Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Cisco Switch Core Vlans Isolation

Status
Not open for further replies.
napoleao

napoleao

IS-IT--Management
Feb 20, 2002
172
PT
Hello,


I have a network with three VLans, vlan2 is users, vlan 20 is server, and vlan 21 is public
I want vlan 21 to be isolated, from this vlan it should not be possible to access any device in vlan 2 and vlan20.
I have addeed this access list to the switch but i can still acess the devices from the other vlans but still i can access everything, can someone please point me what is wrong.

ip access-list extended OnlyInternet
permit udp any host 192.168.20.2 eq bootps bootpc domain
deny ip any 192.168.2.0 0.0.0.255
deny ip any 192.168.20.0 0.0.0.255
permit ip any any


interface Vlan21
ip address 192.168.21.251 255.255.255.0
ip access-group OnlyInternet out
ip helper-address 192.168.20.2




 
Sort by date Sort by votes
Either reverse soutrce and destination on each ACL line or (easier) change "ip access-group OnlyInternet out" to "ip access-group OnlyInternet in".
 
Upvote 0 Downvote
if i change to in, all vlan stop having internet, and even with "in" using the public vlan i was able to access the server vlan. Really dont know what is wrong.
 
Upvote 0 Downvote
It's been a while since I have used anything access list wise in this fashion, so may be a little rusty .....

ip access-list extended OnlyInternet - Name of access list
permit udp any host 192.168.20.2 eq bootps bootpc domain - Permit UDP from Host 192.168.20.2 that equals the elements described
deny ip any 192.168.2.0 0.0.0.255 - Deny anything from 192.168.2.0 network (IP based)
deny ip any 192.168.20.0 0.0.0.255 - Deny anything from 192.168.20.0 Network (IP based)
permit ip any any - Permit all other traffic

Then you are applying this list to the interface of VLAN 21

I may be wrong here, but the way you have the access list configured is saying "From" the 2 networks, but you are applying it to VLAN21.... those two deny lines, as far as I am aware, but could be wrong, are blocking traffic going out from those networks..... well, those networks don't exist.... only VLAN 21 does where you have applied it....

Surely you want to block traffic from those networks coming in or exiting, not saying they already exist as they don't. And they are basic commands.... for a standard access list, or could be.

Could you not create a standard access list and block traffic from VLAN 21 at the IN interfaces of VLAN 2 and VLAN 20?

Just a thought :)
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Skip Rango
  • Locked
  • Question
how to backup cisco sg500-52p switch
Replies
1
Views
236
madwok
madwok
pbxcomm
  • Locked
  • Question
CISCO VG450
Replies
1
Views
247
bdk76
bdk76
Jared R
  • Locked
  • Question
Cisco UC320W Paging Help
Replies
0
Views
224
Jared R
Jared R
Hayden09
  • Locked
  • Question
Cisco Sg-300 Flapping?
Replies
0
Views
237
Hayden09
Hayden09
JMarine0811
  • Locked
  • Question
CISCO VG450 Factory reset
Replies
1
Views
293
whykap
whykap

Part and Inventory Search

Sponsor

Back
Top