Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Vlan and DHCP questions

I have a 3560 and I created two Vlans on it. I created vlan 100 and vlan 110.

This switch is running in layer3 so it will route. I started the DHCP server because we need to enable dhcp.

I created two pools and I called them vlan100 and vlan110

vlan100 I set an IP network of 192.168.1.XXX /24

vlan110 I set 192.168.2.XXX /24

On each vlan interface, I added an address of 192.168.X.1 /24. I added this because I thought that was the only way to get the dhcp server to hand out dhcp to that subnet.

My problem now is, because its a layer3 switch they can route now. They can route to each other.

I removed the default gateway out of the dhcp pulls so the clients do not get a default gateway. But if they add it in, it still works.

The only way to get around this is an access-list?

How do I create it, i want them to get dhcp but not get out to antoher vlan.

Or am I doing this all wrong, and is there another way?

New Member

Re: Vlan and DHCP questions


#config t

(Config)# ip access-list extended NAME

(config-ext-nacl)#permit ip host 192.168.1.X 192.168.2.XXX (this is to permit the guy to access the other vlan, you can add many permit lines)

(config-ext-nacl)#deny ip any 192.168.2.XXX (this is to deny all other guys to get to the other vlan).


config)#int vlan 1

config-if)#ip access-group NAME in (apply the access-list to the traffic coming into the vlan 1 from the vlan 1 users, alternatively this can be applied in the outbound direction on vlan 2 interface. remember that only 1 access-list can be applied to an interface in one particular direction.)

Rate if helpful.

Hall of Fame Super Gold

Re: Vlan and DHCP questions


The suggestion by Victor would allow certain traffic between VLAN 100 and 110 and would allow traffic from the local VLAN to outside resources but not to the other VLAN. My understanding of your post is that you do not want anyone in VLAN 100 to communicate with anyone in VLAN 110. If that is correct then you do not need the command:

permit ip host 192.168.1.X 192.168.2.XXX

I am not clear from your post whether you want devices in the VLANs to communicate with outside resources or whether you want them to only communicate locally. Perhaps you can clarify this?



New Member

Re: Vlan and DHCP questions

I do not want them to communicate. I added an access list deny icmp any any and deny ip any any.

I think though I just broke the dhcp server

I just enabled udp dhcp on port 67

Hall of Fame Super Gold

Re: Vlan and DHCP questions


Yes if you have deny icmp any any and deny ip any any as an inbound access list then you will break DHCP. You would need to permit the UDP ports for DHCP (you could permit any any or you could limit it to permit any host since the DHCP request is a broadcast packet).



CreatePlease to create content