Community Member

VLAN issue with Access List

Hi,

I have configured one VLAN in my CORE and Access Switches. I want to give limited access to the users under this VLAN.

Users under this VLAN should be able to access only 10.138.77.54 and the Internet.

Users under this VLAN should not get access to 10.138.74.0 / 10.138.75.0 / 10.138.76.0 / 10.138.77.0 (except 10.138.77.54).

The issue we are getting with my current configuration is that users under this VLAN get access to all resources in the 10.138.77.0 range.

I have attached the configuration.

Please guide me on this issue.

4 REPLIES

Re: VLAN issue with Access List

Your ACL inverted masks are wrong; try:

access-list 119 permit ip 192.168.100.0 0.0.0.15 host 10.138.77.54
access-list 119 deny ip 192.168.100.0 0.0.0.15 10.138.77.0 0.0.0.255
access-list 119 deny ip 192.168.100.0 0.0.0.15 10.138.76.0 0.0.0.255
access-list 119 deny ip 192.168.100.0 0.0.0.15 10.138.75.0 0.0.0.255
access-list 119 deny ip 192.168.100.0 0.0.0.15 10.138.74.0 0.0.0.255
access-list 119 permit ip any any

HTH

Re: VLAN issue with Access List

Andrew is right. But if it doesn't work after that, instead of "ip access-group 119 in", try "ip access-group 119 out", since you want this ACL to be applied on outgoing traffic from VLAN 19.

Cheers,

Community Member

Re: VLAN issue with Access List

Hi,

But my VLAN is on the network 192.168.100.16 255.255.255.240.

Now if I configure 192.168.100.0 0.0.0.15 in the access list, the range will be 192.168.100.0 to 192.168.100.15, but my network is 192.168.100.16/28.

Please guide.

Hall of Fame Super Blue

Re: VLAN issue with Access List

Change your access-list to this:

access-list 119 permit ip 192.168.100.16 0.0.0.15 host 10.138.77.54
access-list 119 deny ip 192.168.100.16 0.0.0.15 10.138.77.0 0.0.0.255
access-list 119 deny ip 192.168.100.16 0.0.0.15 10.138.76.0 0.0.0.255
access-list 119 deny ip 192.168.100.16 0.0.0.15 10.138.75.0 0.0.0.255
access-list 119 deny ip 192.168.100.16 0.0.0.15 10.138.74.0 0.0.0.255
access-list 119 permit ip any any

You are correct in what you say; it should be 192.168.100.16 0.0.0.15. I suspect Andrew was referring to the 10.138.77.x entries and 192.168.100.0 was a typo. ACLs are checked in order, so if you permit traffic to 10.138.77.54 in line 1 and then deny all traffic to 10.138.77.0/24, that will work for you.

Also, contrary to the other post, the ACL is applied correctly in your config, i.e. inbound.

Jon
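As an added illustration of the two points made in this thread (the wildcard mask 0.0.0.15 on 192.168.100.0 covers .0 to .15 and so never matches the .16/28 hosts, and the first matching line of an ACL wins so a host permit can precede a subnet deny), here is a small Python evaluator for the subset of Cisco extended-ACL syntax used in the replies above. It is example code written for this page, not Cisco's implementation; the host 192.168.100.20 and the Internet stand-in 203.0.113.10 are constructed sample addresses, and it only models the `access-list N permit|deny ip <src> <dst>` form with `host`, `any`, and address/wildcard specs.

```python
# Added example (not from the thread): first-match evaluation of Cisco-style
# extended ACL entries with wildcard (inverted) masks, plus the implicit
# trailing deny. Only the syntax subset used in this thread is parsed.
import ipaddress
from dataclasses import dataclass

# Andrew's first suggestion (192.168.100.0 wildcard base) and Jon's corrected
# version (192.168.100.16), copied from the replies above.
ANDREW_ACL = """
access-list 119 permit ip 192.168.100.0 0.0.0.15 host 10.138.77.54
access-list 119 deny ip 192.168.100.0 0.0.0.15 10.138.77.0 0.0.0.255
access-list 119 deny ip 192.168.100.0 0.0.0.15 10.138.76.0 0.0.0.255
access-list 119 deny ip 192.168.100.0 0.0.0.15 10.138.75.0 0.0.0.255
access-list 119 deny ip 192.168.100.0 0.0.0.15 10.138.74.0 0.0.0.255
access-list 119 permit ip any any
"""
JON_ACL = ANDREW_ACL.replace("192.168.100.0 0.0.0.15", "192.168.100.16 0.0.0.15")


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: str     # "192.168.100.16 0.0.0.15", "host 10.138.77.54" or "any"
    dst: str


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_range(base, wildcard):
    """First and last address covered by an address/wildcard pair."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)  # wildcard bit 1 = don't care
    first = _to_int(base) & care
    last = first | _to_int(wildcard)
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


def _match(spec, addr):
    """True if the IPv4 address matches a Cisco host/any/wildcard spec."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return _to_int(spec[5:]) == addr
    base, wildcard = spec.split()
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(base) & care) == (addr & care)


def parse_acl(text):
    """Parse 'access-list N permit|deny ip <src> <dst>' lines into ACEs."""
    aces = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[0] != "access-list" or parts[3] != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        action, rest, specs = parts[2], parts[4:], []
        while rest:
            if rest[0] == "any":
                specs.append("any")
                rest = rest[1:]
            elif rest[0] == "host":
                specs.append(f"host {rest[1]}")
                rest = rest[2:]
            else:
                specs.append(f"{rest[0]} {rest[1]}")
                rest = rest[2:]
        aces.append(Ace(action, specs[0], specs[1]))
    return aces


def evaluate(aces, src, dst):
    """First matching ACE decides; an unmatched packet hits the implicit deny.
    Returns (action, 1-based line number) or ('deny', None)."""
    s, d = _to_int(src), _to_int(dst)
    for n, ace in enumerate(aces, 1):
        if _match(ace.src, s) and _match(ace.dst, d):
            return ace.action, n
    return "deny", None


if __name__ == "__main__":
    host = "192.168.100.20"  # constructed sample host in 192.168.100.16/28
    print(wildcard_range("192.168.100.0", "0.0.0.15"))   # .0 to .15
    print(wildcard_range("192.168.100.16", "0.0.0.15"))  # .16 to .31
    for name, acl in (("Andrew", parse_acl(ANDREW_ACL)), ("Jon", parse_acl(JON_ACL))):
        for dst in ("10.138.77.54", "10.138.77.10", "10.138.74.3", "203.0.113.10"):
            print(name, host, "->", dst, evaluate(acl, host, dst))
```

Running it shows why the original symptom appears: with the 192.168.100.0 base, none of the five specific lines match a .16/28 source, so every packet falls through to `permit ip any any`; with Jon's base, traffic to 10.138.77.54 is permitted on line 1 and traffic to the rest of 10.138.77.0/24 is denied on line 2. The evaluator models the direction Jon describes, an inbound ACL on the VLAN interface where the VLAN host is the source.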
