VLAN Security Configuration/ACL 500 Pts.

I have a VLAN built for the security cameras in my school, VLAN 100. I also have a VLAN for all the student-use computers, VLAN 200. I would like to build a rule that denies all VLAN 200 computers access to VLAN 100. I would also like to allow specific ports from other VLANs access to the camera VLAN (Superintendent, principals, etc.). I have heard this can be accomplished through the use of ACLs but need an example. Let me know if I am missing any pertinent information.
cantonee asked:

Don Johnston (Instructor) commented:
No, the commands are entered as shown.

"ip access-group 1 out" applies access-list 1 outbound on the VLAN 100 interface. Any traffic exiting that interface is subject to the statements in that access-list.
Don Johnston (Instructor) commented:
This assumes VLAN 200 IP addresses are 192.168.200.0/24 and that the allowed devices are 192.168.300.7 and 8.


! Standard ACL 1: matches on source address only, first match wins
access-list 1 deny 192.168.200.0 0.0.0.255
! Only these two hosts are allowed through; everything not listed is
! dropped by the implicit deny at the end of every access list
access-list 1 permit host 192.168.300.7
access-list 1 permit host 192.168.300.8
! Apply the list to traffic leaving the VLAN 100 SVI (i.e. going into VLAN 100)
int vlan 100
 ip access-group 1 out

cantonee (author) commented:
This is all configured on the VLAN "server"
Don Johnston (Instructor) commented:
What do you mean by "VLAN server"?
cantonee (author) commented:
So, if I build this on the switch I configure all my VLANs on, it will push the updated information out to the rest of them via the trunking/VTP? Thanks
Don Johnston (Instructor) commented:
No.

This ACL is being applied to the layer 3 interface on the switch(es) that are routing the traffic between the VLANs. If you have more than one multilayer switch that is routing between VLANs, you will have to configure all of those switches.
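Putting the two answers above together (the ACL lives on the layer 3 SVI, and it has to be configured on every switch that routes between the VLANs), the following is a complete configuration written as an added example; it is not the thread's own config. It uses extended named ACLs instead of standard ACL 1 so that the rule can match on destination as well as source, and the addresses are assumed placeholders with every octet kept within the valid 0-255 range: cameras on 192.168.100.0/24, student PCs on 192.168.200.0/24, and the two permitted administrative hosts at 192.168.10.7 and 192.168.10.8 on some other VLAN.

```cisco
! Added example, not the thread's own config. Assumed addressing:
!   VLAN 100 (cameras)        192.168.100.0/24
!   VLAN 200 (student PCs)    192.168.200.0/24
!   Permitted admin hosts     192.168.10.7 and 192.168.10.8
!
! Option A: filter on the camera SVI, outbound (the placement used above).
! Only the two admin hosts may reach the cameras; every other source,
! VLAN 200 included, is dropped by the explicit deny at the end (which
! also logs the attempt; an implicit "deny ip any any" would drop it too).
ip access-list extended CAMERA-VLAN-OUT
 permit ip host 192.168.10.7 192.168.100.0 0.0.0.255
 permit ip host 192.168.10.8 192.168.100.0 0.0.0.255
 deny   ip any any log
!
interface Vlan100
 ip access-group CAMERA-VLAN-OUT out
!
! Option B: filter on the student SVI, inbound, so camera-bound packets are
! dropped before they are routed. This blocks only VLAN 200 -> VLAN 100 and
! leaves the students' other traffic alone; the closing "permit ip any any"
! is required, otherwise the implicit deny would cut the students off.
ip access-list extended STUDENT-VLAN-IN
 deny   ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255 log
 permit ip any any
!
interface Vlan200
 ip access-group STUDENT-VLAN-IN in
```

Use one option or the other, not both, and repeat it on each multilayer switch that has these SVIs. Option A is the stricter of the two: because of the closing deny, hosts on every VLAN other than the two listed addresses lose access to the cameras, which is what the original standard ACL 1 also does through its implicit deny. Option B matches the question as literally asked (block the students only). In both cases the ACL only filters traffic being routed through the SVI; it does not stop camera-originated traffic, and it does not apply to hosts inside VLAN 100 talking to each other at layer 2. After configuring, `show access-lists` shows per-entry hit counters, and `show ip interface Vlan100` confirms which list is applied in which direction.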
cantonee (author) commented:
Okay, I see. On your suggested config, are you saying that the full command on step 4 will be "access-list 1 permit int vlan 100"? I understand the rest except for the "ip access-group 1 out". What does this refer to? Thanks for your help. I was recently thrown into the VLAN world with the adoption of a Cisco Wireless Controller!
cantonee (author) commented:
Thanks a million, or 500 anyway.