Access-List for Multiple VLAN on 3560 Switch
Posted on 2016-10-29
I'm trying to work out the rules/logic for creating an access-list that blocks each VLAN from the others, apart from the default, which is the gateway.
So I have the following:
Default Vlan - 192.168.1.0 with the gateway being 192.168.1.1... thereafter
Vlan10 - 192.168.100.0
Vlan20 - 192.168.101.0
Vlan30 - 192.168.102.0
** All Class C
I would like Vlan 10, 20, 30 to be able to see the default, but I want to block them from seeing each other. At the moment I can ping between vlans.
So as a test, I created an access-list:
access-list 10 deny host 192.168.101.0
and added this to my vlan10 interface:
ip access-group 10 in
My thinking was that this should deny traffic coming in from Vlan20 - 192.168.101.0 but would allow me access to default & Vlan30. (At this point I have to confess that Cisco IOS is clearly not my bag)
However, it didn't work. It seemed to block everything; I couldn't ping any other VLAN. I tried different combinations of permit/deny but again I had no joy. There is obviously a little more to it. Google came up with lots of info (maybe too much); as my requirements are pretty basic, I thought I would ask.
Any help offered would be greatly appreciated
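For reference, here is the configuration that meets the requirement stated in the post (user VLANs 10, 20 and 30 can reach the default VLAN but not each other). This is an added example, not configuration from the original post or from any reply to it. Two things about the original attempt are worth noting: a standard ACL such as `access-list 10` matches on source address only, and `host 192.168.101.0` matches the single address 192.168.101.0, not the subnet; and because the list had no `permit` line, the implicit `deny any` at the end dropped everything. "in" on an SVI also filters traffic that hosts in that VLAN send towards the switch, so the list on `interface Vlan10` sees VLAN 10 hosts as the source, not VLAN 20. Extended ACLs match on destination as well, which is what this requirement needs. The subnets are the ones from the post; the SVI addresses (.1 of each subnet) and the ACL names are assumptions.

```cisco
! Added example (not from the original post). One extended ACL per user
! VLAN, applied inbound on that VLAN's SVI. Each list names the VLAN's own
! subnet as the source, denies the other two user subnets as destination,
! and permits everything else (including the default VLAN 192.168.1.0/24).
! SVI addresses and ACL names are assumptions.

ip access-list extended VLAN10-IN
 remark Block VLAN10 hosts from VLAN20 and VLAN30; allow everything else
 deny   ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255
 deny   ip 192.168.100.0 0.0.0.255 192.168.102.0 0.0.0.255
 permit ip any any

ip access-list extended VLAN20-IN
 remark Block VLAN20 hosts from VLAN10 and VLAN30; allow everything else
 deny   ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
 permit ip any any

ip access-list extended VLAN30-IN
 remark Block VLAN30 hosts from VLAN10 and VLAN20; allow everything else
 deny   ip 192.168.102.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255
 permit ip any any

interface Vlan10
 ip address 192.168.100.1 255.255.255.0
 ip access-group VLAN10-IN in
!
interface Vlan20
 ip address 192.168.101.1 255.255.255.0
 ip access-group VLAN20-IN in
!
interface Vlan30
 ip address 192.168.102.1 255.255.255.0
 ip access-group VLAN30-IN in
```

Because IOS ACLs are stateless, filtering only one side of a pair is not enough: with a list on Vlan10 alone, a host in VLAN 20 could still open a connection into VLAN 10, and the VLAN 10 replies would be dropped rather than the attempt. Denying the pair on both SVIs closes that gap, and the `permit ip any any` at the end is what keeps the default VLAN and the gateway reachable. To check the result, `show ip interface vlan 10` should report the inbound access list bound to the interface, `show ip access-lists` shows the lists as parsed, and a ping from a VLAN 10 host to a VLAN 20 host should now fail while a ping to 192.168.1.1 succeeds.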