VLAN Security on a 3560 switch

spahlavan · ‎12-26-2007

I am using this switch in my lab for testing. There are no other layer 3 devices in my lab besided this switch. if I go ahead and set up my VLANs, can I still use access lists to allow or deny connectivity between different ports (devices) on different VLANs on this layer3 switch?

Example:

VLAN 1: 192.168.1.1

Device A: 192.168.1.10

VLAN2: 192.168.2.1

Device B: 192.168.2.10

Device C: 192.168.2.11

Device D: 192.168.2.12

How do I restrict access between Device C and Device A? In other words how can I let only Device B in VLAN2 communicate with Device A in VLAN1?

I know how to write the access list but not sure about the exact command. Would it be something like:

Access-list 101 extended permit tcp 192.168.2.10 192.68.1.10

Access-list 101 extended permit ip192.168.2.10 192.68.1.10

Where do I apply the access-group command?

Or should I use a standard access-list?

And since there is an implicit deny at the end of every access-list, all other nodes on VLAN2 will be denied accessing VLAN2, correct?

Thanks for your help.

ankbhasi · ‎12-26-2007

Hi Friend,

Have a look at this link and I hope this will clear your doubts

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12240se/scg/swacl.htm#wp1285654

Please come back if you have any more doubts.

HTH

Ankur

*Pls rate all helpfull post

royalblues · ‎12-26-2007

Configure

access-list 100 permit ip host 192.168.2.10 host 192.168.1.10

access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

int vlan 2

ip access-group 100 in

The above access-list will allow device B to talk to only device A and deny all other communications because of the implicit deny at the end

HTH

Narayan