Solved

Intervlan routing and access-lists

Posted on 2007-04-03
Last Modified: 2010-04-17
Hi experts

I have a small problem I need to resolve.

I have two 3750s (stacked) configured with 4 VLANs. The default VLAN 302 has the IP 192.168.1.2.
The other VLANs, 303 and 304, have the IP addresses 192.70.20.2 and 192.70.10.2 respectively. I have a PDC (192.168.1.5) and an email server (192.168.1.6) connected on the 302 VLAN.
Here is my problem. I need all computers, regardless of VLAN, to be able to connect to those servers for user authentication and email.
However, workstations on the 304 VLAN are not to see any other computers on the 302 VLAN. ALL workstations on the 302 VLAN are to have access to all workstations on 303 and 304.

Is this possible? And what would be the configuration/access-lists for this?
Question by: hlusher

Expert Comment by: lrmoore (ID: 18846798)
You can't have it both ways.
> workstations on the 304 vlan are not to see any other computers on the 302 vlan
> ALL workstations on the 302 vlan are to have access to all workstations on the 303 and 304

304 can easily be locked into only seeing the two 302 servers with an ACL, but once you do that, you block every other workstation on 302 from seeing 304.
Remember that TCP is 2-way communication. You can't block it one way and not the other without breaking it.
Access between subnets should be controlled by AD group policies and not by ACLs on the switch.

Author Comment by: hlusher (ID: 18890343)
Is it possible, then, to have all workstations on the 304 VLAN denied access to one particular server on the 302 VLAN?

Accepted Solution by: lrmoore (earned 500 total points; ID: 18892963)
Sure...
ip access-list extended vlan304
 remark 192.168.1.x = the one 302 server that vlan304 must not reach
 deny ip 192.70.10.0 0.0.0.255 host 192.168.1.x
 permit ip any any
!
interface vlan304
 ip access-group vlan304 in
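The two ACLs discussed in this thread, evaluated against the question's topology, as an added example that is not part of the original posts and not Cisco code. It models only what a stateless extended ACL applied "in" on the vlan304 SVI sees (packets sourced by vlan304 hosts), using constructed workstation addresses, and it assumes the "192.168.1.x" of the accepted solution stands for the mail server 192.168.1.6. The first ACL is the "lock 304 down to the two servers" variant from the first expert comment; the second is the accepted solution. The session check shows why the first breaks a 302 workstation's connection to a 304 workstation (the SYN-ACK coming back from vlan304 is dropped) while the second does not.

```python
"""Stateless evaluation of IOS-style extended ACLs for the thread's topology.

Constructed addresses (from the question): vlan302 = 192.168.1.0/24 with the
PDC at .5 and the mail server at .6; vlan303 = 192.70.20.0/24;
vlan304 = 192.70.10.0/24. Workstation addresses are made up, and 192.168.1.6
stands in for the "192.168.1.x" of the accepted solution (an assumption).
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_addr(tokens):
    """Consume one IOS address spec ('any', 'host A.B.C.D', or
    'A.B.C.D WILDCARD') and return ((base, wildcard), remaining tokens).
    Wildcard 1-bits are "don't care" bits, the inverse of a subnet mask."""
    if tokens[0] == "any":
        return (0, ALL_ONES), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def parse_acl(text):
    """Parse the entries of an 'ip access-list extended' block.
    Only 'permit|deny ip SRC DST' is supported, which is all this thread
    uses; 'remark' and '!' lines are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("!", "remark"):
            continue
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError("unsupported ACE: " + line)
        src, rest = parse_addr(tokens[2:])
        dst, rest = parse_addr(rest)
        if rest:
            raise ValueError("trailing tokens in ACE: " + line)
        aces.append((action, src, dst))
    return aces


def matches(spec, addr):
    base, wildcard = spec
    care = ~wildcard & ALL_ONES          # bits the entry actually compares
    return (addr & care) == (base & care)


def evaluate(aces, src, dst):
    """First matching entry wins; an ACL ends with an implicit 'deny ip any any'."""
    s, d = _ip(src), _ip(dst)
    for action, src_spec, dst_spec in aces:
        if matches(src_spec, s) and matches(dst_spec, d):
            return action
    return "deny"


VLAN304 = ipaddress.IPv4Network("192.70.10.0/24")

# The variant the first expert comment describes: vlan304 may reach only the
# two servers on vlan302.
LOCKDOWN_304 = parse_acl("""
 permit ip 192.70.10.0 0.0.0.255 host 192.168.1.5
 permit ip 192.70.10.0 0.0.0.255 host 192.168.1.6
 deny   ip 192.70.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
""")

# The accepted solution, with 192.168.1.6 substituted for 192.168.1.x.
ACCEPTED_304 = parse_acl("""
 deny   ip 192.70.10.0 0.0.0.255 host 192.168.1.6
 permit ip any any
""")


def tcp_session_works(acl, client, server):
    """Can a TCP session from client to server complete with `acl` applied
    'in' on interface vlan304? Both the client's SYN and the server's SYN-ACK
    must get through. An inbound SVI ACL only sees packets that vlan304 hosts
    send into the switch, so a packet sourced elsewhere is never checked."""
    for src, dst in ((client, server), (server, client)):
        if ipaddress.IPv4Address(src) in VLAN304 and evaluate(acl, src, dst) == "deny":
            return False
    return True


if __name__ == "__main__":
    cases = [
        ("lockdown: 304 ws -> PDC", LOCKDOWN_304, "192.70.10.20", "192.168.1.5"),
        ("lockdown: 302 ws -> 304 ws", LOCKDOWN_304, "192.168.1.50", "192.70.10.20"),
        ("accepted: 304 ws -> PDC", ACCEPTED_304, "192.70.10.20", "192.168.1.5"),
        ("accepted: 304 ws -> mail", ACCEPTED_304, "192.70.10.20", "192.168.1.6"),
        ("accepted: 302 ws -> 304 ws", ACCEPTED_304, "192.168.1.50", "192.70.10.20"),
    ]
    for label, acl, client, server in cases:
        print(f"{label}: {'works' if tcp_session_works(acl, client, server) else 'blocked'}")
```

Two practical points the model makes visible: the ACL only filters traffic routed through the vlan304 SVI, so hosts inside the same VLAN are unaffected and vlan303 hosts are not filtered at all; and because the accepted ACL ends in `permit ip any any`, every destination other than the one denied host stays reachable from vlan304, which is exactly the narrower requirement the author settled on.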