Cisco Switch Core Vlans Isolation


(OP)
Hello,


I have a network with three VLANs: vlan 2 is users, vlan 20 is servers, and vlan 21 is public.
I want vlan 21 to be isolated; from this vlan it should not be possible to access any device in vlan 2 and vlan 20.
I have added this access list to the switch, but I can still access the devices from the other vlans; I can still access everything. Can someone please point out what is wrong?

ip access-list extended OnlyInternet
permit udp any host 192.168.20.2 eq bootps bootpc domain
deny ip any 192.168.2.0 0.0.0.255
deny ip any 192.168.20.0 0.0.0.255
permit ip any any


interface Vlan21
ip address 192.168.21.251 255.255.255.0
ip access-group OnlyInternet out
ip helper-address 192.168.20.2




RE: Cisco Switch Core Vlans Isolation

Either reverse source and destination on each ACL line or (easier) change "ip access-group OnlyInternet out" to "ip access-group OnlyInternet in".

RE: Cisco Switch Core Vlans Isolation

(OP)
If I change it to "in", all VLANs stop having internet, and even with "in", using the public VLAN I was able to access the server VLAN. Really don't know what is wrong.

RE: Cisco Switch Core Vlans Isolation

It's been a while since I have used anything access list wise in this fashion, so may be a little rusty .....

ip access-list extended OnlyInternet - Name of access list
permit udp any host 192.168.20.2 eq bootps bootpc domain - Permit UDP from Host 192.168.20.2 that equals the elements described
deny ip any 192.168.2.0 0.0.0.255 - Deny anything from 192.168.2.0 network (IP based)
deny ip any 192.168.20.0 0.0.0.255 - Deny anything from 192.168.20.0 Network (IP based)
permit ip any any - Permit all other traffic

Then you are applying this list to the interface of VLAN 21

I may be wrong here, but the way you have the access list configured is saying "From" the 2 networks, but you are applying it to VLAN21.... those two deny lines, as far as I am aware, but could be wrong, are blocking traffic going out from those networks..... well, those networks don't exist.... only VLAN 21 does where you have applied it....

Surely you want to block traffic from those networks coming in or exiting, not saying they already exist as they don't. And they are basic commands.... for a standard access list, or could be.

Could you not create a standard access list and block traffic from VLAN 21 at the IN interfaces of VLAN 2 and VLAN 20?

Just a thought :)
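The first reply's point about ACL direction, and the third reply's walk-through of the lines, can be checked with a small model of how an IOS ACL on an SVI is consulted. The script below is an added illustration written for this thread; it is not code from the original posts and not Cisco's implementation. It models only what the replies discuss: "in" on Vlan21 inspects packets entering the switch from VLAN 21 hosts, "out" on Vlan21 inspects packets the switch sends toward VLAN 21 hosts, lines are evaluated first-match, and every ACL ends with an implicit deny. The host addresses in the sample packets are constructed; the ACL entries are the OP's, transcribed into tuples. One caveat the model makes visible: the ACL is stateless, so applying it "in" on Vlan21 also drops replies from VLAN 21 to sessions that VLAN 2 or VLAN 20 hosts open toward VLAN 21.

```python
"""Toy model of ACL direction on a Cisco IOS SVI (added example, not the thread's own code)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0


# IOS port keywords used in the OP's first ACL line.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}

# The OP's "OnlyInternet" ACL as (action, protocol, source, destination, destination ports).
ONLY_INTERNET = [
    ("permit", "udp", "any", "host 192.168.20.2", {PORT_NAMES["bootps"], PORT_NAMES["bootpc"], PORT_NAMES["domain"]}),
    ("deny", "ip", "any", "192.168.2.0 0.0.0.255", set()),
    ("deny", "ip", "any", "192.168.20.0 0.0.0.255", set()),
    ("permit", "ip", "any", "any", set()),
]

# Subnet behind interface Vlan21 (from the OP's "ip address 192.168.21.251 255.255.255.0").
VLAN21 = ipaddress.ip_network("192.168.21.0/24")


def _match_addr(spec: str, addr: str) -> bool:
    """Match an address against 'any', 'host A.B.C.D' or 'NET WILDCARD'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(spec[5:]) == ipaddress.ip_address(addr)
    net, wildcard = spec.split()
    # IOS wildcard mask: 0 bits must match, 1 bits are don't-care.
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(net)) & care)


def evaluate(acl, pkt: Packet) -> str:
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for action, proto, src, dst, dports in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (_match_addr(src, pkt.src) and _match_addr(dst, pkt.dst)):
            continue
        if dports and pkt.dport not in dports:
            continue
        return action
    return "deny"


def forward(pkt: Packet, acl, direction: str):
    """Route a packet through the L3 switch with `acl` bound to Vlan21 in `direction`.

    Returns (verdict, consulted). A packet that never crosses Vlan21 in the
    filtered direction is forwarded without the ACL being looked at.
    """
    src_in_21 = ipaddress.ip_address(pkt.src) in VLAN21
    dst_in_21 = ipaddress.ip_address(pkt.dst) in VLAN21
    consulted = (direction == "in" and src_in_21) or (direction == "out" and dst_in_21)
    if not consulted:
        return "permit", False
    return evaluate(acl, pkt), True


def demo():
    """Constructed sample flows; returns rows of (description, direction, verdict, consulted)."""
    flows = [
        ("public host -> user PC (SMB)", Packet("tcp", "192.168.21.10", "192.168.2.5", 445)),
        ("public host -> server (SSH)", Packet("tcp", "192.168.21.10", "192.168.20.5", 22)),
        ("public host -> DNS on 192.168.20.2", Packet("udp", "192.168.21.10", "192.168.20.2", 53)),
        ("public host -> internet (HTTPS)", Packet("tcp", "192.168.21.10", "198.51.100.7", 443)),
        ("user PC -> public host (HTTP)", Packet("tcp", "192.168.2.5", "192.168.21.10", 80)),
    ]
    rows = []
    for label, pkt in flows:
        for direction in ("out", "in"):
            verdict, consulted = forward(pkt, ONLY_INTERNET, direction)
            rows.append((label, direction, verdict, consulted))
    return rows


if __name__ == "__main__":
    for label, direction, verdict, consulted in demo():
        note = "" if consulted else " (ACL not in path)"
        print(f"{label:38s} access-group {direction:3s}: {verdict}{note}")
```

Running it shows the OP's symptom: with the list applied "out", a packet from a VLAN 21 host to 192.168.2.5 is routed without the ACL ever being consulted, because it leaves the switch on Vlan2, not Vlan21. Applied "in", the same packet hits the second deny line, while DNS to 192.168.20.2 and general internet traffic still match the permit lines.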
