Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Cisco Switch Core Vlans Isolation

Status
Not open for further replies.

napoleao

IS-IT--Management
Feb 20, 2002
172
PT
Hello,


I have a network with three VLans, vlan2 is users, vlan 20 is server, and vlan 21 is public
I want vlan 21 to be isolated, from this vlan it should not be possible to access any device in vlan 2 and vlan20.
I have addeed this access list to the switch but i can still acess the devices from the other vlans but still i can access everything, can someone please point me what is wrong.

ip access-list extended OnlyInternet
permit udp any host 192.168.20.2 eq bootps bootpc domain
deny ip any 192.168.2.0 0.0.0.255
deny ip any 192.168.20.0 0.0.0.255
permit ip any any


interface Vlan21
ip address 192.168.21.251 255.255.255.0
ip access-group OnlyInternet out
ip helper-address 192.168.20.2




 
Either reverse soutrce and destination on each ACL line or (easier) change "ip access-group OnlyInternet out" to "ip access-group OnlyInternet in".
 
if i change to in, all vlan stop having internet, and even with "in" using the public vlan i was able to access the server vlan. Really dont know what is wrong.
 
It's been a while since I have used anything access list wise in this fashion, so may be a little rusty .....

ip access-list extended OnlyInternet - Name of access list
permit udp any host 192.168.20.2 eq bootps bootpc domain - Permit UDP from Host 192.168.20.2 that equals the elements described
deny ip any 192.168.2.0 0.0.0.255 - Deny anything from 192.168.2.0 network (IP based)
deny ip any 192.168.20.0 0.0.0.255 - Deny anything from 192.168.20.0 Network (IP based)
permit ip any any - Permit all other traffic

Then you are applying this list to the interface of VLAN 21

I may be wrong here, but the way you have the access list configured is saying "From" the 2 networks, but you are applying it to VLAN21.... those two deny lines, as far as I am aware, but could be wrong, are blocking traffic going out from those networks..... well, those networks don't exist.... only VLAN 21 does where you have applied it....

Surely you want to block traffic from those networks coming in or exiting, not saying they already exist as they don't. And they are basic commands.... for a standard access list, or could be.

Could you not create a standard access list and block traffic from VLAN 21 at the IN interfaces of VLAN 2 and VLAN 20?

Just a thought :)
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top