ACL issue on 3750x

Dec 19th, 2013

Hi All,


I have 5 VLANs on a 3750x switch (vlan 10, 20, 30, 40, 50),

and I have applied an ACL on the switch so that no user can access vlan 30.

Everything is working fine, but all LAN users can access the vlan 30 server IP, while they are unable to access vlan 30 users.

Please help. Let me know what needs to be configured.

cadet alain Thu, 12/19/2013 - 02:21

Hi,

Post your config and confirm that you want to deny complete access to vlan 30 from the other vlans.


Regards


Alain



Don't forget to rate helpful posts.

Jon Marshall Thu, 12/19/2013 - 03:48

What exactly can you reach on vlan 30? You say "server ip" - what do you mean?

By the way, ACL 150 is doing nothing.


Jon

Sudhir Gupta Thu, 12/19/2013 - 04:17

In vlan 30 there is 1 server and its IP is 172.24.30.5.

LAN users can access 1 IP of vlan 30, and that is the server IP (172.24.30.5), but users can't access any other IP of vlan 30.

I don't want users to be able to access that IP either.

And I know vlan 150 is of no use.

Jon Marshall Thu, 12/19/2013 - 04:19

What is the IP address of the LAN user accessing the server IP?


Jon

Sudhir Gupta Thu, 12/19/2013 - 21:35

Hi,

Below is the config, which is correct; please solve this one, the last one was incorrect.

The IP address of the LAN user accessing the server IP is in 172.24.10.0 255.255.248.0.

The above subnet is able to access that server IP (172.24.30.5) but is not able to access the other users of vlan 30.

So I want that none of the LAN users should be able to access vlan 30 or its server IP.



interface Vlan10
 ip address 172.24.1.1 255.255.255.0
 ip access-group 101 in
!
interface Vlan20
 ip address 172.24.2.1 255.255.255.0
 ip access-group 102 in
!
interface Vlan30
 ip address 172.24.3.1 255.255.255.0
 ip access-group 103 in
 ip access-group 150 out
!
interface Vlan40
 ip address 172.24.4.1 255.255.255.0
 ip access-group 104 in
!
interface Vlan50
 ip address 172.24.16.1 255.255.255.192
 ip access-group 100 in
!
interface Vlan100
 ip address 172.24.10.250 255.255.248.0

***************************************************

access-list 100 permit udp 172.24.16.0 0.0.0.63 host 172.24.10.250 eq bootps
access-list 100 permit udp 172.24.16.0 0.0.0.63 host 172.24.10.250 eq bootpc
access-list 100 deny   ip 172.24.16.0 0.0.0.63 172.24.8.0 0.0.7.255
access-list 100 permit ip any any
access-list 101 deny   ip 172.24.1.0 0.0.0.255 172.24.2.0 0.0.0.255
access-list 101 deny   ip 172.24.1.0 0.0.0.255 172.24.3.0 0.0.0.255
access-list 101 deny   ip 172.24.1.0 0.0.0.255 172.24.4.0 0.0.0.255
access-list 101 deny   ip 172.24.1.0 0.0.0.255 172.24.16.0 0.0.0.63
access-list 101 permit ip any any
access-list 102 deny   ip 172.24.2.0 0.0.0.255 172.24.1.0 0.0.0.255
access-list 102 deny   ip 172.24.2.0 0.0.0.255 172.24.3.0 0.0.0.255
access-list 102 deny   ip 172.24.2.0 0.0.0.255 172.24.4.0 0.0.0.255
access-list 102 deny   ip 172.24.2.0 0.0.0.255 172.24.16.0 0.0.0.63
access-list 102 permit ip any any
access-list 103 permit ip host 172.24.3.26 any
access-list 103 deny   ip 172.24.3.0 0.0.0.255 172.24.1.0 0.0.0.255
access-list 103 deny   ip 172.24.3.0 0.0.0.255 172.24.2.0 0.0.0.255
access-list 103 deny   ip 172.24.3.0 0.0.0.255 172.24.4.0 0.0.0.255
access-list 103 deny   ip 172.24.3.0 0.0.0.63 172.24.16.0 0.0.0.63
access-list 103 deny   ip 172.24.3.0 0.0.0.255 172.24.10.0 0.0.0.255
access-list 103 permit ip any any
access-list 104 deny   ip 172.24.4.0 0.0.0.255 172.24.1.0 0.0.0.255
access-list 104 deny   ip 172.24.4.0 0.0.0.255 172.24.2.0 0.0.0.255
access-list 104 deny   ip 172.24.4.0 0.0.0.255 172.24.3.0 0.0.0.255
access-list 104 deny   ip 172.24.4.0 0.0.0.255 172.24.16.0 0.0.0.63
access-list 104 permit ip any any
access-list 105 deny   ip 172.24.16.0 0.0.0.63 172.24.1.0 0.0.0.255
access-list 105 deny   ip 172.24.16.0 0.0.0.63 172.24.2.0 0.0.0.255
access-list 105 deny   ip 172.24.16.0 0.0.0.63 172.24.3.0 0.0.0.255
access-list 105 deny   ip 172.24.16.0 0.0.0.63 172.24.4.0 0.0.0.255
access-list 105 deny   ip 172.24.16.0 0.0.0.63 172.24.10.0 0.0.0.255
access-list 105 permit ip any any
access-list 105 permit udp 172.24.16.0 0.0.0.63 host 172.24.10.250 eq bootps
access-list 105 permit udp 172.24.16.0 0.0.0.63 host 172.24.10.250 eq bootpc
access-list 150 deny   ip 172.24.3.0 0.0.0.255 172.24.10.0 0.0.0.255
access-list 150 permit ip any any

Sudhir Gupta Thu, 12/19/2013 - 23:53

I found 1 issue regarding the ACL: the subnet is incorrect. Maybe this is the issue.

access-list 103 deny   ip 172.24.3.0 0.0.0.255 172.24.10.0 0.0.0.255

Jon Marshall Fri, 12/20/2013 - 05:48

Your server IP is 172.24.30.5, but vlan 30 uses the address range 172.24.3.0/24, i.e. look at the third octet.


Jon
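As an added example (not part of the thread, and not Cisco code), the following Python matcher applies IOS wildcard-mask, first-match ACL semantics to the ACL 103 and 150 lines posted above. It shows why traffic sourced from 172.24.30.5 falls through to the final permit in ACL 103 (inbound on Vlan30) while a host inside 172.24.3.0/24 is denied, and it also exposes two narrower-than-intended wildcards in the posted list (0.0.0.63 on the vlan 50 line, and a /24 destination for the 172.24.10.0/21 user range). The test addresses (172.24.10.20, 172.24.3.50, 172.24.12.7, 172.24.3.100, 172.24.16.10) are constructed; only the ACL lines come from the thread.

```python
import ipaddress
# ACL 103 and 150 exactly as posted in the thread above.
POSTED_ACLS = """
access-list 103 permit ip host 172.24.3.26 any
access-list 103 deny   ip 172.24.3.0 0.0.0.255 172.24.1.0 0.0.0.255
access-list 103 deny   ip 172.24.3.0 0.0.0.255 172.24.2.0 0.0.0.255
access-list 103 deny   ip 172.24.3.0 0.0.0.255 172.24.4.0 0.0.0.255
access-list 103 deny   ip 172.24.3.0 0.0.0.63 172.24.16.0 0.0.0.63
access-list 103 deny   ip 172.24.3.0 0.0.0.255 172.24.10.0 0.0.0.255
access-list 103 permit ip any any
access-list 150 deny   ip 172.24.3.0 0.0.0.255 172.24.10.0 0.0.0.255
access-list 150 permit ip any any
"""

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)

def parse_acls(text):
    """Group numbered access-list lines by ACL number, preserving order.
    Only source/destination are modelled; port qualifiers are ignored."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        num, action, rest = tok[1], tok[2], tok[4:]   # tok[3] is the protocol
        src, src_wc = _take_addr(rest)
        dst, dst_wc = _take_addr(rest)
        acls.setdefault(num, []).append((action, src, src_wc, dst, dst_wc))
    return acls

def evaluate(acl, src, dst):
    """First-match evaluation, ending in the implicit deny IOS appends to every ACL."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"

ACLS = parse_acls(POSTED_ACLS)
```

Run `evaluate(ACLS["103"], "172.24.30.5", "172.24.10.20")` and compare it with `evaluate(ACLS["103"], "172.24.3.50", "172.24.10.20")`: the first returns permit because 30 is not 3 in the third octet, the second returns deny.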
