12-26-2007 08:00 AM - edited 03-03-2019 08:03 PM
I am using this switch in my lab for testing. There are no other layer 3 devices in my lab besides this switch. If I go ahead and set up my VLANs, can I still use access lists to allow or deny connectivity between different ports (devices) on different VLANs on this layer 3 switch?
Example:
VLAN 1: 192.168.1.1
Device A: 192.168.1.10
VLAN2: 192.168.2.1
Device B: 192.168.2.10
Device C: 192.168.2.11
Device D: 192.168.2.12
How do I restrict access between Device C and Device A? In other words how can I let only Device B in VLAN2 communicate with Device A in VLAN1?
I know how to write the access list but not sure about the exact command. Would it be something like:
access-list 101 permit tcp host 192.168.2.10 host 192.168.1.10
access-list 101 permit ip host 192.168.2.10 host 192.168.1.10
Where do I apply the access-group command?
Or should I use a standard access-list?
And since there is an implicit deny at the end of every access-list, all other nodes on VLAN2 will be denied accessing VLAN2, correct?
Thanks for your help.
12-26-2007 08:06 AM
Hi Friend,
Have a look at this link; I hope this will clear your doubts.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12240se/scg/swacl.htm#wp1285654
Please come back if you have any more doubts.
HTH
Ankur
*Pls rate all helpful posts
12-26-2007 08:07 AM
Configure
access-list 100 permit ip host 192.168.2.10 host 192.168.1.10
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
int vlan 2
ip access-group 100 in
The above access-list will allow device B to talk to only device A and deny all other communications because of the implicit deny at the end.
HTH
Narayan
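To check what the ACL in Narayan's answer actually does before pasting it into a switch, here is an added example (my own code, not from the thread or from Cisco) that parses the two access-list lines, evaluates packets from the OP's devices B, C and D against them with first-match semantics and the implicit deny, and shows which traffic an ACL applied "in" on interface Vlan2 even inspects. The addressing plan is the one the OP posted; the packet-evaluation logic is a simplified model that assumes numbered extended ACL syntax with only "host", "any" and address/wildcard pairs, and ignores ports and TCP flags.

```python
import ipaddress
from dataclasses import dataclass

# The ACL exactly as posted in the answer above (constructed input for this example).
ACL_100 = [
    "access-list 100 permit ip host 192.168.2.10 host 192.168.1.10",
    "access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255",
]

# The OP's lab addressing plan.
DEVICE_A = "192.168.1.10"
VLAN2_HOSTS = {"B": "192.168.2.10", "C": "192.168.2.11", "D": "192.168.2.12"}


@dataclass(frozen=True)
class AddrSpec:
    """An IOS address/wildcard pair. Wildcard bit 1 = don't care, 0 = must match."""
    addr: int
    wildcard: int

    def matches(self, ip: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(ip)) & care) == (self.addr & care)


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip", "tcp", "udp", "icmp"
    src: AddrSpec
    dst: AddrSpec


def parse_addr(tokens, i):
    """Parse one address spec at tokens[i]; returns (AddrSpec, index after it)."""
    tok = tokens[i]
    if tok == "host":
        return AddrSpec(int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    if tok == "any":
        return AddrSpec(0, 0xFFFFFFFF), i + 1
    addr = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return AddrSpec(addr, wildcard), i + 2


def parse_acl(lines):
    """Parse 'access-list <num> <permit|deny> <proto> <src> <dst>' lines in order."""
    aces = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            raise ValueError(f"not an extended access-list line: {line!r}")
        action, proto = t[2], t[3]
        src, i = parse_addr(t, 4)
        dst, _ = parse_addr(t, i)
        aces.append(Ace(action, proto, src, dst))
    return aces


def evaluate(aces, proto, src_ip, dst_ip):
    """First matching ACE wins. Returns (action, ace_index); index None means the
    packet fell off the end and hit the implicit deny."""
    for idx, ace in enumerate(aces):
        if ace.proto not in ("ip", proto):
            continue
        if ace.src.matches(src_ip) and ace.dst.matches(dst_ip):
            return ace.action, idx
    return "deny", None


# 'ip access-group 100 in' on interface Vlan2 inspects packets entering the switch
# from VLAN 2 hosts only; packets sourced in VLAN 1 are never seen by this ACL.
VLAN2_NET = AddrSpec(int(ipaddress.IPv4Address("192.168.2.0")), 0x000000FF)


def filtered_by_vlan2_inbound(src_ip):
    return VLAN2_NET.matches(src_ip)


def vlan2_inbound_results():
    """Which VLAN 2 hosts may send TCP to device A through ACL 100."""
    aces = parse_acl(ACL_100)
    return {name: evaluate(aces, "tcp", ip, DEVICE_A)[0] for name, ip in VLAN2_HOSTS.items()}


if __name__ == "__main__":
    for name, verdict in vlan2_inbound_results().items():
        print(f"device {name} -> device A: {verdict}")
    print("A-sourced packets checked by this ACL:", filtered_by_vlan2_inbound(DEVICE_A))
```

Running it gives permit for B and deny for C and D, which is what the answer says. The last line shows the caveat a practitioner should keep in mind: an inbound ACL on Vlan2 never looks at packets device A sends toward C or D. TCP sessions A starts still fail because C's replies enter on Vlan2 and are dropped, but one-way traffic from A (a UDP stream, for instance) passes; to filter that direction explicitly, a second ACL applied "in" on interface Vlan1 is needed.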