=== Scenario ===
Layer 3 switch with 4 VLANs:
VLAN 10: 192.168.10.254/24
VLAN 20: 192.168.20.254/24
VLAN 30: 192.168.30.254/24
VLAN 40: 192.168.40.254/24
By default, inter-VLAN routing is enabled on the L3 switch.
Right now, the administrator does not want:
VLAN 10 to communicate with VLAN 20, and vice versa
VLAN 30 to communicate with VLAN 40, and vice versa
Port 1-4 ==> VLAN 10, Port 5-8 ==> VLAN 20,
Port 9-12 ==> VLAN 30, Port 13- ==> VLAN 40
=== Command ===
Prerequisites: create the VLANs, assign the IP addresses, and assign the ports to their VLANs.
Console#config
Console(config)#access-list ip extended no10to20
Console(config-ext-acl)#deny any 192.168.20.0 255.255.255.0
Console(config-ext-acl)#exit
Console(config)#access-list ip extended no30to40
Console(config-ext-acl)#deny any 192.168.40.0 255.255.255.0
Console(config-ext-acl)#end
Console#
Console#conf
Console(config)#interface ethernet 1/1-4
Console(config-if-e1/1-4)#ip access-group no10to20 in
Console(config-if-e1/1-4)#exit
Console(config)#interface ethernet 1/9-12
Console(config-if-e1/9-12)#ip access-group no30to40 in
Console(config-if-e1/9-12)#end
Console#
** For this type of scenario an extended ACL is recommended over a standard ACL: a standard ACL matches only on the source address, so it cannot express "from anywhere to 192.168.20.0/24".
** The direction in "ip access-group ... in" is seen from the port's point of view.
Example: computer 1 is connected to port 1 and computer 2 to port 2.
When computer 1 sends a packet to computer 2, the packet is in the IN direction for port 1
and in the OUT direction for port 2.
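As an added illustration (not from the original post), the following Python model evaluates the two ACLs above against sample packets, applying each inbound ACL at the port where the packet arrives, exactly as the IN-direction note describes. It assumes the switch permits traffic that matches no rule; if your switch ends every ACL with an implicit deny, set default="deny" and add a permit rule for the remaining traffic.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


class Acl:
    """Ordered (action, source_net, destination_net) rules, first match wins.

    default: result when no rule matches. ASSUMPTION for this model: the
    switch permits unmatched traffic; use "deny" if yours has an implicit deny.
    """
    def __init__(self, name, rules, default="permit"):
        self.name, self.rules, self.default = name, rules, default

    def evaluate(self, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for action, src_net, dst_net in self.rules:
            if s in src_net and d in dst_net:
                return action
        return self.default


# The two ACLs from the configuration (mask 255.255.255.0 written as /24).
NO10TO20 = Acl("no10to20", [("deny", ANY, ipaddress.ip_network("192.168.20.0/24"))])
NO30TO40 = Acl("no30to40", [("deny", ANY, ipaddress.ip_network("192.168.40.0/24"))])

# Inbound ACL bindings from the configuration: ports 1-4 and 9-12 only.
INBOUND_ACL = {p: NO10TO20 for p in range(1, 5)}
INBOUND_ACL.update({p: NO30TO40 for p in range(9, 13)})


def ingress_decision(port, src, dst):
    """Filter a packet at the port it arrives on (the 'in' direction)."""
    acl = INBOUND_ACL.get(port)
    return "permit" if acl is None else acl.evaluate(src, dst)


def check_flow(client_port, client_ip, server_ip, server_port):
    """Return (request, reply) decisions; each leg is checked at its own ingress port."""
    request = ingress_decision(client_port, client_ip, server_ip)
    reply = ingress_decision(server_port, server_ip, client_ip)
    return request, reply


if __name__ == "__main__":
    # Constructed sample hosts: .1 in each VLAN, attached to the first port of that VLAN.
    print("VLAN10 -> VLAN20:", check_flow(1, "192.168.10.1", "192.168.20.1", 5))
    print("VLAN20 -> VLAN10:", check_flow(5, "192.168.20.1", "192.168.10.1", 1))
    print("VLAN10 -> VLAN30:", check_flow(1, "192.168.10.1", "192.168.30.1", 9))
```

The model shows that a packet sent from VLAN 20 into VLAN 10 is not filtered at all (no ACL on ports 5-8); only the reply is dropped on ports 1-4, so the isolation relies on the return traffic being blocked.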
== Finish ==
Thursday, July 9, 2009