402 Views, 5 Helpful, 4 Replies

intervlan Communication help

srikanth ath
Level 4

Hi all experts,

I was really fed up with this. I gave it a lot of tries using extended named ACLs and extended numbered ACLs...

Hope you can help me out with this.

- Only two IPs (10.10.30.2 (VLAN 101) and 10.10.14.2 (VLAN 99)) should communicate with all IPs of VLAN 50, and all the rest should be denied.

Here is how I want it:

10.10.30.2 ----permit---- 10.10.18.0/24
10.10.14.2 ----permit---- 10.10.18.0/24
deny ip any any (all the rest should be denied)

How to accomplish this?

Switch(config)#do sh ip route

     10.0.0.0/24 is subnetted, 3 subnets
C       10.10.14.0 is directly connected, Vlan99
C       10.10.18.0 is directly connected, Vlan50
C       10.10.30.0 is directly connected, Vlan101
Switch(config)#

Switch#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/13, Fa0/14, Fa0/19, Fa0/21
                                                Fa0/22, Fa0/23, Gig0/1, Gig0/2
50   isolatedservers                  active    Fa0/20
99   branch                           active    Fa0/10, Fa0/11, Fa0/12
101  wifi                             active    Fa0/15, Fa0/16, Fa0/17, Fa0/18

Where to implement the access-list here, and how... at interface vlan 50?

Thanks in advance

sreek

4 Replies

power.srvi
Level 1

hi,

try this

For the 10.10.30.2 ----> 10.10.18.0/24:

ip access-list extended vlan-101
 permit ip host 10.10.30.2 10.10.18.0 0.0.0.255
 deny ip 10.10.30.0 0.0.0.255 10.10.18.0 0.0.0.255
 permit ip any any   (this line only if you want to let the rest of the users go to the internet)

interface vlan 101
 ip access-group vlan-101 in

For the 10.10.14.12 ----> 10.10.18.0/24:

ip access-list extended vlan-99
 permit ip host 10.10.14.12 10.10.18.0 0.0.0.255
 deny ip 10.10.14.0 0.0.0.255 10.10.18.0 0.0.0.255
 permit ip any any   (this line only if you want to let the rest of the users go to the internet)

interface vlan 99
 ip access-group vlan-99 in

Hey, thanks a lot SRVI.

I was trying to put an access list under VLAN 50 to block all VLAN IPs except two (10.10.30.2 & 10.10.14.2), where I failed.

And one more thing: this way we can only block one-way traffic...

1. Where should I apply the access-lists if I want VLAN 50 not to communicate with other VLANs except the two, 10.10.30.2 (VLAN 101) & 10.10.14.2 (VLAN 99)?

2. And can you say what exactly happens here if I give ip access-group vlan-101 out? Though I need access-group in, just to understand:

interface vlan 101
 ip access-group vlan-101 out ?

Thanks in advance

hi

you should apply your access list on the VLAN interfaces:

example

conf t
your-switch(config)# interface vlan 101
your-switch(config-if)# ip access-group vlan-101 in     (note: the vlan-101 after the command ip access-group is the name of the ACL)

if you want VLAN 50 to stop communicating with others except 10.10.30.2 (VLAN 101) & 10.10.14.2 (VLAN 99):

ip access-list extended vlan-50
 permit ip 10.10.18.0 0.0.0.255 host 10.10.30.2
 permit ip 10.10.18.0 0.0.0.255 host 10.10.14.2
 ! everything else from VLAN 50 hits the implicit deny at the end of the list

to apply to an interface:

interface vlan 50
 ip access-group vlan-50 in

about the in and out: if you specify ip access-group xxxx in, it applies the access list to traffic coming from the hosts into the VLAN interface, which then needs to be routed internally or go outside.

if you specify out, it is applied to the traffic leaving the interface, checked against the access list.

regards
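To make the direction point concrete, here is an added Python model (not from the thread and not IOS code) of first-match wildcard ACL evaluation with the implicit trailing deny. It replays the thread's flows against the vlan-101 inbound ACL and against two versions of a vlan-50 inbound ACL, one written with wildcard 0.0.0.0 on the server subnet and one with 0.0.0.255, to show that an "in" ACL on Vlan101 never sees traffic originating in VLAN 50, and why the wildcard matters; hosts 10.10.18.7 and 10.10.30.9 are constructed sample addresses.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """True if addr matches base under an IOS wildcard (1 bits = don't care)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def evaluate(acl, src, dst):
    """Return 'permit'/'deny' for one IP packet; acl entries are
    (action, src_base, src_wildcard, dst_base, dst_wildcard), in order."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"  # every IOS ACL ends with an implicit deny ip any any

ANY = ("0.0.0.0", "255.255.255.255")
def host(ip): return (ip, "0.0.0.0")
def net24(ip): return (ip, "0.0.0.255")

# ACL vlan-101 from the first reply, applied "in" on interface Vlan101.
VLAN101_IN = [
    ("permit", *host("10.10.30.2"), *net24("10.10.18.0")),
    ("deny", *net24("10.10.30.0"), *net24("10.10.18.0")),
    ("permit", *ANY, *ANY),
]
# vlan-50 ACL with wildcard 0.0.0.0 on the server subnet: matches only 10.10.18.0 itself.
VLAN50_IN_WRONG_WILDCARD = [
    ("permit", "10.10.18.0", "0.0.0.0", *host("10.10.30.2")),
    ("permit", "10.10.18.0", "0.0.0.0", *host("10.10.14.2")),
]
# The same ACL with 0.0.0.255, covering every server in 10.10.18.0/24.
VLAN50_IN = [
    ("permit", *net24("10.10.18.0"), *host("10.10.30.2")),
    ("permit", *net24("10.10.18.0"), *host("10.10.14.2")),
]

def inbound_verdicts():
    """Verdicts for the flows in the thread (hosts .7 and .9 are constructed)."""
    return {
        # Flows entering Vlan101 are filtered by vlan-101 "in" as intended.
        "wifi_host_to_server": evaluate(VLAN101_IN, "10.10.30.2", "10.10.18.7"),
        "other_wifi_to_server": evaluate(VLAN101_IN, "10.10.30.9", "10.10.18.7"),
        # A flow *originating* in VLAN 50 enters Vlan50, not Vlan101, so only an
        # ACL applied "in" on Vlan50 can stop it; here it hits the implicit deny.
        "server_to_other_wifi": evaluate(VLAN50_IN, "10.10.18.7", "10.10.30.9"),
        "server_to_wifi_host": evaluate(VLAN50_IN, "10.10.18.7", "10.10.30.2"),
        "server_to_wifi_host_wrong_wildcard": evaluate(VLAN50_IN_WRONG_WILDCARD, "10.10.18.7", "10.10.30.2"),
    }
```

Because the ACLs are stateless, both directions need their own "in" ACL (on Vlan101/Vlan99 and on Vlan50) for the isolation to hold in both directions.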

Hi all

I have a Cat 3750, LAN Base image (L3 switch).

By moving 10.10.18.0/24 (isolated servers) to a ***private VLAN***, can I allow a few IPs of other VLANs to communicate with 10.10.18.0/24?

Here is how I want it:

10.10.30.2 <<<----permit---->>> 10.10.18.0/24 (private vlan)
10.10.14.2 <<<----permit---->>> 10.10.18.0/24 (private vlan)
deny ip any any (all the rest should be denied)

Thanks and regards

srikanth
