VLAN issue with Access List

somnath21 (Level 1)

Hi,

I have configured one VLAN in my CORE and Access Switches. I want to give limited access to the users under this VLAN.

Users under this VLAN should be able to access only 10.138.77.54 and the Internet.

Users under this VLAN should not get access to 10.138.74.0 / 10.138.75.0 / 10.138.76.0 / 10.138.77.0 (except 10.138.77.54).

The issue we are getting with my current configuration is that users under this VLAN get access to all resources in the 10.138.77.0 range.

I have attached the configuration.

Please guide me on this issue.

4 Replies

andrew.prince (Level 10)

Your ACL inverted masks are wrong; try:

access-list 119 permit ip 192.168.100.0 0.0.0.15 host 10.138.77.54
access-list 119 deny ip 192.168.100.0 0.0.0.15 10.138.77.0 0.0.0.255
access-list 119 deny ip 192.168.100.0 0.0.0.15 10.138.76.0 0.0.0.255
access-list 119 deny ip 192.168.100.0 0.0.0.15 10.138.75.0 0.0.0.255
access-list 119 deny ip 192.168.100.0 0.0.0.15 10.138.74.0 0.0.0.255
access-list 119 permit ip any any

HTH

Andrew is right. But if it doesn't work after that, instead of "ip access-group 119 in", try "ip access-group 119 out", since you want this ACL to be applied to outgoing traffic from VLAN 19.

Cheers,

somnath21 (Level 1)

Hi,

But my VLAN is on the network 192.168.100.16 255.255.255.240.

Now, if I configure 192.168.100.0 0.0.0.15 in the access list, the range will be 192.168.100.0 to 192.168.100.15, but my network is 192.168.100.16/28.

Please guide.

Change your access list to this:

access-list 119 permit ip 192.168.100.16 0.0.0.15 host 10.138.77.54
access-list 119 deny ip 192.168.100.16 0.0.0.15 10.138.77.0 0.0.0.255
access-list 119 deny ip 192.168.100.16 0.0.0.15 10.138.76.0 0.0.0.255
access-list 119 deny ip 192.168.100.16 0.0.0.15 10.138.75.0 0.0.0.255
access-list 119 deny ip 192.168.100.16 0.0.0.15 10.138.74.0 0.0.0.255
access-list 119 permit ip any any

You are correct in what you say; it should be 192.168.100.16 0.0.0.15. I suspect Andrew was referring to the 10.138.77.x entries and 192.168.100.0 was a typo. ACLs are checked in order, so if you permit traffic to 10.138.77.54 in line 1 and then deny all traffic to 10.138.77.0/24, that will work for you.

Also, contrary to the other post, the ACL is applied correctly in your config, i.e. inbound.

Jon
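The two points Jon makes above (wildcard-mask arithmetic and first-match ordering) are easy to check offline. The following is an added example, not code from the thread or from Cisco: a small first-match evaluator for the `access-list N permit|deny ip SRC DST` lines posted in this thread. It parses the wildcard masks the way IOS does (a 1 bit in the wildcard means "don't care"), appends the implicit `deny ip any any`, and then walks constructed test packets through Jon's ACL, through Andrew's version with the `192.168.100.0` base address, and through a reordered copy where the `/24` deny sits above the `host` permit. The host address 192.168.100.20 and the destinations 10.138.77.10, 10.138.74.200 and 8.8.8.8 are constructed sample packets, not addresses from the original post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

MASK32 = 0xFFFFFFFF


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_spec(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse one ACL address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'.
    Returns (base, wildcard, index_of_next_token)."""
    tok = tokens[i]
    if tok == "any":
        return 0, MASK32, i + 1          # every bit is "don't care"
    if tok == "host":
        return _ip(tokens[i + 1]), 0, i + 2   # every bit must match
    return _ip(tok), _ip(tokens[i + 1]), i + 2


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: int
    src_wc: int
    dst: int
    dst_wc: int
    text: str     # original line, so a match can be reported back to the reader

    @staticmethod
    def _covers(base: int, wildcard: int, addr: int) -> bool:
        # Bits set to 1 in the wildcard are ignored; all others must equal the base.
        # IOS normalises the base the same way, so 192.168.100.0 0.0.0.15 covers
        # .0-.15 and can never match a host in 192.168.100.16/28.
        keep = ~wildcard & MASK32
        return (addr & keep) == (base & keep)

    def matches(self, src: int, dst: int) -> bool:
        return self._covers(self.src, self.src_wc, src) and \
               self._covers(self.dst, self.dst_wc, dst)


def parse_acl(config: str) -> List[AclEntry]:
    """Parse 'access-list N permit|deny ip SRC DST' lines; other lines are skipped."""
    entries = []
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, src_wc, i = _parse_spec(t, 4)
        dst, dst_wc, _ = _parse_spec(t, i)
        entries.append(AclEntry(t[2], src, src_wc, dst, dst_wc, line.strip()))
    return entries


def evaluate(acl: List[AclEntry], src: str, dst: str) -> Tuple[str, str]:
    """First matching entry wins; the trailing implicit deny catches everything else."""
    s, d = _ip(src), _ip(dst)
    for entry in acl:
        if entry.matches(s, d):
            return entry.action, entry.text
    return "deny", "implicit deny ip any any"


# Jon's corrected list, as posted in the thread.
JON_ACL_TEXT = """
access-list 119 permit ip 192.168.100.16 0.0.0.15 host 10.138.77.54
access-list 119 deny ip 192.168.100.16 0.0.0.15 10.138.77.0 0.0.0.255
access-list 119 deny ip 192.168.100.16 0.0.0.15 10.138.76.0 0.0.0.255
access-list 119 deny ip 192.168.100.16 0.0.0.15 10.138.75.0 0.0.0.255
access-list 119 deny ip 192.168.100.16 0.0.0.15 10.138.74.0 0.0.0.255
access-list 119 permit ip any any
"""
JON_ACL = parse_acl(JON_ACL_TEXT)

# Andrew's list with the 192.168.100.0 base: the source never matches a /28 host.
TYPO_ACL = parse_acl(JON_ACL_TEXT.replace("192.168.100.16 0.0.0.15", "192.168.100.0 0.0.0.15"))

# Same entries as Jon's, but with the /24 deny placed ahead of the host permit.
lines = JON_ACL_TEXT.strip().splitlines()
REORDERED_ACL = parse_acl("\n".join([lines[1], lines[0]] + lines[2:]))

# Constructed sample packets (not from the original post): a VLAN host at .20.
SAMPLES = [("192.168.100.20", "10.138.77.54"), ("192.168.100.20", "10.138.77.10"),
           ("192.168.100.20", "10.138.74.200"), ("192.168.100.20", "8.8.8.8")]

if __name__ == "__main__":
    for name, acl in (("jon", JON_ACL), ("typo", TYPO_ACL), ("reordered", REORDERED_ACL)):
        for src, dst in SAMPLES:
            action, why = evaluate(acl, src, dst)
            print(f"{name:9} {src} -> {dst:14} {action:6} ({why})")
```

Running it shows Jon's list permitting only the host and the Internet, the `192.168.100.0` variant letting every destination through on `permit ip any any` because none of the VLAN-scoped entries ever match a `.16/28` source, and the reordered copy denying the host that was meant to be reachable. On the direction question: because every entry's source field is the VLAN's own subnet, the list describes packets leaving the hosts, which arrive at the SVI from the VLAN, so `ip access-group 119 in` is the matching direction, as Jon says.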
