How to Prevent user's in VLAN 10 from Aceessing VLAN 1 but not vice-versa

Hello Experts,

I have created a VLAN 10 on my router and switch. Currently all users in VLAN 10 is able to access VLAN 1.

Is it possible to block VLAN 10 users from accessing VLAN 1 but allow VLAN 1 users to access VLAN 10?

Here is my router VLAN config

interface FastEthernet0/0
 description LAN Interface (VLAN 1)
 ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 speed auto
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address
 ip nat inside
 no cdp enable
Who is Participating?
OzNetNerdConnect With a Mentor Commented:
With a combination of an ACL and CBAC you should be able to get it working.

You use the ACL to block traffic, however, CBAC adds temporary ACL rules that override your existing ACL in order to allow returning traffic to the originating host.

e.g You have an ACL blocking all traffic from VLAN 10 to VLAN, but a host in VLAN 1 wants to get to VLAN 10. Because of the ACL, the VLAN 10 host will not be able to send the requested data to the host on VLAN 1 because the ACL will drop it. However, if you enable CBAC, when VLAN 1 requests data from VLAN 10, the router will automatically add an ACL line on top of your existing ACL specifying that the VLAN10 host's traffic can go through to the VLAN 1 host, but all other traffic is still blocked.
From memory you can specify Access control lists for VLAN's so ive done a google, but i m a bit to tired to make sense of it at the moment so heres one of the links i ve found and i will have another look when i ve had some sleep :)
I have just had another look and found this thread where someone seems to be attempting to do the same as you
Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

sidetrackedConnect With a Mentor Commented:
u need to use an access-list in combination with "ip inspect"  it shouldn't be to hard to configure.
katredrumAuthor Commented:
can anyone show me the commands i need to enter in order to do this?
kcohneConnect With a Mentor Commented:
This should work.
First statiement denys any traffic form the 10.0 network to the 1.1 network the second cammand allows all other traffic to pass through unfiltered. Then you have to apply the ACL with ip access-group command

access-list 120 deny ip
access-list 120 permit any any

interface fa0/0.10
ip access-group 120 out
The ACL above is a bit incorrect because of the .1 at the end of each of the IPs. You'd need to replace them with 0.

That will block return traffic, so as per my post above, you need CBAC (aka ip inspect) to allow the return traffic through.
katredrumAuthor Commented:
Thanks, I needed a ACL and ip inspect. You guys were right on the point.
Thanks for the points.

If you have any issues with configuring this setup, please take a look at my blog entry here:

It is complete with diagrams and configurations.

If you need any more assistance, or if the blog entry is not clear enough, drop me an e-mail or comment on the blog entry and I will clear it up.

I should have mentioned that my e-mail address is :)
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.