Access List Qs: Filter Traffic Between VLANs

Two VLANs are running on a 2950 and trunked to a 3745, which provides Internet access to both. VLAN1 has many networks running through it:

10.x, 172.x, 192.x, plus three public IP address blocks. (Not my design.) VLAN2 has only I need to keep traffic from flowing between the two VLANs. The 3745 also provides DHCP services but only to hosts on VLAN2.

I'm a novice with access lists but I used the following commands on the 3745 to keep DHCP and VLAN2 traffic out of VLAN1. Does this look right?

interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address (public address)
 ip access-group no_dhcp in
 ip access-group no_vlan2 out

ip access-list extended no_dhcp
 deny udp any eq bootpc any
 permit ip any any

ip access-list extended no_vlan2
 deny ip any
 permit ip any any

Is there an elegant way to keep all VLAN1 traffic out of VLAN2 while allowing Internet access? Or do I need to separately deny each network (with as large a mask as is feasible)?

Bob Simon
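The following is an added example written for this thread, not configuration from the original poster. Because VLAN2 is a single subnet, both directions can be filtered on the VLAN1 sub-interface by matching only VLAN2's address block: the inbound ACL drops anything VLAN1 hosts send toward VLAN2, and the outbound ACL drops anything sourced from VLAN2 before it is forwarded onto VLAN1. How many networks live on VLAN1 no longer matters. The VLAN2 subnet 192.168.2.0/24 and the ACL names are assumptions (the post does not give the subnet); substitute your own values.

```cisco
! Added example, not from the original post.
! ASSUMPTION: VLAN2 is 192.168.2.0/24 (wildcard 0.0.0.255). Replace as needed.
!
ip access-list extended vlan1_in
 remark traffic entering the router from VLAN1 hosts
 remark drop DHCP client requests so VLAN1 hosts cannot use this router's DHCP
 deny   udp any eq bootpc any eq bootps
 remark drop anything addressed to the VLAN2 subnet, whatever its source network
 deny   ip  any 192.168.2.0 0.0.0.255
 permit ip  any any
!
ip access-list extended vlan1_out
 remark traffic the router would forward onto VLAN1
 remark drop anything that originated on VLAN2
 deny   ip  192.168.2.0 0.0.0.255 any
 permit ip  any any
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip access-group vlan1_in in
 ip access-group vlan1_out out
```

Two IOS caveats worth keeping in mind: an outbound ACL only filters packets the router forwards, not packets addressed to the router's own interfaces, and inbound ACLs never touch traffic the router itself generates, so the DHCP offers it sends to VLAN2 are unaffected. After applying the lists, `show ip access-lists` shows per-entry hit counters, which is the quickest way to confirm that the deny lines are actually matching the traffic you expect.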