Solved

Intervlan routing and access-lists

Posted on 2007-04-03
Last Modified: 2010-04-17
Hi experts

I have a small problem I need to resolve.

I have 2 3750s (stacked) configured with 4 VLANs. The default VLAN 302 has the IP 192.168.1.2.
The other VLANs, 303 and 304, have IP addresses 192.70.20.2 and 192.70.10.2 respectively. I have a PDC (192.168.1.5) and an email server (192.168.1.6) connected on the 302 VLAN.
Here is my problem.  I need for all computers, regardless of VLAN to be able to connect to those servers for user authentication and email.
However, workstations on the 304 vlan are not to see any other computers on the 302 vlan.  ALL workstations on the 302 vlan are to have access to all workstations on the 303 and 304.

Is this possible, and what would be the configuration/access-lists for this setup?
Question by:hlusher
3 Comments

Expert Comment

by:lrmoore
ID: 18846798
You can't have it both ways
>workstations on the 304 vlan are not to see any other computers on the 302 vlan
>ALL workstations on the 302 vlan are to have access to all workstations on the 303 and 304

304 can easily be locked into only seeing the two 302 servers with an acl, but once you do that, then you block all communications with every other workstation on 302 from seeing 304.
Remember that TCP is 2-way communications. You can't block it one way and not the other without breaking it.
Access between subnets should be controlled by AD group policies and not by acls on the switch.

Author Comment

by:hlusher
ID: 18890343
Is it possible then to have all workstations on the 304 VLAN denied access to 1 particular server on the 302 VLAN?

Accepted Solution

by:lrmoore (earned 500 total points)
ID: 18892963
Sure...
ip access-list extended vlan304
 ! source: the VLAN 304 subnet (wildcard 0.0.0.255); destination: the one server on VLAN 302
 deny ip 192.70.10.0 0.0.0.255 host 192.168.1.x
 ! everything else, including the PDC and mail server, stays reachable
 permit ip any any

interface vlan304
 ! filter traffic entering the switch from VLAN 304 hosts
 ip access-group vlan304 in
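As an added illustration of the two comments above (not code from the thread), this Python model evaluates the accepted ACL and the "hide all of VLAN 302 except the two servers" variant against constructed sample flows, and shows why a TCP session from a 302 workstation into 304 dies under the second one. It assumes 192.168.1.9 stands in for the 192.168.1.x placeholder and that only SVI vlan304 carries an ACL.

```python
from ipaddress import IPv4Address


def wildcard_match(addr, net, wildcard):
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, net, wildcard))
    return (a | w) == (n | w)


ANY = ("0.0.0.0", "255.255.255.255")
VLAN304 = ("192.70.10.0", "0.0.0.255")   # VLAN 304 subnet from the question
DENIED_SERVER = "192.168.1.9"            # constructed stand-in for 192.168.1.x

# Accepted solution: one server denied, everything else permitted.
ACL_ONE_SERVER = [
    ("deny",   VLAN304, (DENIED_SERVER, "0.0.0.0")),
    ("permit", ANY, ANY),
]

# The variant lrmoore warns about: only the PDC and mail server on 302 reachable.
ACL_WHOLE_302 = [
    ("permit", VLAN304, ("192.168.1.5", "0.0.0.0")),   # PDC
    ("permit", VLAN304, ("192.168.1.6", "0.0.0.0")),   # mail server
    ("deny",   VLAN304, ("192.168.1.0", "0.0.0.255")),  # rest of VLAN 302
    ("permit", ANY, ANY),
]


def evaluate(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, (sn, sw), (dn, dw) in acl:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"


def forward(acl, src, dst):
    """Only packets entering the switch on SVI vlan304 (sourced in 304) are
    filtered; the other SVIs carry no ACL in this model (an assumption)."""
    if wildcard_match(src, *VLAN304):
        return evaluate(acl, src, dst)
    return "permit"


def tcp_session_ok(acl, client, server):
    """A TCP handshake needs the SYN (client->server) and the SYN-ACK
    (server->client) to pass, so both directions are checked."""
    return (forward(acl, client, server) == "permit"
            and forward(acl, server, client) == "permit")
```

With ACL_WHOLE_302 a 302 workstation's SYN leaves freely, but the SYN-ACK from the 304 host enters vlan304 and hits the deny, which is the "can't have it both ways" point in the first comment.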
