Two VLANs are running on a 2950 and trunked to a 3745 which provides Internet access to both. VLAN1 has many networks running through it: 10.x, 172.x, 192.x, plus three public IP address blocks. (Not my design.) VLAN2 has only 192.168.198.0/27. I need to keep traffic from flowing between the two VLANs. The 3745 also provides DHCP services but only to hosts on VLAN2.
I'm a novice with access lists but I used the following commands on the 3745 to keep DHCP and VLAN2 traffic out of VLAN1. Does this look right?
    interface FastEthernet0/0.1
     encapsulation dot1Q 1 native
     ip address (public address)
     ip access-group no_dhcp in
     ip access-group no_vlan2 out
    !
    ip access-list extended no_dhcp
     deny udp any eq bootpc any
     permit ip any any
    !
    ip access-list extended no_vlan2
     deny ip 192.168.198.0 0.0.0.31 any
     permit ip any any
Is there an elegant way to keep all VLAN1 traffic out of VLAN2 while allowing Internet access? Or do I need to separately deny each network (with as large a mask as is feasible)?
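As an added check, not part of the original post: a small Python evaluator for the subset of IOS extended-ACL syntax used above (deny/permit, ip/udp, any or address plus wildcard, eq port), run over constructed flows against the two ACLs as they are applied on Fa0/0.1 (no_dhcp inbound, no_vlan2 outbound). The host addresses 10.1.1.5, 192.168.198.5 and 203.0.113.10 and the port numbers are assumed sample values.

```python
import ipaddress

# Added check (not from the post): evaluator for the IOS extended-ACL subset used above.
PORTS = {"bootpc": 68, "bootps": 67}

def _endpoint(tok, i):
    """Parse 'any' | 'A.B.C.D W.X.Y.Z' plus an optional 'eq <port>' starting at tok[i]."""
    if tok[i] == "any":
        spec, i = None, i + 1
    else:
        net, wild = (int(ipaddress.IPv4Address(t)) for t in tok[i:i + 2])
        spec, i = (net & (0xFFFFFFFF ^ wild), 0xFFFFFFFF ^ wild), i + 2  # (masked net, mask)
    port = None
    if i < len(tok) and tok[i] == "eq":
        port, i = PORTS.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return spec, port, i

def parse_acl(text):
    """Parse ACL lines into (action, proto, (src, sport), (dst, dport)) tuples."""
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, sport, i = _endpoint(tok, 2)
        dst, dport, _ = _endpoint(tok, i)
        acl.append((tok[0], tok[1], (src, sport), (dst, dport)))
    return acl

def _hit(spec, port, addr, pkt_port):
    ok = spec is None or (int(ipaddress.IPv4Address(addr)) & spec[1]) == spec[0]
    return ok and (port is None or port == pkt_port)

def evaluate(acl, proto, src, sport, dst, dport):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, aproto, (sspec, sp), (dspec, dp) in acl:
        if aproto in ("ip", proto) and _hit(sspec, sp, src, sport) and _hit(dspec, dp, dst, dport):
            return action
    return "deny"

NO_DHCP = parse_acl("deny udp any eq bootpc any\npermit ip any any")
NO_VLAN2 = parse_acl("deny ip 192.168.198.0 0.0.0.31 any\npermit ip any any")

def check_post_acls():
    """Constructed flows: no_dhcp is checked inbound on Fa0/0.1, no_vlan2 outbound."""
    return {
        "vlan1_dhcp_in": evaluate(NO_DHCP, "udp", "10.1.1.5", 68, "255.255.255.255", 67),
        "vlan1_internet_in": evaluate(NO_DHCP, "tcp", "10.1.1.5", 40000, "203.0.113.10", 443),
        "vlan2_to_vlan1_out": evaluate(NO_VLAN2, "tcp", "192.168.198.5", 40000, "10.1.1.5", 22),
        "internet_to_vlan1_out": evaluate(NO_VLAN2, "tcp", "203.0.113.10", 443, "10.1.1.5", 40000),
        "vlan1_to_vlan2_in": evaluate(NO_DHCP, "tcp", "10.1.1.5", 40000, "192.168.198.5", 22),
    }
```

The last flow shows that the posted ACLs do not filter VLAN1 traffic whose destination is 192.168.198.0/27, which is the gap the final question is about.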