Hi,
I have 4 VLANs, i.e. 210, 220, 230, 240, in my core.
For internet access, I wrote a default static route to the firewall in my core switch.
I have created VRRP in my core switch for each VLAN.
Servers and some users are in VLAN 210.
VLAN 220 is for voice.
VLAN 230 is for xyz.
VLAN 240 is for electric.
I want to block VLAN 240 so that it cannot communicate with 210, 220, 230, but my challenge is that the DHCP server is in VLAN 210, so I need to allow VLAN 240 DHCP access for giving IP addresses to VLAN 240 users, and WAN access.
Please tell me what the command is for this access list.
Regards,
Ram.
Access List
-
one6f
Re: Access List
I would suggest that you begin with something easy to set up, using policy network groups and IP rules such as:
Code:
policy network group vlan240 10.10.240.0 mask 255.255.255.0
policy network group vlan210 10.10.210.0 mask 255.255.255.0
policy condition vlan240_vlan210 source network group vlan240 destination network group vlan210
policy condition vlan210_vlan240 source network group vlan210 destination network group vlan240
policy condition vlan240_dhcp source network group vlan240 destination ip 10.10.210.100
policy condition dhcp_vlan240 source ip 10.10.210.100 destination network group vlan240
policy action deny disposition deny
policy action permit
policy rule vlan240_dhcp condition vlan240_dhcp action permit log
policy rule dhcp_vlan240 condition dhcp_vlan240 action permit log
policy rule vlan240_vlan210 condition vlan240_vlan210 action deny log
policy rule vlan210_vlan240 condition vlan210_vlan240 action deny log
qos enable
qos apply
-
ram
Re: Access List
Hi one6f,
Thanks a lot for sharing the commands for the access list. You mentioned the IP address 10.10.210.100; I think you mentioned this IP address for my DHCP server, am I right?
regards,
Ram
-
sokocul_123
Re: Access List
Bro, why can I still ping the VLAN interface? I've configured it like that. I will test in detail tomorrow, endpoint to endpoint.
