• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1583

ACCESS LIST - CISCO 3560 SWITCH

I have 3 vlans /

VLAN 1    (192.168.1.x)
VLAN 50  (192.168.50.x)
VLAN 51  (192.168.51.x)


VLAN 51 is a guest vlan / I would like to craft up an access list that would restrict it to VLAN 50 and VLAN 1 / but allow VLAN 1 to access VLAN 51.

interface Vlan51
 ip access-group 51 in
 
access-list 51 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 51 permit ip any any log


When applying this access list, VLAN 51 is indeed restricted from VLAN 1 and VLAN 50, but VLAN 1 can no longer access VLAN 51.
0

Asked by: yostnet

1 Solution
 
Don Johnston (Instructor) commented:
Except for streaming multicast, traffic is bi-directional. So if you want VLAN 1 to access VLAN 51, then VLAN 51 must be able to access VLAN 1.
0
 
yostnet (Author) commented:
yikes...

ok ---- no way around that?
0
 
JFrederick29 commented:
If it is primarily TCP connectivity, you can allow return traffic from vlan51 to vlan1 using the established option. You can also allow return ICMP traffic only if desired.

Add to the top of the access-list:

access-list 51 permit tcp any any established  <--allow return TCP traffic initiated from VLAN1
access-list 51 permit icmp any any echo-reply   <---allow return ICMP traffic
access-list 51 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 51 permit ip any any log
0
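As an added illustration (not code from the thread), here is a small Python model of how IOS walks the inbound ACL on Vlan51 top-down, showing why the original list drops the SYN-ACK a guest host sends back to VLAN 1 and why the `established` and `echo-reply` entries fix that; the sample packets and the outside address 203.0.113.5 are constructed, and the wildcard 0.0.255.255 is written as the prefix 192.168.0.0/16.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example: models the ACL applied "in" on interface Vlan51, i.e. it sees
# packets sourced by guest hosts, including replies to sessions VLAN 1 opened.

@dataclass
class Packet:
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    tcp_ack: bool = False    # ACK or RST bit set; this is all "established" checks
    icmp_type: str = ""      # "echo" or "echo-reply"

@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: str = "ip"        # "ip" matches every protocol
    dst: str = "0.0.0.0/0"   # "any"
    established: bool = False
    icmp_type: str = ""

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.established and not p.tcp_ack:
            return False
        if self.icmp_type and self.icmp_type != p.icmp_type:
            return False
        return True

def evaluate(acl, p):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"

ORIGINAL = [Ace("deny", dst="192.168.0.0/16"), Ace("permit")]
FIXED = [Ace("permit", "tcp", established=True),
         Ace("permit", "icmp", icmp_type="echo-reply")] + ORIGINAL

# Constructed flows as seen inbound on Vlan51 (source is always a guest host):
syn_ack = Packet("tcp", "192.168.51.20", "192.168.1.10", tcp_ack=True)    # reply to VLAN 1
guest_syn = Packet("tcp", "192.168.51.20", "192.168.1.10")               # guest initiating
ping_reply = Packet("icmp", "192.168.51.20", "192.168.1.10", icmp_type="echo-reply")
dns_reply = Packet("udp", "192.168.51.20", "192.168.1.10")               # UDP reply
internet = Packet("tcp", "192.168.51.20", "203.0.113.5")                 # guest to outside
```

The `dns_reply` case shows the limit behind "primarily TCP": a UDP reply from the guest VLAN still hits the deny, because `established` only inspects TCP flag bits. It is therefore a stateless approximation of session tracking; a reflexive ACL or a stateful firewall tracks the actual session instead.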
 
yostnet (Author) commented:
thank you!
0
