10-15-2008 05:06 AM - edited 03-06-2019 01:56 AM
Hi,
I have configured one VLAN on my CORE and Access Switches. I want to give limited access to the users in this VLAN.
Users in this VLAN should be able to access only 10.138.77.54 and the Internet.
Users in this VLAN should not get access to 10.138.74.0 / 10.138.75.0 / 10.138.76.0 / 10.138.77.0 (except 10.138.77.54).
The issue we are getting with my current configuration is that users in this VLAN get access to all resources in the 10.138.77.0 range.
I have attached the configuration.
Please guide me on this issue.
10-15-2008 05:24 AM
Your ACL inverted masks are wrong, try:
access-list 119 permit ip 192.168.100.0 0.0.0.15 host 10.138.77.54
access-list 119 deny ip 192.168.100.0 0.0.0.15 10.138.77.0 0.0.0.255
access-list 119 deny ip 192.168.100.0 0.0.0.15 10.138.76.0 0.0.0.255
access-list 119 deny ip 192.168.100.0 0.0.0.15 10.138.75.0 0.0.0.255
access-list 119 deny ip 192.168.100.0 0.0.0.15 10.138.74.0 0.0.0.255
access-list 119 permit ip any any
HTH
10-15-2008 05:39 AM
Andrew is right. But if it doesn't work after that, instead of "ip access-group 119 in", try "ip access-group 119 out", since you want this ACL to be applied on outgoing traffic from VLAN 19.
Cheers,
10-15-2008 09:06 AM
Hi,
But my VLAN is on network 192.168.100.16 255.255.255.240.
Now if I configure 192.168.100.0 0.0.0.15 in the access list, the range will become 192.168.100.0 to 192.168.100.15, but my network is 192.168.100.16/28.
Please guide.
10-15-2008 09:44 AM
Change your access-list to this
access-list 119 permit ip 192.168.100.16 0.0.0.15 host 10.138.77.54
access-list 119 deny ip 192.168.100.16 0.0.0.15 10.138.77.0 0.0.0.255
access-list 119 deny ip 192.168.100.16 0.0.0.15 10.138.76.0 0.0.0.255
access-list 119 deny ip 192.168.100.16 0.0.0.15 10.138.75.0 0.0.0.255
access-list 119 deny ip 192.168.100.16 0.0.0.15 10.138.74.0 0.0.0.255
access-list 119 permit ip any any
You are correct in what you say, it should be 192.168.100.16 0.0.0.15. I suspect Andrew was referring to the 10.138.77.x entries and 192.168.100.0 was a typo. ACLs are checked in order, so if you permit traffic to 10.138.77.54 in line 1 and then deny all traffic to 10.138.77.0/24, that will work for you.
Also, contrary to the other poster's reply, the ACL is applied correctly in your config, i.e. inbound.
Jon
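To make the two points in this thread concrete (wildcard masks match by bit, and ACL lines are evaluated first-match with an implicit deny at the end), here is an added Python evaluator for the ACL lines posted above. It is not from the thread or from Cisco; the source host 192.168.100.20 and the "Internet" address 203.0.113.9 are constructed test values.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr)) & care
    b = int(ipaddress.IPv4Address(base)) & care
    return a == b

def parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    """Parse 'access-list <n> <permit|deny> ip <src> <dst>' into (action, src, dst)."""
    tokens = line.split()
    action = tokens[2]
    src, rest = parse_addr(tokens[4:])   # skip 'access-list', number, action, 'ip'
    dst, _ = parse_addr(rest)
    return action, src, dst

def evaluate(acl, src, dst):
    """First-match evaluation; a packet matching no line hits the implicit deny."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# Jon's corrected list from the thread, with the /28 base address 192.168.100.16.
ACL_CORRECTED = [
    "access-list 119 permit ip 192.168.100.16 0.0.0.15 host 10.138.77.54",
    "access-list 119 deny ip 192.168.100.16 0.0.0.15 10.138.77.0 0.0.0.255",
    "access-list 119 deny ip 192.168.100.16 0.0.0.15 10.138.76.0 0.0.0.255",
    "access-list 119 deny ip 192.168.100.16 0.0.0.15 10.138.75.0 0.0.0.255",
    "access-list 119 deny ip 192.168.100.16 0.0.0.15 10.138.74.0 0.0.0.255",
    "access-list 119 permit ip any any",
]
# Same list with the first reply's 192.168.100.0 base: it never matches hosts .16-.31,
# so those hosts fall through to 'permit ip any any' and reach all of 10.138.77.0/24.
ACL_WRONG_BASE = [line.replace("192.168.100.16", "192.168.100.0") for line in ACL_CORRECTED]

if __name__ == "__main__":
    # 192.168.100.20 is a constructed host in the VLAN subnet; 203.0.113.9 stands in for the Internet.
    for dst in ("10.138.77.54", "10.138.77.10", "10.138.74.1", "203.0.113.9"):
        print(dst, evaluate(ACL_CORRECTED, "192.168.100.20", dst),
              evaluate(ACL_WRONG_BASE, "192.168.100.20", dst))
```

Swapping the first two lines of ACL_CORRECTED makes the evaluator deny 10.138.77.54 as well, which is the ordering point Jon makes.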