Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Intervlan routing and access-lists

Posted on 2007-04-03
3
Medium Priority
?
252 Views
Last Modified: 2010-04-17
Hi experts

have a small problem i need to resovle.

I have 2-3750 (stacked) configured with 4 vlans. The default vlan302 has an ip 192.168.1.2
The other VLANS, 303 and 304 has IP addresses 192.70.20.2 and 192.70.10.2 respectively.  I have a PDC (192.168.1.5)  and an email server (192.168.1.6) connected on the 302 VLAN.
Here is my problem.  I need for all computers, regardless of VLAN to be able to connect to those servers for user authentication and email.
However, workstations on the 304 vlan are not to see any other computers on the 302 vlan.  ALL workstations on the 302 vlan are to have access to all workstations on the 303 and 304.

Is this possible?  and what would be the configuration/ access-lists for this configuration?
0
Comment
Question by:hlusher
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 18846798
You can't have it both ways
 >workstations on the 304 vlan are not to see any other computers on the 302 vlan
>ALL workstations on the 302 vlan are to have access to all workstations on the 303 and 304

304 can easily be locked into only seeing the two 302 servers with an acl, but once you do that, then you block all communications with every other workstation on 302 from seeing 304.
Remember that TCP is 2-way communications. You can't block it one way and not the other without breaking it.
Access between subnets should be controlled by AD group policies and not by acls on the switch.
0
 

Author Comment

by:hlusher
ID: 18890343
Is it possible then to have all workstations on the 304 VLan denied access to 1 particular server on the 302 VLAN?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 1000 total points
ID: 18892963
Sure...
access-list extended vlan304
 deny ip 192.70.10.0 0.0.0.255 host 192.168.1.x
 permit ip any any

interface vlan304
 access-group vlan304 in
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Problem Description:   Couple of months ago we upgraded the ADSL line at our branch office from Home to Business line. The purpose of transforming the service to have static public IP’s. We were in need for public IP’s to publish our web resour…
This article will show how Aten was able to supply easy management and control for Artear's video walls and wide range display configurations of their newsroom.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

660 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question