isolate vlans on 3750 switch

Dears,

Can anybody help me with an access list to restrict VLANs on my core switch? I have a 3750 core switch with 7 VLANs created.

interface Vlan1
description core & mangment
ip address 10.1.2.1 255.255.255.0
!
interface Vlan2
description edge switch
ip address 10.1.3.1 255.255.255.0
!
interface Vlan3
description wireless AP
ip address 10.1.5.1 255.255.255.0
!
interface Vlan4
description Printers & Door Access
ip address 10.1.7.1 255.255.255.0
!
interface Vlan5
description PBAX & IP Telephone
ip address 10.1.9.1 255.255.255.0
!
interface Vlan6
description Servers Vlan
ip address 10.1.10.1 255.255.255.0
!
interface Vlan7
description Desktops Vlan
ip address 10.1.20.1 255.255.255.0
!
interface Vlan8
ip address 10.1.11.2 255.255.255.0 secondary
ip address 10.1.1.2 255.255.255.0
!
interface Vlan31

ip address 10.1.31.1 255.255.255.0
!
interface Vlan10
no ip address

I have DHCP configuration for VLAN 31.

I need to restrict VLAN 31 from all these VLANs. I configured an access list on the core switch like this, but it will not take a DHCP IP address.

configuration:

access-list 101 deny ip 10.1.31.0 0.0.0.255 10.1.10.0 0.0.0.255
access-list 101 deny ip 10.1.31.0 0.0.0.255 10.1.20.0 0.0.0.255
access-list 101 deny ip 10.1.31.0 0.0.0.255 10.1.9.0 0.0.0.255
access-list 101 permit ip 10.1.31.0 0.0.0.255 any

Apply this access-list 101 on the VLAN 31 interface:

interface Vlan31
 ip access-group 101 in
end

Can anybody help with this issue? Waiting for a reply.

Regards to all

Re: isolate vlans on 3750 switch

Hello,

You need an ACL line like the following:

access-list 101 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps

because booting hosts use 0.0.0.0 as the source address in the DHCP request and 255.255.255.255 as the destination.

You will also need an ip helper-address in the SVI config to have the router relay DHCP requests to a distant DHCP server.

Hope to help

Giuseppe
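
The effect described in the reply above can be checked offline with a small first-match ACL evaluator. This is an added example, not part of the original thread and not Cisco code: the function names are hypothetical, the DHCPDISCOVER tuple is constructed, and only the `any` / `host` / wildcard and `eq` forms used in this thread are parsed.

```python
import ipaddress

PORTS = {"bootps": 67, "bootpc": 68}  # IOS port keywords used in the reply's ACL line

def ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i] -> (base, wildcard, next_i)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return ip(tok[i + 1]), 0, i + 2
    return ip(tok[i]), ip(tok[i + 1]), i + 2

def parse_port(tok, i):
    """Parse an optional 'eq PORT' at tok[i] -> (port or None, next_i)."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORTS[name] if name in PORTS else int(name)), i + 2
    return None, i

def parse_ace(line):
    tok = line.split()  # access-list <num> <action> <proto> <src> [eq p] <dst> [eq p]
    src, swc, i = parse_addr(tok, 4)
    sport, i = parse_port(tok, i)
    dst, dwc, i = parse_addr(tok, i)
    dport, i = parse_port(tok, i)
    return tok[2], tok[3], (src, swc, sport), (dst, dwc, dport)

def side_matches(addr, port, rule):
    base, wc, rport = rule
    # Wildcard bits set to 1 are "don't care"; a rule without 'eq' matches any port.
    return (ip(addr) | wc) == (base | wc) and rport in (None, port)

def evaluate(acl, pkt):
    """First match wins. Returns (action, line number), or ('deny', None) for the implicit deny."""
    proto, src, sport, dst, dport = pkt
    for n, line in enumerate(acl, 1):
        action, aproto, s, d = parse_ace(line)
        if aproto in ("ip", proto) and side_matches(src, sport, s) and side_matches(dst, dport, d):
            return action, n
    return "deny", None

ORIGINAL_ACL = [  # ACL 101 as posted in the question
    "access-list 101 deny ip 10.1.31.0 0.0.0.255 10.1.10.0 0.0.0.255",
    "access-list 101 deny ip 10.1.31.0 0.0.0.255 10.1.20.0 0.0.0.255",
    "access-list 101 deny ip 10.1.31.0 0.0.0.255 10.1.9.0 0.0.0.255",
    "access-list 101 permit ip 10.1.31.0 0.0.0.255 any",
]
FIXED_ACL = ORIGINAL_ACL + [  # with the line from the reply appended
    "access-list 101 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps"]
DISCOVER = ("udp", "0.0.0.0", 68, "255.255.255.255", 67)  # constructed DHCPDISCOVER
```

Evaluating `DISCOVER` against `ORIGINAL_ACL` falls through every line to the implicit deny, because the source 0.0.0.0 is outside 10.1.31.0/24; against `FIXED_ACL` it matches the appended line.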

Re: isolate vlans on 3750 switch

Hi Guislar,

I mean all the configuration is perfect and I just need to add one more access list, which you defined, and in the DHCP pool I have to define the ip helper address, that's it.

I have one more doubt: in VLAN 6 I have a DNS server, and I need to allow VLAN 31 to communicate with only two DNS servers (10.1.6.232, 10.1.6.233). How can I use an access list to permit VLAN 31 to access these two IP addresses only, with all others denied?

I will try this configuration and update you soon.

Thanks a lot, Guislar.

Regards
