ACCESS LIST - CISCO 3560 SWITCH

I have 3 VLANs:

VLAN 1   (192.168.1.x)
VLAN 50  (192.168.50.x)
VLAN 51  (192.168.51.x)


VLAN 51 is a guest VLAN. I would like to craft an access list that would restrict it from VLAN 50 and VLAN 1, but allow VLAN 1 to access VLAN 51.

interface Vlan51
 ip access-group 51 in

access-list 51 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 51 permit ip any any log


When applying this access list, VLAN 51 is indeed restricted from VLAN 1 and VLAN 50.

But VLAN 1 can no longer access VLAN 51.
Asked by: yostnet
1 Solution
 
Don Johnston (Instructor) commented:
Except for streaming multicast, traffic is bi-directional. So if you want VLAN 1 to access VLAN 51, then VLAN 51 must be able to access VLAN 1.
yostnet (Author) commented:
Yikes...

OK, no way around that?
 
JFrederick29 commented:
If it is primarily TCP connectivity, you can allow return traffic from VLAN 51 to VLAN 1 using the established option. You can also allow return ICMP traffic only, if desired.

Add to the top of the access-list:

access-list 51 permit tcp any any established   <-- allow return TCP traffic initiated from VLAN 1
access-list 51 permit icmp any any echo-reply   <-- allow return ICMP traffic
access-list 51 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 51 permit ip any any log
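To see how the four entries above behave on a per-packet basis, here is an added Python simulation (not code from this thread or from Cisco IOS). It assumes the list is applied inbound on Vlan51, so every evaluated packet is sourced from a VLAN 51 host, and it models established the way IOS does: a stateless match on TCP segments with ACK or RST set, i.e. everything except the initial SYN.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: access-list 51 as given in the answer, in order.
# Entry = (action, protocol, destination network or "any", qualifier)
ACL_51 = [
    ("permit", "tcp",  "any",            "established"),
    ("permit", "icmp", "any",            "echo-reply"),
    ("deny",   "ip",   "192.168.0.0/16", None),
    ("permit", "ip",   "any",            None),
]

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                            # "tcp", "udp" or "icmp"
    tcp_flags: frozenset = frozenset()    # e.g. {"SYN"} or {"SYN", "ACK"}
    icmp_type: str = ""                   # e.g. "echo" or "echo-reply"

def entry_matches(entry, pkt):
    action, proto, dst, qual = entry
    if proto != "ip" and proto != pkt.proto:
        return False
    if dst != "any" and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(dst):
        return False
    if qual == "established":
        # Stateless: IOS only looks at the flags, it keeps no connection table
        return bool(pkt.tcp_flags & {"ACK", "RST"})
    if qual == "echo-reply":
        return pkt.icmp_type == "echo-reply"
    return True

def evaluate(acl, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry[0]
    return "deny"

if __name__ == "__main__":
    guest = "192.168.51.10"
    samples = [
        ("guest opens TCP to VLAN 1",        Packet(guest, "192.168.1.5", "tcp", frozenset({"SYN"}))),
        ("SYN/ACK back to a VLAN 1 client",   Packet(guest, "192.168.1.5", "tcp", frozenset({"SYN", "ACK"}))),
        ("ping reply to VLAN 50",             Packet(guest, "192.168.50.20", "icmp", icmp_type="echo-reply")),
        ("guest pings VLAN 50",               Packet(guest, "192.168.50.20", "icmp", icmp_type="echo")),
        ("guest browses the Internet",        Packet(guest, "203.0.113.7", "tcp", frozenset({"SYN"}))),
    ]
    for label, pkt in samples:
        print(f"{label:36s} -> {evaluate(ACL_51, pkt)}")
```

Because the match is stateless, any VLAN 51 packet carrying the ACK bit passes the first entry whether or not VLAN 1 started the conversation; that is the trade-off the answer is pointing at, and a stateful firewall or reflexive ACL is the usual way to close it.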
 
yostnet (Author) commented:
Thank you!