Intervlan routing and access-lists

Posted on 2007-04-03
Last Modified: 2010-04-17
Hi experts

I have a small problem I need to resolve.

I have 2-3750 (stacked) configured with 4 VLANs. The default VLAN 302 has the IP 192.168.1.2.
The other VLANs, 303 and 304, have IP addresses 192.70.20.2 and 192.70.10.2 respectively. I have a PDC (192.168.1.5) and an email server (192.168.1.6) connected on the 302 VLAN.
Here is my problem. I need all computers, regardless of VLAN, to be able to connect to those servers for user authentication and email.
However, workstations on the 304 VLAN are not to see any other computers on the 302 VLAN. ALL workstations on the 302 VLAN are to have access to all workstations on 303 and 304.

Is this possible, and what would be the configuration/access-lists for this setup?
Question by:hlusher
3 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 18846798
You can't have it both ways
>workstations on the 304 vlan are not to see any other computers on the 302 vlan
>ALL workstations on the 302 vlan are to have access to all workstations on the 303 and 304

304 can easily be locked into only seeing the two 302 servers with an acl, but once you do that, then you block all communications with every other workstation on 302 from seeing 304.
Remember that TCP is 2-way communications. You can't block it one way and not the other without breaking it.
Access between subnets should be controlled by AD group policies and not by acls on the switch.

Author Comment

by:hlusher
ID: 18890343
Is it possible then to have all workstations on the 304 VLan denied access to 1 particular server on the 302 VLAN?

Accepted Solution

by:lrmoore (earned 500 total points)
ID: 18892963
Sure...
ip access-list extended vlan304
 ! drop traffic from the 304 subnet to the one server (x = that server's host address)
 deny ip 192.70.10.0 0.0.0.255 host 192.168.1.x
 ! everything else, including the PDC and mail server, stays reachable
 permit ip any any

interface Vlan304
 ! filter packets as they enter the 304 SVI, i.e. traffic sourced from 304
 ip access-group vlan304 in
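For the case lrmoore describes in his first comment (304 locked down to only the two 302 servers), here is an added IOS example, not from the thread; it assumes /24 masks on every VLAN and the server addresses given in the question:

```cisco
! Added example, not the poster's config. Assumes /24 on each VLAN and
! PDC = 192.168.1.5, mail = 192.168.1.6 as stated in the question.
ip access-list extended vlan304-in
 remark 304 workstations may reach the PDC and the mail server
 permit ip 192.70.10.0 0.0.0.255 host 192.168.1.5
 permit ip 192.70.10.0 0.0.0.255 host 192.168.1.6
 remark Block the rest of VLAN 302. Side effect noted above: 304 can no
 remark longer answer sessions opened by 302 workstations either.
 remark "log" is optional; it sends each hit to syslog for review.
 deny   ip 192.70.10.0 0.0.0.255 192.168.1.0 0.0.0.255 log
 remark 304 <-> 303 and anything else is left untouched
 permit ip any any
!
interface Vlan304
 ip access-group vlan304-in in
!
! Check the per-line hit counters after applying:
! show ip access-lists vlan304-in
```

Because the ACL sits on the SVI, it only filters routed traffic; hosts inside VLAN 304 still talk to each other at layer 2.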
