
ACCESS LIST - CISCO 3560 SWITCH

yostnet asked:
I have 3 VLANs:

VLAN 1    (192.168.1.x)
VLAN 50  (192.168.50.x)
VLAN 51  (192.168.51.x)


VLAN 51 is a guest VLAN. I would like to craft up an access list that would restrict its access to VLAN 50 and VLAN 1, but allow VLAN 1 to access VLAN 51.

interface Vlan51
 ip access-group 151 in
!
! 151 rather than 51: numbers 100-199 are extended ACLs, which the
! protocol/destination syntax below requires; 1-99 are standard ACLs
! and match on source address only.
access-list 151 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 151 permit ip any any log


When applying this access list, VLAN 51 is indeed restricted from VLAN 1 and VLAN 50, but VLAN 1 can no longer access VLAN 51.

Don Johnston (Instructor, Bronze Expert, Top Expert 2015) commented:
Except for streaming multicast, traffic is bi-directional. So if you want VLAN 1 to access VLAN 51, then VLAN 51 must be able to access VLAN 1.

Author commented:
Yikes...

OK, no way around that?
Top Expert 2009 commented:
If it is primarily TCP connectivity, you can allow return traffic from VLAN 51 to VLAN 1 using the established option. You can also allow return ICMP traffic only, if desired.

Add to the top of the access-list:

! extended ACL number (100-199); the standard range 1-99 cannot match protocol or destination
! allow return TCP traffic for sessions initiated from VLAN 1 (matches segments with ACK/RST set)
access-list 151 permit tcp any any established
! allow return ICMP (ping replies) only
access-list 151 permit icmp any any echo-reply
access-list 151 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 151 permit ip any any log
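
As an added example that is not part of this thread, the following Python model evaluates the answer's access list the way IOS does (first match wins, implicit deny at the end, Cisco wildcard masks, `established` meaning the ACK or RST bit is set) against constructed packets entering the Vlan51 interface. The ACL number 151, the host addresses and the flow names are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:  # constructed packet: only the fields the page's ACL inspects
    proto: str                          # "tcp", "icmp", ...
    dst: str                            # destination IPv4 address
    tcp_flags: frozenset = frozenset()  # e.g. {"SYN"} or {"SYN", "ACK"}
    icmp_type: str = ""                 # e.g. "echo", "echo-reply"

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a, n = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(network))
    return (a & mask) == (n & mask)

ANY = ("0.0.0.0", "255.255.255.255")  # "any" written as network + wildcard
ACL_151 = [  # (action, protocol, dst network, dst wildcard, qualifier), answer's order
    ("permit", "tcp", *ANY, "established"),
    ("permit", "icmp", *ANY, "echo-reply"),
    ("deny", "ip", "192.168.0.0", "0.0.255.255", None),
    ("permit", "ip", *ANY, None),
]

def rule_matches(rule, pkt):
    _, proto, net, wc, qual = rule
    if proto not in ("ip", pkt.proto) or not wildcard_match(pkt.dst, net, wc):
        return False
    if qual == "established":  # IOS: ACK or RST bit set; no connection state is kept
        return bool(pkt.tcp_flags & {"ACK", "RST"})
    if qual == "echo-reply":
        return pkt.icmp_type == "echo-reply"
    return True

def evaluate(acl, pkt):  # first matching entry wins; IOS ends every ACL with implicit deny
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule[0]
    return "deny"

def guest_vlan_results():  # constructed packets entering the Vlan51 SVI (sent by guests)
    syn, synack = frozenset({"SYN"}), frozenset({"SYN", "ACK"})
    flows = {
        "SYN to VLAN 1": Packet("tcp", "192.168.1.10", syn),
        "SYN-ACK reply to VLAN 1": Packet("tcp", "192.168.1.10", synack),
        "ping to VLAN 1": Packet("icmp", "192.168.1.10", icmp_type="echo"),
        "ping reply to VLAN 1": Packet("icmp", "192.168.1.10", icmp_type="echo-reply"),
        "SYN to the Internet": Packet("tcp", "203.0.113.5", syn),
    }
    return {name: evaluate(ACL_151, pkt) for name, pkt in flows.items()}
```

Because `established` only tests TCP flag bits and keeps no connection table, this filter is not equivalent to a stateful firewall; where real session tracking is required, a stateful firewall (or reflexive ACLs on platforms that support them) is the right tool.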

Author commented:
Thank you!
