01-04-2009 08:08 PM - edited 03-06-2019 03:14 AM
I have a 3560 and I created two Vlans on it. I created vlan 100 and vlan 110.
This switch is running in layer3 so it will route. I started the DHCP server because we need to enable dhcp.
I created two pools and I called them vlan100 and vlan110
vlan100 I set an IP network of 192.168.1.XXX /24
vlan110 I set 192.168.2.XXX /24
On each vlan interface, I added an address of 192.168.X.1 /24. I added this because I thought that was the only way to get the dhcp server to hand out dhcp to that subnet.
My problem now is, because it's a layer 3 switch they can route now. They can route to each other.
I removed the default gateway out of the DHCP pools so the clients do not get a default gateway. But if they add it in, it still works.
The only way to get around this is an access-list?
How do I create it? I want them to get DHCP but not get out to another VLAN.
Or am I doing this all wrong, and is there another way?
01-04-2009 09:51 PM
>en
#config t
(config)# ip access-list extended NAME
(config-ext-nacl)#permit ip host 192.168.1.X 192.168.2.XXX 0.0.0.255 (this is to permit the guy to access the other vlan, you can add many permit lines)
(config-ext-nacl)#deny ip any 192.168.2.XXX 0.0.0.255 (this is to deny all other guys to get to the other vlan).
(config-ext-nacl)#exit
(config)#int vlan 1
(config-if)#ip access-group NAME in (apply the access-list to the traffic coming into the vlan 1 from the vlan 1 users, alternatively this can be applied in the outbound direction on vlan 2 interface. remember that only 1 access-list can be applied to an interface in one particular direction.)
Rate if helpful.
01-05-2009 05:26 AM
Donald
The suggestion by Victor would allow certain traffic between VLAN 100 and 110 and would allow traffic from the local VLAN to outside resources but not to the other VLAN. My understanding of your post is that you do not want anyone in VLAN 100 to communicate with anyone in VLAN 110. If that is correct then you do not need the command:
permit ip host 192.168.1.X 192.168.2.XXX 0.0.0.255
I am not clear from your post whether you want devices in the VLANs to communicate with outside resources or whether you want them to only communicate locally. Perhaps you can clarify this?
HTH
Rick
01-05-2009 06:54 AM
I do not want them to communicate. I added an access list deny icmp any any and deny ip any any.
I think though I just broke the dhcp server
I just enabled udp dhcp on port 67
01-05-2009 08:21 AM
Donald
Yes if you have deny icmp any any and deny ip any any as an inbound access list then you will break DHCP. You would need to permit the UDP ports for DHCP (you could permit any any or you could limit it to permit any host 255.255.255.255 since the DHCP request is a broadcast packet).
HTH
Rick
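An added example (not from any poster in this thread) putting Rick's advice into a complete inbound ACL: the DHCP exchange to the switch's own server is permitted, everything else routed out of the VLAN is dropped. It assumes the SVI addresses from the original post (192.168.1.1 and 192.168.2.1), the ACL names VLAN100-IN and VLAN110-IN are made up, and it narrows Rick's "permit any host 255.255.255.255" to UDP bootps/bootpc so that only DHCP, not arbitrary broadcast traffic, gets through.

```cisco
! --- VLAN 100: permit DHCP to the switch, deny everything else ---
ip access-list extended VLAN100-IN
 remark DHCP DISCOVER/REQUEST arrive as broadcasts, often from source 0.0.0.0
 permit udp any eq bootpc host 255.255.255.255 eq bootps
 remark DHCP renewals (REQUEST in RENEWING state) are unicast to the SVI
 permit udp any eq bootpc host 192.168.1.1 eq bootps
 remark everything else from VLAN 100 (including to 192.168.2.0/24) is dropped;
 remark the implicit deny would do this too, the explicit line gives hit counters
 deny ip any any
!
! --- VLAN 110: same policy, mirrored ---
ip access-list extended VLAN110-IN
 permit udp any eq bootpc host 255.255.255.255 eq bootps
 permit udp any eq bootpc host 192.168.2.1 eq bootps
 deny ip any any
!
interface Vlan100
 ip address 192.168.1.1 255.255.255.0
 ip access-group VLAN100-IN in
!
interface Vlan110
 ip address 192.168.2.1 255.255.255.0
 ip access-group VLAN110-IN in
!
! Verification after a client boots on each VLAN:
!   show ip dhcp binding          <- client should appear with a lease
!   show ip access-lists          <- permit udp lines count DHCP hits,
!                                    deny ip any any counts blocked inter-VLAN attempts
```

Hosts inside one VLAN still reach each other at layer 2; the ACL only governs what the SVI will route or accept. If a VLAN later needs a way out (to the Internet, say), add a permit for that destination above the final deny rather than loosening the DHCP lines.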