Setting what network a VLAN can reach

Assuming the following network:
- LAN with VLAN 10 (192.168.10.0) - servers VLAN
- LAN with VLAN 20 (192.168.20.0) - desktops VLAN
- LAN with VLAN 30 (192.168.30.0) - wireless VLAN

I need the following results:

- VLANs 20 and 30 can reach VLAN 10 (servers) to be able to use shared files, printers, and all shared things.
- VLANs 20 and 30 can't see each other (can't ping or access shared files)

I made a home lab with my Cisco SG100 Layer 3 switch, but when I enable the router option, all VLANs can see and ping each other, without an option to restrict a specific VLAN.

What do I need to do?
edu87 Asked:

mikebernhardt Commented:
You have to create access lists and apply them to the VLANs.

For example:
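! IOS-style syntax. Extended lists (100-199) are used because a standard list
! (1-99) matches only the source address, and inbound on a VLAN interface the
! source is that VLAN's own subnet. ACL entries take wildcard masks (0.0.0.255).
access-list 120 deny ip any 192.168.30.0 0.0.0.255
access-list 120 permit ip any any

access-list 130 deny ip any 192.168.20.0 0.0.0.255
access-list 130 permit ip any any

! Bind each list inbound on the matching VLAN interface
interface vlan 20
 ip access-group 120 in
interface vlan 30
 ip access-group 130 in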

This will block those 2 VLANs from communicating with each other, but allow any other traffic.
mikebernhardt Commented:
So to educate you a bit:
1. Access lists have an "implicit deny", which means that when you create one, any traffic not specifically permitted will be blocked. That's why you have to have the permit statement at the end (in this case).
2. You create the list and then apply it to the interface. "In" means in toward the router from the LAN and "Out" means out from the router to the LAN. So in this case we are saying that any traffic trying to exit the LAN through the router will be subject to the assigned access list.
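
The first-match and implicit-deny behaviour described in the comment above, as an added example that is not part of the original thread: a small Python model of an access list bound "in" on VLAN 20. The entry layout, helper names and sample addresses are assumptions made for illustration, not Cisco syntax.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # wildcard that matches every address

def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit where the wildcard bit is 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, (s_base, s_wc), (d_base, d_wc) in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action
    return "deny"  # implicit deny at the end of every access list

# Constructed model of a list applied "in" on interface vlan 20 (desktops):
# block anything headed for the wireless VLAN, permit everything else.
VLAN20_IN = [
    ("deny", ANY, ("192.168.30.0", "0.0.0.255")),
    ("permit", ANY, ANY),
]
# Same list without the trailing permit, to show the implicit deny.
VLAN20_IN_NO_PERMIT = VLAN20_IN[:1]

def report(acl):
    """Verdicts for constructed sample packets sent by a desktop at 192.168.20.15."""
    flows = {
        "servers": "192.168.10.5",
        "wireless": "192.168.30.7",
        "other": "203.0.113.9",
    }
    return {name: evaluate(acl, "192.168.20.15", dst) for name, dst in flows.items()}

if __name__ == "__main__":
    print("with final permit:   ", report(VLAN20_IN))
    print("without final permit:", report(VLAN20_IN_NO_PERMIT))
```

Running the same check against every list before binding it to an interface shows whether a missing final permit would also cut the desktops off from the servers VLAN.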
edu87 (Author) Commented:
Thank you mikebernhardt,

ACL was the answer!