
How to Block Ports on VLANs?


100mbs

MIS
Feb 14, 2002
142
US

I have a Cisco 3550 Layer 3 switch. I have several VLANs set up on it. All of my VLANs are for internal (same site) use. I want to block some of the VLANs from being able to pass port 135 traffic to the other VLANs.

The second thing is I want to be able to block certain IPs from being able to get to certain VLANs as well.


Any help on this would be very helpful.


Thanks in advance,

Chuck..

 
I tried to create an access-list on top of the one that is already there.

I created an Access-list by doing the following:

router#conf t
router(config)#access-list 111 deny ip host 10.1.1.100 any
router(config)#exit
router#wr mem

****10.1.1.100 is the IP of the PC that I want to block from certain VLANs.


Then I went to configure the VLAN that I don't want that IP to access.
router#conf t
router(config)#interface vlan 4
router(config-if)#ip access-group 111 in
router(config-if)#ip access-group 111 out
router(config-if)#end
router#wr mem

After doing this NO one was able to access anything on the network.

Does this seem right at all?

When I entered this info in, it was placed below the first line of my original access-list, "access-list 7 permit any".

100mbs...


(Original Access-List Below)
!
access-list 7 permit any
arp 10.1.1.1 0800.20b0.90b0 ARPA
arp 10.1.1.2 0800.20c0.a000 ARPA
arp 10.1.1.3 0800.2080.8030 ARPA
arp 10.1.1.4 0800.2080.6050 ARPA
 
Unfortunately you have made the typical mistake of remembering that at the end of every access list there is an implicit deny. Basically your access list is set up to deny everything. Not only will it deny the IP address of 10.1.1.100, but it will also block everything else because nothing else is permitted (implicitly denied). If you add to your access list "access-list 111 permit any any", your users will now be able to access network resources.

 
Thanks for the reply, state. So, just to clarify what you are saying: I need to create access-list 111 and then add the access-list command that you stated below my entry? So it will look like this.

access-list 7 permit any
access-list 111 deny ip host 10.1.1.100 any
access-list 111 permit ip any any

arp 10.1.1.1 0800.20b0.90b0 ARPA
arp 10.1.1.2 0800.20c0.a000 ARPA
arp 10.1.1.3 0800.2080.8030 ARPA
arp 10.1.1.4 0800.2080.6050 ARPA

Thanks again...
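Added example (not posted by anyone in this thread): one extended ACL that covers both requests from the first post, the port 135 block between VLANs and the per-host block, together with the explicit catch-all permit that the second reply explains. On an extended (100-199) list the catch-all needs a protocol keyword, so it is "permit ip any any". The addressing is an assumption: VLAN 1 is 10.1.1.0/24 (where 10.1.1.100 lives), VLAN 4 is 10.1.4.0/24, and every VLAN sits inside 10.1.0.0/16. Adjust the numbers to the real subnets before using it.

```text
! Added example, not from the thread. Assumed addressing:
!   VLAN 1 = 10.1.1.0/24 (source VLAN, contains 10.1.1.100)
!   VLAN 4 = 10.1.4.0/24 (the VLAN that host must not reach)
!   all VLANs inside 10.1.0.0/16
configure terminal
!
! Entries are checked top to bottom and the first match wins. Anything that
! matches no entry is dropped by the implicit deny at the end of the list,
! which is why the thread's original two-line list blocked everyone.
access-list 111 remark Keep host 10.1.1.100 out of VLAN 4
access-list 111 deny   ip host 10.1.1.100 10.1.4.0 0.0.0.255
access-list 111 remark No RPC endpoint mapper (135/tcp, 135/udp) to the other VLANs
access-list 111 deny   tcp any 10.1.0.0 0.0.255.255 eq 135
access-list 111 deny   udp any 10.1.0.0 0.0.255.255 eq 135
access-list 111 remark Explicit catch-all; without it the implicit deny drops all routed traffic
access-list 111 permit ip any any
!
! "in" on the SVI means packets arriving from hosts in VLAN 1 on their way
! to other VLANs. Apply it once, in one direction, on the source VLAN.
interface Vlan1
 ip access-group 111 in
!
end
write memory
!
! Verification: per-entry match counters and the interface the list is bound to
show access-lists 111
show ip interface Vlan1
```

Two points worth knowing when checking the result: a router ACL on an SVI only sees traffic that is routed between VLANs, so two hosts in the same VLAN can still talk on port 135 and this list cannot stop that; and the match counters from "show access-lists 111" are the quickest way to confirm which entry is actually catching the traffic before assuming the list is wrong. If the host in question moves between VLANs, the same host entry can instead be applied "out" on interface Vlan4, which catches 10.1.1.100 whichever VLAN it is sending from.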
 