Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Access List Vlan 1

Status
Not open for further replies.

napoleao

IS-IT--Management
Feb 20, 2002
172
PT
Hello,

I have created in our switch core the below access list.

access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 100 remark --[Allow Guest DNS requests to DNS Server]--
access-list 100 permit udp 192.168.100.0 0.0.0.255 host 192.168.101.2 eq domain
access-list 100 remark [Necessary for DHCP Server to receive Client requests]
access-list 100 permit udp any any eq bootps
access-list 100 permit udp any any eq bootpc
access-list 100 remark --[Deny Guest Access to other VLANs]--
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255 log
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.102.0 0.0.0.255 log
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.103.0 0.0.0.255 log
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.104.0 0.0.0.255 log
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.105.0 0.0.0.255 log
access-list 100 remark --[Permit Guest Access to everywhere else -Internet ]--
access-list 100 remark

Then in the Vlan 100 I have:

interface Vlan52
ip address 192.168.100.251 255.255.255.0
ip access-group 100 in
ip helper-address 192.168.101.2

The users that are connected to the Vlan100 they can navigate the internet, and thats fine, the problem, is that, they can still access the other vlans, I have connected to the vlan100 from my ipad, and I can scan all the other vlans. I want the vlan 100 to not be able to scan the other vlans or access the other vlans.
What I am doing wrong?

thank you
 
Is this switch the default gateway for this VLAN (192.168.100.251)?
 
yes,each vlan has switch gw .251

192.168.100.251
192.168.101.251

and so on.
 
You have a permit 192.168.100.0/24 to any at the top of the ACL - its top-down processing so all your traffic entering VLAN 52 will match this and be accepted by the ACL?
 
access-list 100 permit ip 192.168.100.0 0.0.0.255 any

this is matching for pretty much all traffic..

put it after the denys

We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
thank you very much. After changing the order is working fine.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top