09-14-2005 04:44 AM - edited 03-03-2019 12:02 AM
I have been racking my brain on this particular issue. What I am trying to do is create a Public VLAN for vendors and visitors in our company that will restrict them from accessing our corporate network while allowing them to access web, email and VPN connections to the outside. In addition, when people connect to this VLAN, they are retrieving a DHCP IP addy for a Windows 2000 server. Without any access-list the process works just fine. Here is an example of the interface and the access-list which is attached to the interface. When applied I am no longer able to get an IP address from the win2k server. Any insight how to correct this problem?
interface Vlan10
 description vlan 10 - Guest VLAN
 ip address 10.10.9.1 255.255.255.0
 ip broadcast-address 10.10.9.255
 ip access-group 100 in
 ip helper-address 172.16.201.10
 ip helper-address 172.16.201.1
access-list 100 permit ip any host 172.16.201.11
access-list 100 permit udp any host 172.16.201.10 eq domain
access-list 100 permit udp any host 172.16.201.11 eq domain
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq ftp
access-list 100 deny ip any any
Frank
09-14-2005 05:00 AM
Hello Frank,
Your ACL lacks the following line:
access-list 100 permit udp any eq bootpc host 255.255.255.255 eq bootps
Therefore, your list blocks DHCP requests.
Regards,
Leo
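The first-match behaviour behind this answer, as an added example (not code from either poster): a small Python evaluator for the subset of ACL syntax in the thread, run against a constructed DHCPDISCOVER (0.0.0.0:68 to 255.255.255.255:67), which the inbound ACL on Vlan10 sees before the helper-address relay. The guest address 10.10.9.50 and the destination hosts are constructed, and the evaluator is an illustration, not IOS itself; it also shows that the suggested line only takes effect when it sits above the deny ip any any entry.

```python
PORTS = {"ftp": 21, "smtp": 25, "domain": 53, "bootps": 67, "bootpc": 68, "www": 80}
ORIGINAL = """\
access-list 100 permit ip any host 172.16.201.11
access-list 100 permit udp any host 172.16.201.10 eq domain
access-list 100 permit udp any host 172.16.201.11 eq domain
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq ftp
access-list 100 deny ip any any""".splitlines()
LEO_LINE = "access-list 100 permit udp any eq bootpc host 255.255.255.255 eq bootps"
FIXED = ORIGINAL[:-1] + [LEO_LINE, ORIGINAL[-1]]   # new line placed above the deny
APPENDED = ORIGINAL + [LEO_LINE]                   # new line placed below the deny

def parse_ace(line):
    """Parse the subset of extended-ACL syntax used in the thread."""
    tok = line.split()[2:]                      # drop "access-list 100"
    ace, pos = {"action": tok[0], "proto": tok[1]}, 2
    for side in ("src", "dst"):
        if tok[pos] == "any":
            ace[side], pos = None, pos + 1      # None means "match anything"
        else:                                   # "host A.B.C.D"
            ace[side], pos = tok[pos + 1], pos + 2
        ace[side + "_port"] = None
        if pos < len(tok) and tok[pos] == "eq":
            name = tok[pos + 1]
            ace[side + "_port"] = PORTS[name] if name in PORTS else int(name)
            pos += 2
    return ace

def evaluate(acl, pkt):
    """Return (action, matching line); the first matching entry wins."""
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if all(ace[k] in (None, pkt[k]) for k in ("src", "src_port", "dst", "dst_port")):
            return ace["action"], line
    return "deny", "(implicit deny)"

# Constructed sample packets arriving inbound on Vlan10.
DISCOVER = dict(proto="udp", src="0.0.0.0", src_port=68, dst="255.255.255.255", dst_port=67)
HTTPS = dict(proto="tcp", src="10.10.9.50", src_port=40000, dst="198.51.100.7", dst_port=443)
CORP = dict(proto="tcp", src="10.10.9.50", src_port=40001, dst="172.16.201.50", dst_port=445)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("fixed", FIXED), ("appended", APPENDED)):
        for label, pkt in (("discover", DISCOVER), ("https", HTTPS), ("corp", CORP)):
            print(name, label, *evaluate(acl, pkt), sep=" | ")
```
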