12-19-2013 02:00 AM - edited 03-07-2019 05:09 PM
Hi All,
I have 5 VLANs on a 3750X switch (VLAN 10, 20, 30, 40, 50),
and I have applied an ACL on the switch so that no user can access VLAN 30.
Everything is working fine, but all LAN users can access the VLAN 30 server IP, while they are unable to access VLAN 30 users.
Please help ...
Let me know what needs to be configured.
12-19-2013 02:21 AM
Hi,
Post your config and confirm you want to deny complete access to vlan 30 from other vlans.
Regards
Alain
Don't forget to rate helpful posts.
12-19-2013 03:48 AM
What exactly can you reach on vlan 30? You say "server ip" - what do you mean?
By the way acl 150 is doing nothing.
Jon
12-19-2013 04:17 AM
In VLAN 30 there is 1 server and its IP is 172.24.30.5.
LAN users can access 1 IP of VLAN 30, and that is the server IP (172.24.30.5) ... but users can't access any other IP of VLAN 30.
I don't want users to be able to access that IP either.
And I know vlan 150 is of no use.
12-19-2013 04:19 AM
What is the IP address of the LAN user accessing the server IP?
Jon
12-19-2013 09:35 PM
Hi,
Below is the correct config; please solve this one. The last one was incorrect.
The IP address of the LAN users accessing the server IP (172.24.10.0 255.255.248.0)
The above subnet is able to access that server IP (172.24.30.5) but is not able to access the other users of VLAN 30.
So I want that none of the LAN users should be able to access VLAN 30 and its server IP.
interface Vlan10
 ip address 172.24.1.1 255.255.255.0
 ip access-group 101 in
!
interface Vlan20
 ip address 172.24.2.1 255.255.255.0
 ip access-group 102 in
!
interface Vlan30
 ip address 172.24.3.1 255.255.255.0
 ip access-group 103 in
 ip access-group 150 out
!
interface Vlan40
 ip address 172.24.4.1 255.255.255.0
 ip access-group 104 in
!
interface Vlan50
 ip address 172.24.16.1 255.255.255.192
 ip access-group 100 in
!
interface Vlan100
 ip address 172.24.10.250 255.255.248.0
***************************************************
access-list 100 permit udp 172.24.16.0 0.0.0.63 host 172.24.10.250 eq bootps
access-list 100 permit udp 172.24.16.0 0.0.0.63 host 172.24.10.250 eq bootpc
access-list 100 deny ip 172.24.16.0 0.0.0.63 172.24.8.0 0.0.7.255
access-list 100 permit ip any any
access-list 101 deny ip 172.24.1.0 0.0.0.255 172.24.2.0 0.0.0.255
access-list 101 deny ip 172.24.1.0 0.0.0.255 172.24.3.0 0.0.0.255
access-list 101 deny ip 172.24.1.0 0.0.0.255 172.24.4.0 0.0.0.255
access-list 101 deny ip 172.24.1.0 0.0.0.255 172.24.16.0 0.0.0.63
access-list 101 permit ip any any
access-list 102 deny ip 172.24.2.0 0.0.0.255 172.24.1.0 0.0.0.255
access-list 102 deny ip 172.24.2.0 0.0.0.255 172.24.3.0 0.0.0.255
access-list 102 deny ip 172.24.2.0 0.0.0.255 172.24.4.0 0.0.0.255
access-list 102 deny ip 172.24.2.0 0.0.0.255 172.24.16.0 0.0.0.63
access-list 102 permit ip any any
access-list 103 permit ip host 172.24.3.26 any
access-list 103 deny ip 172.24.3.0 0.0.0.255 172.24.1.0 0.0.0.255
access-list 103 deny ip 172.24.3.0 0.0.0.255 172.24.2.0 0.0.0.255
access-list 103 deny ip 172.24.3.0 0.0.0.255 172.24.4.0 0.0.0.255
access-list 103 deny ip 172.24.3.0 0.0.0.63 172.24.16.0 0.0.0.63
access-list 103 deny ip 172.24.3.0 0.0.0.255 172.24.10.0 0.0.0.255
access-list 103 permit ip any any
access-list 104 deny ip 172.24.4.0 0.0.0.255 172.24.1.0 0.0.0.255
access-list 104 deny ip 172.24.4.0 0.0.0.255 172.24.2.0 0.0.0.255
access-list 104 deny ip 172.24.4.0 0.0.0.255 172.24.3.0 0.0.0.255
access-list 104 deny ip 172.24.4.0 0.0.0.255 172.24.16.0 0.0.0.63
access-list 104 permit ip any any
access-list 105 deny ip 172.24.16.0 0.0.0.63 172.24.1.0 0.0.0.255
access-list 105 deny ip 172.24.16.0 0.0.0.63 172.24.2.0 0.0.0.255
access-list 105 deny ip 172.24.16.0 0.0.0.63 172.24.3.0 0.0.0.255
access-list 105 deny ip 172.24.16.0 0.0.0.63 172.24.4.0 0.0.0.255
access-list 105 deny ip 172.24.16.0 0.0.0.63 172.24.10.0 0.0.0.255
access-list 105 permit ip any any
access-list 105 permit udp 172.24.16.0 0.0.0.63 host 172.24.10.250 eq bootps
access-list 105 permit udp 172.24.16.0 0.0.0.63 host 172.24.10.250 eq bootpc
access-list 150 deny ip 172.24.3.0 0.0.0.255 172.24.10.0 0.0.0.255
access-list 150 permit ip any any
12-19-2013 11:53 PM
I found 1 issue regarding the ACL: the subnet is incorrect. Maybe this will be the issue.
access-list 103 deny ip 172.24.3.0 0.0.0.255 172.24.10.0 0.0.0.255
12-20-2013 05:48 AM
Your server IP is 172.24.30.5 but vlan 30 uses the address range 172.24.3.0/24, i.e. look at the third octet.
Jon
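Added example, not part of any post in this thread: a small Python first-match evaluator for the ACL 103 entries posted above (applied inbound on Vlan30), used to check which parts of the Vlan100 range 172.24.8.0/21 (from `172.24.10.250 255.255.248.0`) a VLAN 30 host can still send to. It handles only `ip` entries, and `uncovered` samples one constructed host (`.10`) per /24; the function names are this example's own.

```python
import ipaddress

# ACL 103 exactly as posted in the thread (inbound on interface Vlan30).
ACL_103 = """\
access-list 103 permit ip host 172.24.3.26 any
access-list 103 deny ip 172.24.3.0 0.0.0.255 172.24.1.0 0.0.0.255
access-list 103 deny ip 172.24.3.0 0.0.0.255 172.24.2.0 0.0.0.255
access-list 103 deny ip 172.24.3.0 0.0.0.255 172.24.4.0 0.0.0.255
access-list 103 deny ip 172.24.3.0 0.0.0.63 172.24.16.0 0.0.0.63
access-list 103 deny ip 172.24.3.0 0.0.0.255 172.24.10.0 0.0.0.255
access-list 103 permit ip any any
"""

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def take_spec(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return to_int(tokens.pop(0)), 0
    return to_int(first), to_int(tokens.pop(0))

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue  # this sketch handles only 'ip' entries
        rest = tok[4:]
        rules.append((tok[2], take_spec(rest), take_spec(rest), line.strip()))
    return rules

def matches(addr, spec):
    care = ~spec[1] & 0xFFFFFFFF  # wildcard 1-bits mean "don't care"
    return (to_int(addr) & care) == (spec[0] & care)

def evaluate(rules, src, dst):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for action, s, d, line in rules:
        if matches(src, s) and matches(dst, d):
            return action, line
    return "deny", "(implicit deny)"

def uncovered(rules, src, network):
    """The /24s inside `network` that `src` is still permitted to send to."""
    return [str(n) for n in ipaddress.ip_network(network).subnets(new_prefix=24)
            if evaluate(rules, src, str(n.network_address + 10))[0] == "permit"]
```

Calling `uncovered(parse_acl(ACL_103), "172.24.3.50", "172.24.8.0/21")` lists every /24 of the Vlan100 range except 172.24.10.0/24, because the deny entry uses wildcard 0.0.0.255 rather than 0.0.7.255; the first entry also permits host 172.24.3.26 to any destination before any deny is reached.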