Multiple Access Lists on Same VLAN – How to Implement

access-control, cisco, packet-tracer, router, routing

I have 5 departments, each with its own vlan, and I want some of them to ping some of the others, and only want some of them to be able to ping back. Basically, I am creating a hierarchy of vlans.


Concretely, I need:

vlan10 to ping all the other vlans
vlan20 to ping all the other vlans
vlan30 to only ping vlan50
vlan40 to only ping vlan30 and vlan50
vlan50 to ping none (only its own vlan)

So, to let vlan20 ping all the vlans and block vlan30, vlan40 and vlan50 from pinging it back, I did this:

ip access-list extended BLOCK_ECHO_REQUEST_TO_VLAN20_IN
remark Block ICMP echo requests to VLAN 20
deny icmp any 172.16.32.0 0.0.31.255 echo
remark Permit all other traffic, including ICMP echo reply
permit ip any any
!
interface FastEthernet0/0.3
description FINANCA VLAN
ip access-group BLOCK_ECHO_REQUEST_TO_VLAN20_IN in
!
interface FastEthernet0/0.4
description ADMIN VLAN
ip access-group BLOCK_ECHO_REQUEST_TO_VLAN20_IN in
!
interface FastEthernet0/0.5
description OTHERS VLAN
ip access-group BLOCK_ECHO_REQUEST_TO_VLAN20_IN in
!

That works, but now if I want to do the same for vlan10, the first one gets cancelled, and I can still ping from vlan30, 40 and 50 to vlan20.

ip access-list extended BLOCK_ECHO_REQUEST_TO_VLAN10_IN
deny icmp any 172.16.0.0 0.0.31.255 echo
permit ip any any
!
interface FastEthernet0/0.3
description FINANCA VLAN
ip access-group BLOCK_ECHO_REQUEST_TO_VLAN10_IN in
!
interface FastEthernet0/0.4
description ADMIN VLAN
ip access-group BLOCK_ECHO_REQUEST_TO_VLAN10_IN in
!
interface FastEthernet0/0.5
description OTHERS VLAN
ip access-group BLOCK_ECHO_REQUEST_TO_VLAN10_IN in
!

Switch Configuration

interface FastEthernet0/1
switchport access vlan 10
!
interface FastEthernet0/2
switchport access vlan 20
!
interface FastEthernet0/3
switchport access vlan 30
!
interface FastEthernet0/4
switchport access vlan 40
!
interface FastEthernet0/5
switchport access vlan 50
!
interface FastEthernet0/6
switchport mode trunk
...
interface Vlan1
no ip address
shutdown
!
interface Vlan10
mac-address 0004.9aeb.4a01
ip address 172.16.0.100 255.255.224.0
!
interface Vlan20
mac-address 0004.9aeb.4a02
ip address 172.16.32.100 255.255.224.0
!
interface Vlan30
mac-address 0004.9aeb.4a03
ip address 172.16.64.100 255.255.224.0
!
interface Vlan40
mac-address 0004.9aeb.4a04
ip address 172.16.96.100 255.255.224.0
!
interface Vlan50
mac-address 0004.9aeb.4a05
ip address 172.16.128.100 255.255.224.0

Router Configuration

Router Running Config

interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 10
ip address 172.16.0.50 255.255.224.0
ip access-group 1 in
!
interface FastEthernet0/0.2
encapsulation dot1Q 20
ip address 172.16.32.50 255.255.224.0
ip access-group 1 in
!
interface FastEthernet0/0.3
encapsulation dot1Q 30
ip address 172.16.64.50 255.255.224.0
!
interface FastEthernet0/0.4
encapsulation dot1Q 40
ip address 172.16.96.50 255.255.224.0
!
interface FastEthernet0/0.5
encapsulation dot1Q 50
ip address 172.16.128.50 255.255.224.0

Best Answer

You can't have more than one access list per direction on an interface. So, to accomplish this, you will have to create a unique access-list for each interface that allows only the traffic you want.
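As an added illustration of the answer (example code, not part of the question or the answer), the script below derives one inbound ACL per router sub-interface from the ping hierarchy stated in the question, so that each interface carries exactly one access-group. The ACL names `VLANxx_IN` are assumed; the sub-interface and subnet mapping is taken from the question's router config.

```python
# Added example: one inbound ACL per sub-interface, derived from the question's ping
# hierarchy. Only echo requests towards VLANs a source may not ping are denied; the
# final "permit ip any any" keeps echo replies and all other traffic flowing.
from typing import Dict, List

# VLAN -> (router sub-interface, network, wildcard), from the question's config.
VLANS = {
    10: ("FastEthernet0/0.1", "172.16.0.0", "0.0.31.255"),
    20: ("FastEthernet0/0.2", "172.16.32.0", "0.0.31.255"),
    30: ("FastEthernet0/0.3", "172.16.64.0", "0.0.31.255"),
    40: ("FastEthernet0/0.4", "172.16.96.0", "0.0.31.255"),
    50: ("FastEthernet0/0.5", "172.16.128.0", "0.0.31.255"),
}

# VLANs each VLAN may send echo requests to. Intra-VLAN traffic is switched
# locally and never reaches the router, so a VLAN's own subnet is not listed.
MAY_PING: Dict[int, List[int]] = {
    10: [20, 30, 40, 50],
    20: [10, 30, 40, 50],
    30: [50],
    40: [30, 50],
    50: [],
}

def build_acl(vlan: int) -> List[str]:
    """Return the IOS lines for the single inbound ACL on this VLAN's sub-interface."""
    name = f"VLAN{vlan}_IN"  # assumed naming convention
    lines = [f"ip access-list extended {name}",
             f" remark Echo requests that VLAN {vlan} may not originate"]
    for target, (_, net, wc) in sorted(VLANS.items()):
        if target != vlan and target not in MAY_PING[vlan]:
            lines.append(f" deny icmp any {net} {wc} echo")
    lines.append(" permit ip any any")  # echo replies and everything else still pass
    lines += ["!", f"interface {VLANS[vlan][0]}", f" ip access-group {name} in", "!"]
    return lines

def echo_allowed(src_vlan: int, dst_vlan: int) -> bool:
    """Walk the generated ACL top-down for an echo request from src to dst VLAN."""
    dst_net = VLANS[dst_vlan][1]
    for line in build_acl(src_vlan):
        parts = line.split()
        if parts[:3] == ["deny", "icmp", "any"] and parts[3] == dst_net:
            return False
        if parts == ["permit", "ip", "any", "any"]:
            return True
    return False  # implicit deny at the end of every IOS ACL

def render_config() -> str:
    """Full set of ACLs plus the access-group lines, one pair per sub-interface."""
    return "\n".join(l for v in sorted(VLANS) for l in build_acl(v))

if __name__ == "__main__":
    print(render_config())
```

Running it prints the complete per-interface configuration; `echo_allowed` lets you check a source/destination pair against the generated ACLs before pasting them into the router.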