Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Access List Vlan 1

Status
Not open for further replies.
napoleao

napoleao

IS-IT--Management
Feb 20, 2002
172
PT
Hello,

I have created in our switch core the below access list.

access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 100 remark --[Allow Guest DNS requests to DNS Server]--
access-list 100 permit udp 192.168.100.0 0.0.0.255 host 192.168.101.2 eq domain
access-list 100 remark [Necessary for DHCP Server to receive Client requests]
access-list 100 permit udp any any eq bootps
access-list 100 permit udp any any eq bootpc
access-list 100 remark --[Deny Guest Access to other VLANs]--
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255 log
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.102.0 0.0.0.255 log
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.103.0 0.0.0.255 log
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.104.0 0.0.0.255 log
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.105.0 0.0.0.255 log
access-list 100 remark --[Permit Guest Access to everywhere else -Internet ]--
access-list 100 remark

Then in the Vlan 100 I have:

interface Vlan52
ip address 192.168.100.251 255.255.255.0
ip access-group 100 in
ip helper-address 192.168.101.2

The users that are connected to the Vlan100 they can navigate the internet, and thats fine, the problem, is that, they can still access the other vlans, I have connected to the vlan100 from my ipad, and I can scan all the other vlans. I want the vlan 100 to not be able to scan the other vlans or access the other vlans.
What I am doing wrong?

thank you
 
Sort by date Sort by votes
Is this switch the default gateway for this VLAN (192.168.100.251)?
 
Upvote 0 Downvote
yes,each vlan has switch gw .251

192.168.100.251
192.168.101.251

and so on.
 
Upvote 0 Downvote
You have a permit 192.168.100.0/24 to any at the top of the ACL - its top-down processing so all your traffic entering VLAN 52 will match this and be accepted by the ACL?
 
Upvote 0 Downvote
access-list 100 permit ip 192.168.100.0 0.0.0.255 any

this is matching for pretty much all traffic..

put it after the denys

We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
Upvote 0 Downvote
thank you very much. After changing the order is working fine.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

cheikhdtn
  • Locked
  • Question
VLAN
Replies
3
Views
85
iggsterman
iggsterman
dmourghen
  • Locked
  • Question
PBR issue and Access-list
Replies
0
Views
85
dmourghen
dmourghen
CDIV
  • Locked
  • Question
Use uplink port as access port 2960 1
Replies
9
Views
292
CDIV
CDIV
CDIV
  • Locked
  • Question
How do I enable SSH access in 2960x 1
Replies
4
Views
473
iggsterman
iggsterman
mikey789
  • Locked
  • Question
Can 4000-M Routing VLANs ?
Replies
0
Views
71
mikey789
mikey789

Part and Inventory Search

Sponsor

Back
Top