Switches, Hubs, and Modems

VLAN to VLAN ACLs

Scotte
Occasional Contributor

I'm new to ACLs, so please bear with me. I'm working with some 2610s with 4 VLANs:

VLAN10 - 192.168.10.0/24
VLAN30 - 192.168.30.0/24
VLAN40 - 10.10.10.0/24
VLAN50 - 192.168.50.0/24

As of right now, there are no ACLs, so none of the VLANs have access to any of the others. I now need to allow VLAN10 and VLAN50 access to each other.

I'm going through the documentation, and I thought I had a handle on things, until someone asked how will the ACLs affect internet access.

Internet access is controlled by a gateway, so at the switches, all of the VLANs need to be able to access the internet. Now, I'm thinking instead of only allowing access from one VLAN to the other, I need to allow access from the VLAN to any, then deny the VLANs it shouldn't access. Is that right? I was thinking along these lines:

access-list 101 permit ip 192.168.10.0/24 any
access-list 101 permit ip 192.168.50.0/24 any
access-list 101 permit ip 192.168.30.0/24 any
access-list 101 permit ip 10.10.10.0/24 any
access-list 101 deny ip 192.168.10.0/24 192.168.30.0/24
access-list 101 deny ip 192.168.10.0/24 10.10.10.0/24
access-list 101 deny ip 192.168.50.0/24 192.168.30.0/24
access-list 101 deny ip 192.168.50.0/24 10.10.10.0/24
access-list 101 deny ip 192.168.30.0/24 192.168.10.0/24
access-list 101 deny ip 192.168.30.0/24 192.168.50.0/24
access-list 101 deny ip 192.168.30.0/24 10.10.10.0/24
access-list 101 deny ip 10.10.10.0/24 192.168.10.0/24
access-list 101 deny ip 10.10.10.0/24 192.168.30.0/24
access-list 101 deny ip 10.10.10.0/24 192.168.50.0/24

Any pointers would be greatly appreciated.
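Added example (editor's code, not from the poster or from HP documentation): a small Python first-match ACL simulator built from the four subnets in the post. A switch ACL is evaluated top-down, the first matching entry decides, and anything that matches no entry hits the implicit deny at the end. The simulator shows what that means for the draft above: the four "permit <VLAN> any" entries at the top match every packet from those VLANs, so the ten deny entries below them can never be reached, and VLAN10 still reaches VLAN30. The corrected list in the example puts the VLAN-to-VLAN denies first and one "permit any any" last, which keeps internet access for every VLAN while blocking the unwanted pairs. The host addresses, the 203.0.113.10 "internet" destination and the function names are assumptions for illustration only.

```python
"""First-match ACL simulator. Added example; the subnets come from the post,
everything else (host addresses, names) is constructed for illustration."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(spec):
    """Turn 'any' or a CIDR string into an ip_network."""
    return ANY if spec == "any" else ipaddress.ip_network(spec)


def build_acl(rules):
    """rules: list of (action, src, dst) in the order they appear in the ACL."""
    return [(action, _net(src), _net(dst)) for action, src, dst in rules]


def evaluate(acl, src_ip, dst_ip):
    """Decide one packet: top-down, first match wins, implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def shadowed_rules(acl):
    """Indexes of entries that can never match because an earlier entry already
    covers every (src, dst) they would match. A non-empty result is a red flag."""
    shadowed = []
    for i, (_, src, dst) in enumerate(acl):
        if any(src.subnet_of(esrc) and dst.subnet_of(edst)
               for _, esrc, edst in acl[:i]):
            shadowed.append(i)
    return shadowed


# The four inter-VLAN pairs that should stay blocked, in both directions
# (ACLs on a switch are stateless, so each direction needs its own entry).
VLAN_DENIES = [
    ("deny", "192.168.10.0/24", "192.168.30.0/24"),
    ("deny", "192.168.10.0/24", "10.10.10.0/24"),
    ("deny", "192.168.50.0/24", "192.168.30.0/24"),
    ("deny", "192.168.50.0/24", "10.10.10.0/24"),
    ("deny", "192.168.30.0/24", "192.168.10.0/24"),
    ("deny", "192.168.30.0/24", "192.168.50.0/24"),
    ("deny", "192.168.30.0/24", "10.10.10.0/24"),
    ("deny", "10.10.10.0/24", "192.168.10.0/24"),
    ("deny", "10.10.10.0/24", "192.168.30.0/24"),
    ("deny", "10.10.10.0/24", "192.168.50.0/24"),
]

# Draft from the post: permits first, denies after them.
DRAFT_ACL = build_acl([
    ("permit", "192.168.10.0/24", "any"),
    ("permit", "192.168.50.0/24", "any"),
    ("permit", "192.168.30.0/24", "any"),
    ("permit", "10.10.10.0/24", "any"),
] + VLAN_DENIES)

# Corrected order: specific denies first, one catch-all permit last.
CORRECTED_ACL = build_acl(VLAN_DENIES + [("permit", "any", "any")])

# Constructed sample hosts; 203.0.113.10 stands in for an internet address.
HOSTS = {
    "VLAN10": "192.168.10.5",
    "VLAN30": "192.168.30.5",
    "VLAN40": "10.10.10.5",
    "VLAN50": "192.168.50.5",
    "INTERNET": "203.0.113.10",
}


def policy_matrix(acl):
    """Map every (source VLAN, destination) pair to the ACL's verdict."""
    return {(src, dst): evaluate(acl, HOSTS[src], HOSTS[dst])
            for src in HOSTS if src != "INTERNET"
            for dst in HOSTS if dst != src}


if __name__ == "__main__":
    for name, acl in (("draft", DRAFT_ACL), ("corrected", CORRECTED_ACL)):
        print(f"{name}: shadowed entries {shadowed_rules(acl)}")
        for pair, verdict in sorted(policy_matrix(acl).items()):
            print(f"  {pair[0]:>6} -> {pair[1]:<8} {verdict}")
```

Run it and the draft reports every deny entry as shadowed and permits VLAN10 to VLAN30, while the corrected list has no shadowed entries, permits VLAN10 and VLAN50 to each other and all four VLANs to the internet address, and denies the rest. Check the real syntax against the 2610 manual before applying it: the mask form, the direction the ACL is applied in, and which VLAN interface it goes on all affect whether traffic to the gateway is still permitted.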