Setting what network a VLAN can reach

Assuming the following network:
- LAN with VLAN 10 (192.168.10.0) - servers VLAN
- LAN with VLAN 20 (192.168.20.0) - desktops VLAN
- LAN with VLAN 30 (192.168.30.0) - wireless VLAN

I need the following results:

- VLANs 20 and 30 can reach VLAN 10 (servers) to be able to use shared files, printers, and all shared things.
- VLANs 20 and 30 can't see each other (can't ping or access shared files).

I made a home lab with my Cisco SG100 layer 3 switch, but when I enable the router option, all VLANs can see and ping each other, without an option to restrict a specific VLAN.

What do I need to do?

edu87 asked:

mikebernhardt commented:
You have to create access lists and apply them to the vlans

for example:
! Extended ACLs (numbers 100-199) so the deny can match on the destination
! network; standard ACLs (1-99) match on source only, and a standard "deny
! 192.168.30.0" applied inbound on VLAN 20 would never match, since traffic
! entering from VLAN 20 has a 192.168.20.x source. IOS ACL masks are
! wildcard masks: 0.0.0.255 means /24, not 255.255.255.0.
access-list 120 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 120 permit ip any any

access-list 130 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 130 permit ip any any

! Apply each list inbound on the VLAN interface whose hosts it filters.
interface vlan 20
 ip access-group 120 in
interface vlan 30
 ip access-group 130 in

This will block those two VLANs from communicating with each other but allow any other traffic.

mikebernhardt commented:
So to educate you a bit:
1. Access lists have an "implicit deny", which means that when you create one, any traffic not specifically permitted will be blocked. That's why you have to have the permit statement at the end (in this case).
2. You create the list and then apply it to the interface. "In" means in toward the router from the LAN, and "Out" means out from the router to the LAN. So in this case we are saying that any traffic trying to exit the LAN through the router will be subject to the assigned access list.
edu87 (author) commented:
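To make the two points above concrete (first-match evaluation, the implicit deny at the end of every list, and "in" meaning the list bound to the interface the traffic enters from), here is a small evaluator that replays the thread's design against sample flows. This is an added example, not code from the thread or from Cisco: it assumes IOS-style extended numbered ACLs (hypothetical numbers 120 and 130 with wildcard masks), a constructed rule that the third octet of an address identifies its VLAN in this lab, and it only supports contiguous wildcard masks.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed config mirroring the thread's design in IOS extended-ACL syntax
# (ACL numbers 120/130 are assumed; the SG100 itself may expose a different CLI or GUI).
ACL_CONFIG = """
access-list 120 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 120 permit ip any any
access-list 130 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 130 permit ip any any
"""

# Which ACL is bound with "ip access-group <n> in" on each VLAN interface (constructed).
INBOUND: Dict[str, str] = {"vlan20": "120", "vlan30": "130"}

Ace = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def _match_spec(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D <wildcard>' at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks invert the subnet mask: 0.0.0.255 -> 255.255.255.0 (/24).
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.IPv4Network((tok, str(netmask)), strict=False), i + 2


def parse_acls(config: str) -> Dict[str, List[Ace]]:
    """Return {acl_number: [(action, src_net, dst_net), ...]} preserving line order."""
    acls: Dict[str, List[Ace]] = {}
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported line: {line!r}")
        number, action = t[1], t[2]
        src, i = _match_spec(t, 4)
        dst, _ = _match_spec(t, i)
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def vlan_of(ip: str) -> str:
    """Constructed lab convention: 192.168.<vlan>.x belongs to VLAN <vlan>."""
    return "vlan" + ip.split(".")[2]


def forward_decision(acls: Dict[str, List[Ace]], src: str, dst: str) -> str:
    """Apply the ACL bound 'in' on the source host's VLAN interface; no ACL means permit."""
    number = INBOUND.get(vlan_of(src))
    if number is None:
        return "permit"
    return evaluate(acls[number], src, dst)


def without_permit_line(config: str) -> str:
    """Drop the trailing 'permit ip any any' to show what the implicit deny does on its own."""
    return "\n".join(l for l in config.strip().splitlines() if " permit " not in l)


if __name__ == "__main__":
    acls = parse_acls(ACL_CONFIG)
    for src, dst in [("192.168.20.5", "192.168.10.2"), ("192.168.20.5", "192.168.30.7"),
                     ("192.168.30.7", "192.168.20.5"), ("192.168.30.7", "192.168.10.2")]:
        print(f"{src} -> {dst}: {forward_decision(acls, src, dst)}")
    bare = parse_acls(without_permit_line(ACL_CONFIG))
    print("desktop -> server with no permit line:", evaluate(bare["120"], "192.168.20.5", "192.168.10.2"))
```

Running it shows desktops and wireless reaching the servers VLAN while both cross-VLAN flows are denied; the last line shows that dropping the final `permit ip any any` leaves only the implicit deny, so the desktop-to-server flow is blocked too.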
Thank you mikebernhardt,

ACL was the answer!