
Setting what network a VLAN can reach

edu87 asked
Assuming the following network:
- LAN with VLAN 10 ( - servers VLAN
- LAN with VLAN 20 ( - desktops VLAN
- LAN with VLAN 30 ( - wireless VLAN

I need the following results:

- VLAN 20 and 30 can reach vlan 10 (servers) to be able to use shared files, printers, and all shared things.
- VLANs 20 and 30 can't see each other (can't ping and access shared files)

I made a home lab with my Cisco SG100 layer 3 switch, but when I enable the router option, all VLANs can see and ping each other, without an option to restrict a specific VLAN.

What do I need to do?

Top Expert 2004
You have to create access lists and apply them to the vlans

for example:
access-list 20 deny
access-list 20 permit any

access-list 30 deny
access-list 30 permit any

interface vlan 20
 ip access-group 20 in
interface vlan 30
 ip access-group 30 in

This will block those 2 VLANs from communicating with each other, but allow any other traffic.
Top Expert 2004

So to educate you a bit:
1. Access lists have an "implicit deny", which means that when you create one, any traffic not specifically permitted will be blocked. That's why you have to have the permit statement at the end (in this case).
2. You create the list and then apply it to the interface. "In" means in toward the router from the LAN and "Out" means out from the router to the LAN. So in this case we are saying that any traffic trying to exit the LAN through the router will be subject to the assigned access list.
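A fuller version of this approach, as an added example rather than the answer's own configuration or the SG100's own command syntax: Cisco IOS syntax is assumed, the three /24 subnets, gateway addresses and ACL names are constructed placeholders (the question gives no addresses), and extended ACLs are used so that each deny names both the source and the destination VLAN.

```cisco
! Added example, Cisco IOS syntax assumed; not the original answer's config.
! Constructed placeholder subnets (the question does not state them):
!   VLAN 10 servers  10.0.10.0/24
!   VLAN 20 desktops 10.0.20.0/24
!   VLAN 30 wireless 10.0.30.0/24
ip routing
!
! An extended ACL matches on destination as well as source, so each list
! denies only the one desktop<->wireless path and leaves VLAN 10 reachable.
! "log" records the denied attempts so blocked cross-VLAN traffic is visible.
ip access-list extended VLAN20-IN
 deny   ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255 log
 permit ip any any
!
ip access-list extended VLAN30-IN
 deny   ip 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255 log
 permit ip any any
!
! Applied "in" on each SVI: traffic leaving that LAN toward the router is
! checked once, at its source VLAN. The explicit "permit ip any any" at the
! end overrides the implicit deny, so server (VLAN 10) access still works.
interface vlan 20
 ip address 10.0.20.1 255.255.255.0
 ip access-group VLAN20-IN in
!
interface vlan 30
 ip address 10.0.30.1 255.255.255.0
 ip access-group VLAN30-IN in
```

To check the result, ping a wireless host from a desktop and a server from both VLANs, then run `show ip access-lists`: the deny lines should show match counts for the failed pings and the permit lines for the server traffic.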


Thank you mikebernhardt,

ACL was the answer!