12-23-2009 09:12 AM - edited 02-20-2020 09:42 PM
I have two Vlans configured in our 4507 switch (IOS). Vlan 1 as company vlan and Vlan 2 as vendor vlan. I would like to configure access list(s) to accomplish the following rules:
Vlan 1 has full access to Vlan 2 (to the whole subnet or only a few IP addresses).
Vlan 2 has no access to Vlan 1 at all.
What is the best way to have this done? Any suggestion will be appreciated.
Happy Holiday!
12-26-2009 02:04 AM
Hi,
Check out the link on how to configure and apply ACLs in switches
Hope this resolves your query!!
Regards
Ganesh.H
12-28-2009 04:00 PM
Applying an ACL on a vlan interface will only have the ACL kick in if packets are L3 routed on the switch (hit the vlan SVI).
What you want is a Vlan ACL (VACL) explained here http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/vacl.html
Here is an example:
Router# show ip access-lists net_10
Extended IP access list net_10
permit ip 10.0.0.0 0.255.255.255 any
Router# show ip access-lists any_host
Standard IP access list any_host
permit any
This example shows how to define and apply a VLAN access map to forward IP packets. In this example, IP traffic matching net_10 is forwarded and all other IP packets are dropped due to the default drop action. The map is applied to VLAN 12 to 16.
Router(config)# vlan access-map thor 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action forward
Router(config-access-map)# exit
Router(config)# vlan filter thor vlan-list 12-16
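An added example, not part of the original thread: a small Python model of how the access map "thor" above is evaluated, using IOS wildcard-mask matching, an implicit deny at the end of each ACL, and the default drop action of the map. It shows that the map decides on the source address alone, with no direction or connection state, so a reply from a non-10.x host is dropped as well. The sample packets and the function names are constructed for illustration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

# ACL from the post: (action, source base, source wildcard); destination is "any".
ACLS = {
    "net_10": [("permit", "10.0.0.0", "0.255.255.255")],
}

# vlan access-map thor 10 / match ip address net_10 / action forward
ACCESS_MAP_THOR = [(10, "net_10", "forward")]

def acl_permits(acl_name, src):
    """First matching entry wins; no match means the implicit deny applies."""
    for action, base, wc in ACLS[acl_name]:
        if wildcard_match(src, base, wc):
            return action == "permit"
    return False

def vacl_action(access_map, src):
    """Action for an IP packet with source `src` in a VLAN the map filters."""
    for _seq, acl_name, action in sorted(access_map):
        if acl_permits(acl_name, src):
            return action
    return "drop"  # default drop action when no sequence matches

def evaluate(packets):
    return [(src, dst, vacl_action(ACCESS_MAP_THOR, src)) for src, dst in packets]

# Constructed sample packets (src, dst); the addresses are illustrative only.
SAMPLE = [
    ("10.1.2.3", "192.168.2.10"),   # request from a 10.x host
    ("192.168.2.10", "10.1.2.3"),   # reply to that host, non-10.x source
    ("172.16.5.9", "10.1.2.3"),     # unrelated non-10.x source
]

if __name__ == "__main__":
    for src, dst, action in evaluate(SAMPLE):
        print(f"{src:>15} -> {dst:<15} {action}")
```
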