edu87 asked:
Setting what network a VLAN can reach
Assuming the following network:
- LAN with VLAN 10 (192.168.10.0) - servers VLAN
- LAN with VLAN 20 (192.168.20.0) - desktops VLAN
- LAN with VLAN 30 (192.168.30.0) - wireless VLAN
I need the following results:
- VLANs 20 and 30 can reach VLAN 10 (servers) to be able to use shared files, printers, and all shared things.
- VLANs 20 and 30 can't see each other (can't ping or access shared files).
I made a home lab with my Cisco SG100 layer 3 switch, but when I enable the router option, all VLANs can see and ping each other, without an option to restrict a specific VLAN.
What do I need to do?
ASKER
Thank you mikebernhardt,
ACL was the answer!
1. Access lists have an "implicit deny", which means that when you create one, any traffic not specifically permitted will be blocked. That's why you have to have the permit statement at the end (in this case).
2. You create the list and then apply it to the interface. "In" means in toward the router from the LAN and "Out" means out from the router to the LAN. So in this case we are saying that any traffic trying to exit the LAN through the router will be subject to the assigned access list.
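As an added illustration of the two points above (not code from the thread or from Cisco), here is a small model of how a layer 3 switch evaluates an access list applied "in" on each VLAN interface: entries are checked in order, the first match decides, and a packet that matches nothing hits the implicit deny. The ACL names `DESKTOPS-IN` and `WIRELESS-IN`, the IOS-style configuration in the comments (the SG100's own syntax differs), and the test address 8.8.8.8 are assumptions for illustration. The desktop VLAN's list ends with an explicit `permit ip any any` (the pattern described above), while the wireless VLAN's list deliberately omits it so the effect of the implicit deny is visible side by side.

```python
# Added example (not from the original thread): a model of how a
# router/L3 switch evaluates an ACL applied "in" on each VLAN interface.
# ACL names, the 8.8.8.8 test address and the IOS-style config in the
# comments are assumptions for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus source/destination prefixes."""
    action: str        # "permit" or "deny"
    src: IPv4Net
    dst: IPv4Net


def ace(action: str, src: str, dst: str) -> Ace:
    return Ace(action, ipaddress.ip_network(src), ipaddress.ip_network(dst))


ANY = "0.0.0.0/0"

# Equivalent IOS-style configuration (assumed syntax, shown for orientation):
#   ip access-list extended DESKTOPS-IN
#     deny   ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
#     permit ip any any
#   ip access-list extended WIRELESS-IN
#     permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
#   interface Vlan20
#     ip access-group DESKTOPS-IN in
#   interface Vlan30
#     ip access-group WIRELESS-IN in
ACLS: Dict[str, List[Ace]] = {
    # Desktops: block only the wireless subnet, then allow everything else.
    "DESKTOPS-IN": [
        ace("deny", "192.168.20.0/24", "192.168.30.0/24"),
        ace("permit", ANY, ANY),
    ],
    # Wireless: permit only the server subnet; the implicit deny drops the
    # rest (desktops and anything beyond the router).
    "WIRELESS-IN": [
        ace("permit", "192.168.30.0/24", "192.168.10.0/24"),
    ],
}

# ACLs applied inbound (traffic entering the router from the LAN) per SVI.
# Vlan10 carries no ACL, so replies from the servers are routed unfiltered.
INBOUND_ACL: Dict[str, str] = {"Vlan20": "DESKTOPS-IN", "Vlan30": "WIRELESS-IN"}

SVI_SUBNETS: Dict[str, IPv4Net] = {
    "Vlan10": ipaddress.ip_network("192.168.10.0/24"),
    "Vlan20": ipaddress.ip_network("192.168.20.0/24"),
    "Vlan30": ipaddress.ip_network("192.168.30.0/24"),
}


def evaluate_acl(entries: List[Ace], src: ipaddress.IPv4Address,
                 dst: ipaddress.IPv4Address) -> bool:
    """First matching entry wins; no match means the implicit deny applies."""
    for entry in entries:
        if src in entry.src and dst in entry.dst:
            return entry.action == "permit"
    return False


def ingress_svi(src: ipaddress.IPv4Address) -> Optional[str]:
    """Which VLAN interface a packet from this source enters the router on."""
    for name, subnet in SVI_SUBNETS.items():
        if src in subnet:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str) -> bool:
    """Would the router forward a packet from src_ip to dst_ip?"""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    acl_name = INBOUND_ACL.get(ingress_svi(src) or "")
    if acl_name is None:
        return True  # no ACL on that interface: everything is routed
    return evaluate_acl(ACLS[acl_name], src, dst)


def reachability_matrix() -> Dict[str, Dict[str, bool]]:
    """Host-to-host reachability between the three VLANs, for a quick review."""
    hosts = {"Vlan10": "192.168.10.5", "Vlan20": "192.168.20.5",
             "Vlan30": "192.168.30.5"}
    return {s: {d: is_allowed(hs, hd) for d, hd in hosts.items() if d != s}
            for s, hs in hosts.items()}


if __name__ == "__main__":
    for src, row in reachability_matrix().items():
        print(src, row)
```

Running it prints a three-row matrix in which both client VLANs reach VLAN 10, neither reaches the other, and VLAN 10 can answer both. Because the lists are stateless, the return path matters: replies from the servers enter on Vlan10, which carries no ACL, so they are forwarded; had a matching "in" list been put on Vlan10 as well, the replies would need their own permit entries.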