Intervlan routing and access-lists

Posted on 2007-04-03
Last Modified: 2010-04-17
Hi experts

I have a small problem I need to resolve.

I have two 3750s (stacked) configured with 4 VLANs. The default VLAN 302 has an IP of 192.168.1.2.
The other VLANs, 303 and 304, have IP addresses 192.70.20.2 and 192.70.10.2 respectively.  I have a PDC (192.168.1.5) and an email server (192.168.1.6) connected on the 302 VLAN.
Here is my problem.  I need for all computers, regardless of VLAN to be able to connect to those servers for user authentication and email.
However, workstations on the 304 VLAN are not to see any other computers on the 302 VLAN.  ALL workstations on the 302 VLAN are to have access to all workstations on 303 and 304.

Is this possible, and what would be the configuration/access-lists for it?
Question by:hlusher
3 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 18846798
You can't have it both ways:
> workstations on the 304 vlan are not to see any other computers on the 302 vlan
> ALL workstations on the 302 vlan are to have access to all workstations on the 303 and 304

304 can easily be locked into only seeing the two 302 servers with an ACL, but once you do that, you block every other workstation on 302 from seeing 304.
Remember that TCP is 2-way communication. You can't block it one way and not the other without breaking it.
Access between subnets should be controlled by AD group policies and not by ACLs on the switch.

Author Comment

by:hlusher
ID: 18890343
Is it possible then to have all workstations on the 304 VLAN denied access to 1 particular server on the 302 VLAN?
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
ID: 18892963
Sure...
! named extended ACL; the "ip" keyword is required for named ACLs on IOS
ip access-list extended vlan304
 ! drop traffic from the 304 subnet to the one server (fill in its last octet)
 deny ip 192.70.10.0 0.0.0.255 host 192.168.1.x
 ! everything else from 304 is still allowed
 permit ip any any

! apply it inbound on the 304 SVI, i.e. to traffic arriving from 304 hosts
interface vlan304
 ip access-group vlan304 in
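The two answers above only show the single-host deny. As an added example (my own, not part of lrmoore's answer or the questioner's switch config), the configuration below locks VLAN 304 down to the two VLAN 302 servers from the question while still letting a TCP session that a 302 host opened towards 304 get its replies back. It assumes the subnets from the question (304 = 192.70.10.0/24, 302 = 192.168.1.0/24, servers 192.168.1.5 and 192.168.1.6), that the 3750 stack is the inter-VLAN router, and that your IOS release accepts the `established` keyword in a router ACL; the ACL name VLAN304-IN is mine.

```cisco
! Added example, not from the original thread. Addresses are taken from the
! question; the ACL name and the use of "established" are my assumptions.
!
ip access-list extended VLAN304-IN
 remark 1. PDC and mail server on VLAN 302 are always reachable from 304
 permit ip 192.70.10.0 0.0.0.255 host 192.168.1.5
 permit ip 192.70.10.0 0.0.0.255 host 192.168.1.6
 remark 2. TCP segments with ACK or RST set are replies to sessions that a
 remark    302 host opened towards 304, so 302 can still reach 304 over TCP
 permit tcp 192.70.10.0 0.0.0.255 192.168.1.0 0.0.0.255 established
 remark 3. let 304 answer pings that came from 302
 permit icmp 192.70.10.0 0.0.0.255 192.168.1.0 0.0.0.255 echo-reply
 remark 4. anything else from 304 towards the rest of 302 is dropped
 deny   ip 192.70.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark 5. 304 to 303, to the Internet, etc. is unchanged
 permit ip any any
!
! inbound on the 304 SVI = traffic sourced by 304 hosts
interface Vlan304
 ip access-group VLAN304-IN in
!
! Check it is doing what you expect:
!   show ip access-lists VLAN304-IN            (per-line hit counters)
!   show running-config interface Vlan304      (ACL actually applied)
```

The `established` line is what makes the two directions asymmetric: a 304 host opening a new connection sends a SYN with no ACK, which falls through to the deny, while its replies to a 302-initiated session carry ACK and are permitted. Note this is a flag check, not connection tracking, so a 304 host can still send ACK-only probes into 302, and UDP traffic from 302 to 304 gets no replies back unless you add a matching permit. Also note that line 4 is a deny only towards 192.168.1.0/24, so the same ACL does not affect 304's access to VLAN 303.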