Hello!
VLAN 3 hosts should have access only to 192.168.1.71-79 addresses in VLAN 1. What about the rest of communication? I suppose their access to the rest of VLAN 1 and 2 addressing space should be blocked, but what about their Internet connection?
Please, as well share subnets you use for VLAN 2 and 3, so we can help you creating proper ACLs.
You can apply two approaches - filter traffic either coming from VLAN 1 or from VLANs 2 and 3. I find the first option easier as you will need to apply VACL just on VLAN 1.
ip access-list extended "VLAN1-FILTER"
10 permit ip 192.168.1.71 0.0.0.0 192.168.3.0 0.0.0.255
20 permit ip 192.168.1.71 0.0.0.0 192.168.10.0 0.0.0.255
30 permit ip 192.168.1.72 0.0.0.15 192.168.3.0 0.0.0.255
40 permit ip 192.168.1.72 0.0.0.15 192.168.10.0 0.0.0.255
50 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
60 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
Then apply this ACL as VACL on VLAN1:
vlan 1 ip access-group VLAN1-FILTER vlan
But since you didn't answer my question regarding the rest of communication, keep in mind that this ACL will allow 192.168.1.71-79 range to talk only to VLAN2 and VLAN3. All other communications will be blocked. If you need to implement following scheme:
- Allow 192.168.1.71-79 talk to VLAN2 and 3
- Block the rest of VLAN1 addresses communication to VLAN 2 and 3
- Allow other communication
then you need to add at the end of your ACL permitting ACE to overcome implicit deny, so the ACL will look like this:
ip access-list extended "VLAN1-FILTER"
10 permit ip 192.168.1.71 0.0.0.0 192.168.3.0 0.0.0.255
20 permit ip 192.168.1.71 0.0.0.0 192.168.10.0 0.0.0.255
30 permit ip 192.168.1.72 0.0.0.15 192.168.3.0 0.0.0.255
40 permit ip 192.168.1.72 0.0.0.15 192.168.10.0 0.0.0.255
50 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
60 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
100 permit ip any any
Hope this helps!