From: zhang-meng (meng_zhang@call-center.com.cn)
Date: Sun Dec 14 2003 - 22:05:32 GMT-3
Hi Group,
A problem about access-list.
The scenario:
three vlans: vlan 1 (10.1.10.0/24), vlan 2 (10.2.20.0/24), vlan 3 (10.3.30.0/24)
1. vlan 1 can't access vlan2, vlan 3
2. vlan 2 can access vlan 1
3. some of the hosts in vlan 3 can access vlan 1, vlan 2, vlan 3
It seems I can't finish task "2".
task "1"
for requirement 1
access-list 101 deny ip 10.1.10.0 0.0.0.255 10.2.20.0 0.0.0.255
access-list 101 deny ip 10.1.10.0 0.0.0.255 10.3.30.0 0.0.0.255
access-list 101 permit ip any any
vlan 1 ip access-group 101 in
vlan 2
ping 10.1.10.100/24
sent packet
source address 10.2.20.200 (vlan 2)
destination address 10.1.10.100 (vlan 1)
response packet
source address 10.1.10.100
destination address 10.2.20.200
Because of the "vlan 1 ip access-group in" command,
vlan 2 can't receive the response packet.
I think the "vlan 1 ip access-group in" statement will deny traffic
between vlan 2 and vlan 1,
regardless of direction, from vlan 2 to vlan 1 or vlan 1 to vlan 2.
vlan 1 can't access vlan 2, and then vlan 2 can't access vlan 1.
Could you give some suggestions to finish this task, or a detailed
description of the principle from the Cisco web site?
Thanks in advance.
Best Regards
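
Added example (not part of the original post): a small Python model of ACL 101 applied inbound on the vlan 1 interface, showing why the echo reply described above is dropped, and how tracking flows started from the other side (the idea behind reflexive access lists) lets replies through while new traffic from vlan 1 stays blocked. The class and function names are hypothetical, the session table is a simplification, and whether the poster's platform supports such a feature is not stated.

```python
import ipaddress

# ACL 101 exactly as posted: (action, src, src wildcard, dst, dst wildcard).
ACL_101 = [
    ("deny", "10.1.10.0", "0.0.0.255", "10.2.20.0", "0.0.0.255"),
    ("deny", "10.1.10.0", "0.0.0.255", "10.3.30.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),  # any any
]

def wildcard_match(addr, base, wildcard):
    """Wildcard-mask semantics: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, src, dst):
    """First matching entry decides; no match falls to the implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"

class Vlan1Interface:
    """Hypothetical model of the routed vlan 1 interface, ACL 101 inbound."""
    def __init__(self, stateful=False):
        self.stateful = stateful
        self.sessions = set()  # flows that were forwarded out toward vlan 1

    def forward_to_vlan1(self, src, dst):
        """Packet routed out to vlan 1; the post applies no outbound ACL."""
        if self.stateful:
            self.sessions.add((src, dst))
        return "permit"

    def receive_from_vlan1(self, src, dst):
        """Packet arriving from a vlan 1 host: this is where 'in' applies."""
        if self.stateful and (dst, src) in self.sessions:
            return "permit"  # reply to a flow started from the other side
        return evaluate(ACL_101, src, dst)

def ping_from_vlan2(iface, vlan2_host="10.2.20.200", vlan1_host="10.1.10.100"):
    """Return (echo request verdict, echo reply verdict) for the post's ping."""
    request = iface.forward_to_vlan1(vlan2_host, vlan1_host)
    reply = iface.receive_from_vlan1(vlan1_host, vlan2_host)
    return request, reply

if __name__ == "__main__":
    print("stateless:", ping_from_vlan2(Vlan1Interface()))
    print("stateful: ", ping_from_vlan2(Vlan1Interface(stateful=True)))
```
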
This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:41 GMT-3