How to prevent users in VLAN 10 from accessing VLAN 1 but not vice versa

Hello Experts,

I have created a VLAN 10 on my router and switch. Currently all users in VLAN 10 are able to access VLAN 1.

Is it possible to block VLAN 10 users from accessing VLAN 1 but allow VLAN 1 users to access VLAN 10?

Here is my router VLAN config

interface FastEthernet0/0
 description LAN Interface (VLAN 1)
 ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 speed auto
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address
 ip nat inside
 no cdp enable

From memory you can specify access control lists for VLANs, so I've done a Google search, but I'm a bit too tired to make sense of it at the moment, so here's one of the links I've found, and I will have another look when I've had some sleep :)
I have just had another look and found this thread where someone seems to be attempting to do the same as you
With a combination of an ACL and CBAC you should be able to get it working.

You use the ACL to block traffic, however, CBAC adds temporary ACL rules that override your existing ACL in order to allow returning traffic to the originating host.

e.g. You have an ACL blocking all traffic from VLAN 10 to VLAN 1, but a host in VLAN 1 wants to get to VLAN 10. Because of the ACL, the VLAN 10 host will not be able to send the requested data to the host on VLAN 1 because the ACL will drop it. However, if you enable CBAC, when VLAN 1 requests data from VLAN 10, the router will automatically add an ACL line on top of your existing ACL specifying that the VLAN 10 host's traffic can go through to the VLAN 1 host, but all other traffic is still blocked.


You need to use an access-list in combination with "ip inspect"; it shouldn't be too hard to configure.
katredrum (Author) commented:
Can anyone show me the commands I need to enter in order to do this?
This should work.
The first statement denies any traffic from the 10.0 network to the 1.1 network; the second command allows all other traffic to pass through unfiltered. Then you have to apply the ACL with the ip access-group command.

! source and destination networks (and their wildcard masks) were stripped from the post
access-list 120 deny ip
! "permit ip any any": the protocol keyword is required in an extended ACL
access-list 120 permit ip any any

interface fa0/0.10
 ! "in" filters what VLAN 10 hosts send into the router;
 ! "out" on this subinterface would only filter traffic heading towards VLAN 10
 ip access-group 120 in
The ACL above is a bit incorrect because of the .1 at the end of each of the IPs. You'd need to replace them with 0.

That will block return traffic, so as per my post above, you need CBAC (aka ip inspect) to allow the return traffic through.
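As an added example (not posted by anyone in this thread), here is a complete IOS configuration that puts the two pieces from the answers above together: the ACL that drops VLAN 10 to VLAN 1 traffic, and the CBAC (ip inspect) rule that opens temporary return paths for sessions that VLAN 1 hosts start. The addresses were stripped from the original post, so the subnets (192.168.1.0/24 for VLAN 1, 192.168.10.0/24 for VLAN 10) and the names VLAN1-OUTBOUND and VLAN10-IN are assumptions.

```cisco
! Assumed addressing (not given on the page):
!   VLAN 1  = 192.168.1.0/24  on FastEthernet0/0
!   VLAN 10 = 192.168.10.0/24 on FastEthernet0/0.10
!
! 1. CBAC inspection rule. Sessions matched here are tracked in the state
!    table, and CBAC adds temporary permit entries in front of the ACL below
!    so the replies from VLAN 10 get back to the VLAN 1 host that asked.
ip inspect name VLAN1-OUTBOUND tcp
ip inspect name VLAN1-OUTBOUND udp
! ICMP inspection needs a release that supports it; if the line is rejected,
! drop it and add an explicit "permit icmp ... echo-reply" to the ACL instead.
ip inspect name VLAN1-OUTBOUND icmp
!
! 2. Extended ACL applied INBOUND on the VLAN 10 subinterface, i.e. it is
!    evaluated on traffic that VLAN 10 hosts send into the router.
ip access-list extended VLAN10-IN
 remark Drop anything VLAN 10 originates towards VLAN 1
 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark Everything else (Internet via NAT, the router's own VLAN 10 address) stays allowed
 permit ip any any
!
interface FastEthernet0/0
 description LAN Interface (VLAN 1)
 ! Inspect sessions as VLAN 1 hosts open them...
 ip inspect VLAN1-OUTBOUND in
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ! ...and filter what VLAN 10 sends, apart from the CBAC-opened return paths
 ip access-group VLAN10-IN in
```

To check it, start a connection from a VLAN 1 host to a VLAN 10 host and look at `show ip inspect sessions`; the session should appear there and the connection should work. The reverse direction (VLAN 10 host to VLAN 1 host) should fail, and `show ip access-lists VLAN10-IN` should show the deny counter climbing. Note that the deny covers only the 192.168.1.0/24 range, so VLAN 10 hosts can still reach the router's own FastEthernet0/0.10 address for DHCP and DNS; if the router has other interfaces you do not want VLAN 10 to reach, add deny lines for them before the final permit.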
katredrum (Author) commented:
Thanks, I needed an ACL and ip inspect. You guys were right on the point.
Thanks for the points.

If you have any issues with configuring this setup, please take a look at my blog entry here:

It is complete with diagrams and configurations.

If you need any more assistance, or if the blog entry is not clear enough, drop me an e-mail or comment on the blog entry and I will clear it up.

I should have mentioned that my e-mail address is :)