L3 ACL on same subnet

martinbuffleo · ‎05-24-2010

I recently configured a L3 switch that has two VLANs

I applied an access list to VLAN 100 so that on 192.168.1 - .128 were allowed to access the network.

VLAN 101 is the uplink to the Firewall and WWW. This worked fine and an IP address 192.168.1.150 couldn't get access.

I then found that someone had cross patched a network on the 10.0.0.0/24 and the switch was allowing the traffice to pass at Layer 2

Am I right in thinking that ACLs only work when the switch is routing?

The next think I want to do is disable DHCP as its not used on my network and I dont want rouge DHCP servers being able to answer requests on my network.

Giuseppe Larosa · ‎05-24-2010

Hello Martin,

ACLs applied to SVI interfaces (interface vlan x) are used when moving traffic from one broadcast domain to another broadcast domain that is routing or L3 switching.

>>The next think I want to do is disable DHCP as its not used on my network and I dont want rouge DHCP servers being able to answer requests on my network.

you could think of using DHCP snooping for this rogue DHCP servers will cause the port to which they are connected to to be put in error disable, but if you are not using DHCP on your own it can become very laborious to create static entries (port, MAC, IP address) for correct users.

So you need to think carefully about this. it may be too work to do for protecting the network from rogue DHCP servers.

see

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/configuration/guide/swdhcp82.html

Hope to help

Giuseppe