ACL issue on 3750x

Sudhir Gupta
Level 1

Hi All,

I have 5 VLANs on a 3750X switch (VLAN 10, 20, 30, 40, 50),

and I applied an ACL on the switch so that no user can access VLAN 30.

Everything is working fine, but all LAN users can access the VLAN 30 server IP, though they are unable to access VLAN 30 users.

Please help...

Let me know what is required to be configured.

7 Replies

cadet alain
VIP Alumni

Hi,

Post your config and confirm you want to deny complete access to vlan 30 from other vlans.

Regards

Alain

Don't forget to rate helpful posts.

What exactly can you reach on VLAN 30? You say "server IP"; what do you mean?

By the way, ACL 150 is doing nothing.

Jon

In VLAN 30 there is 1 server, and its IP is 172.24.30.5.

LAN users can access 1 IP of VLAN 30, and that is the server IP (172.24.30.5)... but users can't access any other IP of VLAN 30.

I don't want users to be able to access that IP either.

And I know VLAN 150 is of no use.

What is the IP address of the LAN user accessing the server IP?

Jon

Hi,

Below is the config, which is correct; please solve this one. The last one was incorrect.

The IP address of the LAN user accessing the server IP is 172.24.10.0 255.255.248.0.

The above subnet is able to access that server IP (172.24.30.5) but is not able to access the other users of VLAN 30.

So I want that none of the LAN users should be able to access VLAN 30 or its server IP.

interface Vlan10
 ip address 172.24.1.1 255.255.255.0
 ip access-group 101 in
!
interface Vlan20
 ip address 172.24.2.1 255.255.255.0
 ip access-group 102 in
!
interface Vlan30
 ip address 172.24.3.1 255.255.255.0
 ip access-group 103 in
 ip access-group 150 out
!
interface Vlan40
 ip address 172.24.4.1 255.255.255.0
 ip access-group 104 in
!
interface Vlan50
 ip address 172.24.16.1 255.255.255.192
 ip access-group 100 in
!
interface Vlan100
 ip address 172.24.10.250 255.255.248.0
!
***************************************************
access-list 100 permit udp 172.24.16.0 0.0.0.63 host 172.24.10.250 eq bootps
access-list 100 permit udp 172.24.16.0 0.0.0.63 host 172.24.10.250 eq bootpc
access-list 100 deny   ip 172.24.16.0 0.0.0.63 172.24.8.0 0.0.7.255
access-list 100 permit ip any any
access-list 101 deny   ip 172.24.1.0 0.0.0.255 172.24.2.0 0.0.0.255
access-list 101 deny   ip 172.24.1.0 0.0.0.255 172.24.3.0 0.0.0.255
access-list 101 deny   ip 172.24.1.0 0.0.0.255 172.24.4.0 0.0.0.255
access-list 101 deny   ip 172.24.1.0 0.0.0.255 172.24.16.0 0.0.0.63
access-list 101 permit ip any any
access-list 102 deny   ip 172.24.2.0 0.0.0.255 172.24.1.0 0.0.0.255
access-list 102 deny   ip 172.24.2.0 0.0.0.255 172.24.3.0 0.0.0.255
access-list 102 deny   ip 172.24.2.0 0.0.0.255 172.24.4.0 0.0.0.255
access-list 102 deny   ip 172.24.2.0 0.0.0.255 172.24.16.0 0.0.0.63
access-list 102 permit ip any any
access-list 103 permit ip host 172.24.3.26 any
access-list 103 deny   ip 172.24.3.0 0.0.0.255 172.24.1.0 0.0.0.255
access-list 103 deny   ip 172.24.3.0 0.0.0.255 172.24.2.0 0.0.0.255
access-list 103 deny   ip 172.24.3.0 0.0.0.255 172.24.4.0 0.0.0.255
access-list 103 deny   ip 172.24.3.0 0.0.0.63 172.24.16.0 0.0.0.63
access-list 103 deny   ip 172.24.3.0 0.0.0.255 172.24.10.0 0.0.0.255
access-list 103 permit ip any any
access-list 104 deny   ip 172.24.4.0 0.0.0.255 172.24.1.0 0.0.0.255
access-list 104 deny   ip 172.24.4.0 0.0.0.255 172.24.2.0 0.0.0.255
access-list 104 deny   ip 172.24.4.0 0.0.0.255 172.24.3.0 0.0.0.255
access-list 104 deny   ip 172.24.4.0 0.0.0.255 172.24.16.0 0.0.0.63
access-list 104 permit ip any any
access-list 105 deny   ip 172.24.16.0 0.0.0.63 172.24.1.0 0.0.0.255
access-list 105 deny   ip 172.24.16.0 0.0.0.63 172.24.2.0 0.0.0.255
access-list 105 deny   ip 172.24.16.0 0.0.0.63 172.24.3.0 0.0.0.255
access-list 105 deny   ip 172.24.16.0 0.0.0.63 172.24.4.0 0.0.0.255
access-list 105 deny   ip 172.24.16.0 0.0.0.63 172.24.10.0 0.0.0.255
access-list 105 permit ip any any
access-list 105 permit udp 172.24.16.0 0.0.0.63 host 172.24.10.250 eq bootps
access-list 105 permit udp 172.24.16.0 0.0.0.63 host 172.24.10.250 eq bootpc
access-list 150 deny   ip 172.24.3.0 0.0.0.255 172.24.10.0 0.0.0.255
access-list 150 permit ip any any

I found 1 issue regarding the ACL: the subnet is incorrect. Maybe this is the issue.

access-list 103 deny   ip 172.24.3.0 0.0.0.255 172.24.10.0 0.0.0.255

Your server IP is 172.24.30.5, but VLAN 30 uses the address range 172.24.3.0/24, i.e. look at the third octet.

Jon
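The two observations in this thread (ACL 150 applied outbound on Vlan30 never matches anything, and the numbers in the config do not line up with the addresses being described) can be checked offline with a small evaluator of IOS wildcard-mask ACLs. The following is an added example written for this page, not code from the thread or from Cisco. It models only "ip" ACEs (the udp/bootp lines are skipped), takes the ACL 103 and ACL 150 text from the posted config, and uses constructed sample flows; the function names are its own. It relies on two standard IOS facts: an inbound ACL on an SVI sees packets arriving from that VLAN's hosts, and an outbound ACL sees packets the switch is forwarding towards them.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

AddrSpec = Tuple[int, int]  # (network as int, wildcard mask as int), IOS style

# ACL text copied from the config posted in the thread; only "ip" ACEs are modelled.
ACL_103 = """
access-list 103 permit ip host 172.24.3.26 any
access-list 103 deny   ip 172.24.3.0 0.0.0.255 172.24.1.0 0.0.0.255
access-list 103 deny   ip 172.24.3.0 0.0.0.255 172.24.2.0 0.0.0.255
access-list 103 deny   ip 172.24.3.0 0.0.0.255 172.24.4.0 0.0.0.255
access-list 103 deny   ip 172.24.3.0 0.0.0.63 172.24.16.0 0.0.0.63
access-list 103 deny   ip 172.24.3.0 0.0.0.255 172.24.10.0 0.0.0.255
access-list 103 permit ip any any
"""

ACL_150 = """
access-list 150 deny   ip 172.24.3.0 0.0.0.255 172.24.10.0 0.0.0.255
access-list 150 permit ip any any
"""


@dataclass
class Ace:
    text: str      # the normalised ACE line, reported when it matches
    action: str    # "permit" or "deny"
    src: AddrSpec
    dst: AddrSpec


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Read one IOS address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse numbered 'access-list N permit|deny ip SRC DST' lines, keeping their order."""
    aces = []
    for raw in text.strip().splitlines():
        t = raw.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue  # not an "ip" ACE; udp/tcp lines are outside this model
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        aces.append(Ace(" ".join(t), t[2], src, dst))
    return aces


def matches(addr: int, spec: AddrSpec) -> bool:
    """IOS wildcard test: a bit set in the wildcard mask is 'don't care'."""
    net, wc = spec
    care = ~wc & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(aces: List[Ace], src: str, dst: str) -> Tuple[str, str]:
    """First-match evaluation, top to bottom; unmatched traffic hits the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for ace in aces:
        if matches(s, ace.src) and matches(d, ace.dst):
            return ace.action, ace.text
    return "deny", "implicit deny"


def spec_hosts(spec: AddrSpec) -> int:
    """Addresses an ACE address spec can match (contiguous wildcard assumed)."""
    return spec[1] + 1


def subnet_hosts(addr: str, mask: str) -> int:
    """Addresses in an interface-style 'ip address A MASK' subnet."""
    return ipaddress.IPv4Network((addr, mask), strict=False).num_addresses


if __name__ == "__main__":
    acl103, acl150 = parse_acl(ACL_103), parse_acl(ACL_150)
    # Inbound on Vlan30: a VLAN 30 host replying to 172.24.10.x is denied, but a
    # reply to 172.24.12.x (still inside the 255.255.248.0 LAN subnet) is permitted.
    print(evaluate(acl103, "172.24.3.10", "172.24.10.20"))
    print(evaluate(acl103, "172.24.3.10", "172.24.12.20"))
    # Outbound on Vlan30 the source is a LAN host, never 172.24.3.0/24, so ACL 150
    # falls through to "permit ip any any" for every packet it sees.
    print(evaluate(acl150, "172.24.10.20", "172.24.3.10"))
    # Third-octet mismatch: 172.24.30.5 is outside 172.24.3.0 0.0.0.255, so none of
    # the deny lines in ACL 103 would ever match traffic sourced from that address.
    print(matches(_ip("172.24.30.5"), (_ip("172.24.3.0"), _ip("0.0.0.255"))))
    print(evaluate(acl103, "172.24.30.5", "172.24.10.20"))
    # The deny line covers 256 addresses; the LAN subnet as described has 2048.
    print(spec_hosts((_ip("172.24.10.0"), _ip("0.0.0.255"))),
          subnet_hosts("172.24.10.0", "255.255.248.0"))
```

Running it shows why the symptoms and the config disagree: nothing on the switch filters LAN traffic towards VLAN 30 (ACL 150 never matches, and Vlan100 has no inbound ACL), the one deny line in ACL 103 only blocks replies to a /24 out of a /21, and an address with 30 in the third octet is not covered by any 172.24.3.0 0.0.0.255 entry at all.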
