
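Editor's note: the two replies above (the vlan-101/vlan-99 lists and the vlan-50 list) can be checked without a switch. The following is an added example, not code from this thread or from Cisco: a small first-match evaluator for `permit|deny ip SRC DST` entries with Cisco wildcard-mask semantics and the implicit deny at the end of every list. It assumes the three subnets shown in the `sh ip route` output, that each list is bound `in` on its own SVI, and that nothing else filters traffic. The name `VLAN50_WRONG_MASK` is a constructed variant of the vlan-50 list with a 0.0.0.0 source wildcard (a common slip: it matches only the single host 10.10.18.0), placed beside the 0.0.0.255 version the question actually asked for. The evaluator also models the "one-way" point raised in the thread by checking a conversation's forward packet and its reply separately, since these ACLs are stateless.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match exactly, a 1 bit
    is 'don't care'. So 0.0.0.0 matches one host and 0.0.0.255 matches a /24."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _operand(tokens: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Parse 'host X', 'any' or 'X WILDCARD' at tokens[i]; return ((network, wildcard), next i)."""
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (tokens[i], tokens[i + 1]), i + 2


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    src: Tuple[str, str]   # (network, wildcard)
    dst: Tuple[str, str]

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return wildcard_match(src_ip, *self.src) and wildcard_match(dst_ip, *self.dst)


def parse_acl(text: str) -> List[Ace]:
    """Keep the permit/deny lines of a named extended ACL; the header line is skipped.
    Toy parser: only 'permit|deny ip SRC DST' is understood (no ports, no tcp/udp)."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        if tokens[1] != "ip":
            raise ValueError("only 'permit/deny ip' entries are modelled: " + line)
        src, i = _operand(tokens, 2)
        dst, _ = _operand(tokens, i)
        aces.append(Ace(tokens[0], src, dst))
    return aces


def evaluate(aces: List[Ace], src_ip: str, dst_ip: str) -> str:
    """First match wins; a packet matching nothing hits the implicit 'deny ip any any'."""
    for ace in aces:
        if ace.matches(src_ip, dst_ip):
            return ace.action
    return "deny"


# Constructed topology, taken from the 'sh ip route' output in the question.
VLAN_OF_SUBNET = {"10.10.14.0/24": 99, "10.10.18.0/24": 50, "10.10.30.0/24": 101}


def vlan_of(ip: str) -> Optional[int]:
    for subnet, vlan in VLAN_OF_SUBNET.items():
        if ipaddress.ip_address(ip) in ipaddress.ip_network(subnet):
            return vlan
    return None  # not a local VLAN, e.g. an Internet address


def filter_in(acl_by_vlan: Dict[int, List[Ace]], vlan: Optional[int], src: str, dst: str) -> str:
    """Apply the ACL bound 'in' on the SVI of `vlan`; an SVI with no ACL passes everything."""
    acl = acl_by_vlan.get(vlan)
    return "permit" if acl is None else evaluate(acl, src, dst)


def two_way(acl_by_vlan: Dict[int, List[Ace]], src: str, dst: str) -> Tuple[str, str]:
    """Stateless view of one conversation: the forward packet is checked by the sender's
    SVI ACL, the reply by the receiver's SVI ACL. Both must permit for TCP to work."""
    fwd = filter_in(acl_by_vlan, vlan_of(src), src, dst)
    rev = filter_in(acl_by_vlan, vlan_of(dst), dst, src)
    return fwd, rev


# The lists from the replies above, each bound 'in' on its own SVI.
VLAN101 = """
ip access-list extended vlan-101
 permit ip host 10.10.30.2 10.10.18.0 0.0.0.255
 deny ip 10.10.30.0 0.0.0.255 10.10.18.0 0.0.0.255
 permit ip any any
"""
VLAN99 = VLAN101.replace("vlan-101", "vlan-99").replace("10.10.30.", "10.10.14.")
# Constructed slip: a 0.0.0.0 wildcard on the server subnet matches only host 10.10.18.0.
VLAN50_WRONG_MASK = """
ip access-list extended vlan-50
 permit ip 10.10.18.0 0.0.0.0 host 10.10.30.2
 permit ip 10.10.18.0 0.0.0.0 host 10.10.14.2
"""
VLAN50_FIXED = VLAN50_WRONG_MASK.replace("0.0.0.0 host", "0.0.0.255 host")  # the /24 version

ACLS = {101: parse_acl(VLAN101), 99: parse_acl(VLAN99), 50: parse_acl(VLAN50_FIXED)}

if __name__ == "__main__":
    print(evaluate(parse_acl(VLAN50_WRONG_MASK), "10.10.18.5", "10.10.30.2"))  # deny
    print(evaluate(parse_acl(VLAN50_FIXED), "10.10.18.5", "10.10.30.2"))       # permit
    print(two_way(ACLS, "10.10.30.9", "10.10.18.5"))                           # ('deny', 'deny')
    print(two_way({50: ACLS[50]}, "10.10.30.9", "10.10.18.5"))                 # ('permit', 'deny')
```

Two things the run makes visible. First, with only the vlan-50 list applied, a packet from 10.10.30.9 still reaches the servers and only the reply is dropped; the vlan-101 and vlan-99 lists are what stop unwanted traffic before it enters the server VLAN, which is the one-way effect asked about. Second, the vlan-50 list has no `permit ip any any`, so the servers can reach nothing but the two permitted hosts, including no Internet; that is what the question asked for, but add a final permit if the servers need updates. The model ignores protocol and port matching and ACL logging; it is only meant to check address matching and direction.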
12-13-2011 11:14 PM
Hi all,
I have a Cat 3750, LAN Base image (L3 switch).
By moving 10.10.18.0/24 (isolated servers) to a ***private VLAN***, can I allow a few IPs of other VLANs to communicate with 10.10.18.0/24?
((( ***** here is how I want it:
10.10.30.2 <<<---------permit--------->>> 10.10.18.0/24 (private VLAN)
10.10.14.2 <<<---------permit--------->>> 10.10.18.0/24 (private VLAN)
deny ip any any (the rest should all be denied)
**************** )))
Thanks and regards,
srikanth