Access List Vlan

(OP)
Hello,

I have created the access list below on our core switch.

access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 100 remark --[Allow Guest DNS requests to DNS Server]--
access-list 100 permit udp 192.168.100.0 0.0.0.255 host 192.168.101.2 eq domain
access-list 100 remark [Necessary for DHCP Server to receive Client requests]
access-list 100 permit udp any any eq bootps
access-list 100 permit udp any any eq bootpc
access-list 100 remark --[Deny Guest Access to other VLANs]--
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255 log
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.102.0 0.0.0.255 log
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.103.0 0.0.0.255 log
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.104.0 0.0.0.255 log
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.105.0 0.0.0.255 log
access-list 100 remark --[Permit Guest Access to everywhere else -Internet ]--
access-list 100 remark

Then on Vlan 100 I have:

interface Vlan52
ip address 192.168.100.251 255.255.255.0
ip access-group 100 in
ip helper-address 192.168.101.2

The users that are connected to Vlan100 can browse the internet, and that's fine. The problem is that they can still access the other VLANs: I connected to Vlan100 from my iPad, and I can scan all the other VLANs. I want Vlan 100 to not be able to scan or access the other VLANs.
What am I doing wrong?

thank you

RE: Access List Vlan

Is this switch the default gateway for this VLAN (192.168.100.251)?

RE: Access List Vlan

(OP)
yes, each vlan has the switch as gw .251

192.168.100.251
192.168.101.251

and so on.

RE: Access List Vlan

You have a permit 192.168.100.0/24 to any at the top of the ACL - it's top-down processing, so all your traffic entering VLAN 52 will match this and be accepted by the ACL?

RE: Access List Vlan

access-list 100 permit ip 192.168.100.0 0.0.0.255 any

this is matching pretty much all traffic..

put it after the denies

We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
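The two replies above make the same point: the ACL is evaluated top-down and the first matching entry wins, so a broad permit placed above the denies makes the denies unreachable. The following Python script is an added example, not code from the thread or from Cisco; it implements a small first-match simulator for extended numbered ACL syntax (wildcard masks, host/any, eq ports, remark lines skipped) and runs a handful of constructed sample flows through the OP's ACL as posted and through the same entries with the broad permit moved below the denies. The names parse_acl, evaluate and audit, and the sample flows and IPs other than those in the thread, are assumptions for this example; the implicit deny at the end of every Cisco ACL is modelled, but stateful matching and ICMP types are not.

```python
"""First-match simulator for Cisco-style extended numbered ACLs (added example)."""
import ipaddress

# Service names used in the thread's ACL, mapped to port numbers.
PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68}

# The ACL as the OP posted it: the broad permit sits above the denies.
ORIGINAL_ACL = """
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 100 remark --[Allow Guest DNS requests to DNS Server]--
access-list 100 permit udp 192.168.100.0 0.0.0.255 host 192.168.101.2 eq domain
access-list 100 remark [Necessary for DHCP Server to receive Client requests]
access-list 100 permit udp any any eq bootps
access-list 100 permit udp any any eq bootpc
access-list 100 remark --[Deny Guest Access to other VLANs]--
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255 log
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.102.0 0.0.0.255 log
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.103.0 0.0.0.255 log
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.104.0 0.0.0.255 log
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.105.0 0.0.0.255 log
"""

# Same entries with the broad permit moved below the denies, as the reply advises.
REORDERED_ACL = """
access-list 100 permit udp 192.168.100.0 0.0.0.255 host 192.168.101.2 eq domain
access-list 100 permit udp any any eq bootps
access-list 100 permit udp any any eq bootpc
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255 log
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.102.0 0.0.0.255 log
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.103.0 0.0.0.255 log
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.104.0 0.0.0.255 log
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.105.0 0.0.0.255 log
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
"""


def _parse_addr(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((network, wildcard), next_index)."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wildcard), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq PORT'; return (port number or None, next_index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text):
    """Turn ACL lines into (action, proto, src, sport, dst, dport) tuples in order.
    Remark lines and anything that is not an 'access-list' entry are skipped."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)          # a trailing 'log' keyword is ignored
        rules.append((action, proto, src, sport, dst, dport))
    return rules


def _addr_matches(spec, addr):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    net, wildcard = spec
    keep = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & keep) == (net & keep)


def evaluate(rules, proto, src, dst, sport=None, dport=None):
    """Return (action, rule_index) for the first matching entry, or ('deny', None)
    for the implicit deny that ends every Cisco ACL."""
    for idx, (action, rproto, rsrc, rsport, rdst, rdport) in enumerate(rules):
        if rproto != "ip" and rproto != proto:
            continue
        if not _addr_matches(rsrc, src) or not _addr_matches(rdst, dst):
            continue
        if rsport is not None and rsport != sport:
            continue
        if rdport is not None and rdport != dport:
            continue
        return action, idx
    return "deny", None


# Constructed sample flows (hosts other than 192.168.101.2 are invented here).
SAMPLE_FLOWS = {
    "guest->vlan101":  ("tcp", "192.168.100.10", "192.168.101.20", 50001, 445),
    "guest->dns":      ("udp", "192.168.100.10", "192.168.101.2", 51000, 53),
    "guest->internet": ("tcp", "192.168.100.10", "8.8.8.8", 51001, 443),
    "dhcp-discover":   ("udp", "0.0.0.0", "255.255.255.255", 68, 67),
}


def audit(acl_text):
    """Map each sample flow name to the action the ACL would take on it."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, *flow)[0] for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("as posted", ORIGINAL_ACL), ("reordered", REORDERED_ACL)):
        print(label, audit(acl))
```

Running the script shows guest->vlan101 permitted by the ACL as posted (the first entry matches it) and denied once the broad permit is moved to the bottom, while DNS, DHCP and internet traffic stay permitted in both orders. The same approach is a cheap regression check before pushing an ACL change: keep the flows you expect to be blocked and allowed in a list and assert on them.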

RE: Access List Vlan

(OP)
thank you very much. After changing the order it is working fine.
