Scenarios:
Each of VLANs 10, 20 and 30 should be allowed to talk only with VLAN 100 (Servers) and with itself; the three user VLANs must not reach each other.
| Allowed to communicate with each other | Not allowed to communicate with each other |
|---|---|
| VLAN 10 ↔ VLAN 100 | VLAN 10 ✗ VLAN 20 |
| VLAN 20 ↔ VLAN 100 | VLAN 10 ✗ VLAN 30 |
| VLAN 30 ↔ VLAN 100 | VLAN 20 ✗ VLAN 10 |
| VLAN 10 ↔ VLAN 10 | VLAN 20 ✗ VLAN 30 |
| VLAN 20 ↔ VLAN 20 | |
| VLAN 30 ↔ VLAN 30 | |

Subnets:
VLAN 100 (Servers): IP subnet 192.168.100.0/24
VLAN 10: IP subnet 192.168.10.0/24
VLAN 20: IP subnet 192.168.20.0/24
VLAN 30: IP subnet 192.168.30.0/24
How can this be configured?
ACL configuration example A:
switch(config)#firewall enable
!
ip access-list extended test
permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.100.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.100.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255
deny ip any-source any-destination
switch(config)#interface ethernet 1/0/1-24
switch(config)#ip access-group test in
*************************************************************
ACL configuration example B:
switch(config)#firewall enable
!
ip access-list extended test
deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip any-source any-destination
switch(config)#interface ethernet 1/0/1-24
switch(config)#ip access-group test in
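To check that the two example ACLs really enforce the matrix above before applying them to ports 1/0/1-24, here is an added Python model (not from the original page or the switch vendor) that parses the entries with their wildcard masks, applies first-match semantics, and tests one host per VLAN; the .5 host addresses are constructed test values.

```python
import ipaddress
# Entries copied from ACL examples A and B above; only the access-list entries matter here.
ACL_A = """\
permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.100.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.100.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255
deny ip any-source any-destination"""
ACL_B = """\
deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip any-source any-destination"""
# Constructed test hosts: one address in each of the four VLAN subnets.
HOSTS = {"10": "192.168.10.5", "20": "192.168.20.5", "30": "192.168.30.5", "100": "192.168.100.5"}

def _net(tokens):
    """Consume 'any-source'/'any-destination' or 'addr wildcard'; return (network, rest)."""
    if tokens[0].startswith("any"):
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    addr, wildcard = tokens[0], tokens[1]
    # A wildcard mask is the bitwise inverse of a subnet mask: 0.0.0.255 -> 255.255.255.0
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network((addr, str(mask)), strict=False), tokens[2:]

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' entries into ordered (action, src_net, dst_net) tuples."""
    rules = []
    for line in text.splitlines():
        action, _proto, *tokens = line.split()
        src, tokens = _net(tokens)
        dst, _ = _net(tokens)
        rules.append((action, src, dst))
    return rules

def lookup(rules, src_ip, dst_ip):
    """First matching entry wins; with no match the switch's implicit deny applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next((a for a, src, dst in rules if s in src and d in dst), "deny")

def matrix(rules):
    """One host per VLAN tested against every VLAN -> {('10', '100'): 'permit', ...}."""
    return {(a, b): lookup(rules, ha, hb) for a, ha in HOSTS.items() for b, hb in HOSTS.items()}
```

Running matrix() over both lists shows they agree for every VLAN pair except 100 to 100: example A has no entry permitting 192.168.100.0/24 to itself, so server-to-server traffic inside VLAN 100 falls through to the final deny, and A also denies traffic to addresses outside the four subnets that B lets through.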