Scenario
IP: Deny any host in VLAN20 (203.20.36.0/24) access to VLAN10 (203.20.5.0), except to host 203.20.5.200
Info
access-list extended name = FROM_VLAN20
VLAN ID = 20
Step
1. Create extended access-list. (I named it FROM_VLAN20)
Router1(config)#ip access-list extended FROM_VLAN20
2. Create 2 entries under the extended access list FROM_VLAN20.
Router1(config-ext-nacl)#10 permit ip any host 203.20.5.200
Router1(config-ext-nacl)#100 deny ip any any
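(*the number at the start of each entry, 10 and 100, is its weight, i.e. the sequence number; entries are checked in that order)
3. Apply the access list to inbound packets on interface VLAN 20.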
Router1(config)#interface Vlan 20
Router1(config-if)#ip access-group FROM_VLAN20 in
4. Show the access group applied to the VLAN interface.
Router1#sh run
5. Show the access list with its weights.
Router1#sh acc
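The following Python sketch is an added example, not part of the original post or of any Cisco tool. It models how the two FROM_VLAN20 entries are evaluated in weight order with first match wins, including the fact that entry 100 also drops VLAN20 traffic to destinations outside VLAN10. The function names and sample packet addresses are constructed for illustration.

```python
import ipaddress

# The two entries from step 2, listed out of order on purpose:
# evaluation follows the sequence number, not the order of entry.
ACL_FROM_VLAN20 = """
100 deny ip any any
10 permit ip any host 203.20.5.200
"""

def parse_addr(tokens):
    """Consume one address spec ('any' or 'host A.B.C.D') from the token list."""
    word = tokens.pop(0)
    if word == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if word == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    raise ValueError("unsupported address spec: " + word)

def parse_acl(text):
    """Parse '<seq> <action> ip <src> <dst>' lines, sorted by sequence number."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        seq, action = int(tokens[0]), tokens[1]
        rest = tokens[3:]          # tokens[2] is the protocol; 'ip' matches all IP traffic
        src = parse_addr(rest)
        dst = parse_addr(rest)
        entries.append((seq, action, src, dst))
    return sorted(entries, key=lambda e: e[0])

def evaluate(entries, src, dst):
    """First match wins; if no entry matches, the implicit deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action, seq
    return "deny", None

# Constructed sample packets arriving inbound on interface Vlan 20.
SAMPLES = [
    ("203.20.36.15", "203.20.5.200"),   # the excepted host in VLAN10
    ("203.20.36.15", "203.20.5.10"),    # another host in VLAN10
    ("203.20.36.15", "198.51.100.7"),   # a destination outside VLAN10
]

if __name__ == "__main__":
    acl = parse_acl(ACL_FROM_VLAN20)
    for src, dst in SAMPLES:
        print(src, "->", dst, evaluate(acl, src, dst))
```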