
Access list problem

cro9uk
Level 1

Hi guys, can someone please have a look at this ACL? It's acting strange on my 3750. I have a port in vlan 10 (192.168.100.x) and the rest in vlan 1 (10.x.x.x). The 192.168.4.0 network is on another connected router without ACLs.

access-list 120 deny ip 192.168.100.0 0.0.0.255 192.168.4.0 0.0.0.255

access-list 120 permit ip any

int vlan 10

ip access-group 120 in

When I apply this, vlan 10 traffic can't get to the 192.168.4.x network, but neither can traffic in vlan 1. Is the config different on subinterfaces?

3 Replies

lgijssel
Level 9

line 2:

access-list 120 permit ip any

should probably read:

access-list 120 permit ip any any

Regards,

Leo

Did that (I mistyped). Scratching my head why vlan 1 traffic would be affected. Even if I put a blanket deny ip any any in, providing I only applied it to vlan 10 in, it shouldn't affect vlan 1 traffic. My question is: are VACLs tricky to implement? Or should this VACL work?

Hello,

You could try a VLAN ACL instead and see if that works any better:

vlan access-map BLOCK 10

action drop

match ip address 100

vlan access-map BLOCK 20

action forward

vlan filter BLOCK vlan-list 10

!

access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.4.0 0.0.0.255

Regards,

GP
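
The ACL 120 and the VLAN map BLOCK from this thread, evaluated offline against a few constructed packets. This is an added example, not part of any post above; the function names and the sample addresses are assumptions, and the model covers only first-match evaluation with wildcard masks, the implicit deny at the end of an ACL, and the Catalyst 3750 behaviour of dropping IP packets that match no entry of a VLAN map containing an IP match clause.

```python
import ipaddress

def wc_match(addr, base, wildcard):
    """IOS wildcard match: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

ANY = ("0.0.0.0", "255.255.255.255")
NET_100 = ("192.168.100.0", "0.0.0.255")
NET_4 = ("192.168.4.0", "0.0.0.255")

# access-list 120 with the corrected "permit ip any any" line
ACL_120 = [("deny", NET_100, NET_4), ("permit", ANY, ANY)]
# access-list 100 from the VACL reply: "permit" only selects traffic for the map
ACL_100 = [("permit", NET_100, NET_4)]
# vlan access-map BLOCK: (sequence, match ACL or None, action)
VACL_BLOCK = [(10, ACL_100, "drop"), (20, None, "forward")]

def acl_eval(acl, src, dst):
    """Return the action of the first matching entry, else the implicit deny."""
    for action, s, d in acl:
        if wc_match(src, *s) and wc_match(dst, *d):
            return action
    return "deny"

def vacl_eval(vmap, src, dst):
    """Walk map entries in sequence order; an entry with no match clause matches all."""
    for _seq, acl, action in sorted(vmap, key=lambda e: e[0]):
        if acl is None or acl_eval(acl, src, dst) == "permit":
            return action
    return "drop"  # no entry matched an IP packet

if __name__ == "__main__":
    # Constructed sample packets (source, destination)
    packets = [
        ("192.168.100.5", "192.168.4.10"),  # vlan 10 host to the remote network
        ("192.168.100.5", "10.1.1.1"),      # vlan 10 host to vlan 1
        ("10.1.1.1", "192.168.4.10"),       # vlan 1 host to the remote network
    ]
    for src, dst in packets:
        print(f"{src:>15} -> {dst:<15}"
              f" acl120={acl_eval(ACL_120, src, dst):<7}"
              f" acl120-without-permit={acl_eval(ACL_120[:1], src, dst):<5}"
              f" vacl={vacl_eval(VACL_BLOCK, src, dst)}")
```

The third packet shows that neither line of ACL 120 denies a 10.x.x.x source, and the middle column shows that without the trailing permit entry every packet falls through to the implicit deny.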
