ACL in RSM

paulo.s
Level 1

Hi, I work with a Catalyst 4006 + RSM. My interfaces are configured as trunks, with subinterfaces for each vlan: gigabit 3.1, 3.2, 4.1, 4.2, etc. I have an ACL applied inbound on the vty line and it works ok. But on a subinterface it doesn't work.

Cisco Internetwork Operating System Software
IOS (tm) L3 Switch/Router Software (CAT4232-IN-M), Version 12.0(10)W5(18f)
ROM: System Bootstrap, Version 12.0(7)W5(15b) RELEASE SOFTWARE
ROM: L3 Switch/Router Software (CAT4232-IN-M), Version 12.0(25)W5(27) RELEASE SOFTWARE
Router uptime is 19 weeks, 1 day, 19 hours, 31 minutes
System restarted by power-on at 17:00:07 edt3 Sun Jun 4 2006
Running default software
cisco Cat4232L3 (R5000) processor with 57344K/8192K bytes of memory.
R5000 processor, Implementation 35, Revision 2.1
Last reset from power-on
1 FastEthernet/IEEE 802.3 interface(s)
4 Gigabit Ethernet/IEEE 802.3z interface(s)
123K bytes of non-volatile configuration memory.
16384K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2

Anybody can help me?

Thks,

Paulo

2 Replies

a.kiprawih
Level 7

You need to apply the ACL on the VLAN/SVI interface, instead of physical sub-interface.

Applying an ACL (ip access-group) on the vty is common, but to filter telnet to the Vlan, i.e. a member host telnetting to the Vlan interface IP at the GW, you need to apply the ACL on the Vlan itself.

Create an ACL defining the hosts/IPs permitted to telnet, and apply it to the Vlan using the 'access-group' command.

HTH

AK

Ok, I applied it.

My configuration:

access-list 101 permit ip 10.0.75.0 0.0.0.255 any log
access-list 101 permit ip host 10.0.65.16 any log
access-list 101 deny ip any any log

interface GigabitEthernet3.102
 description Vlan Acesso Rede Adm SUN
 encapsulation dot1Q 102
 ip address 10.0.30.1 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip directed-broadcast
 no cdp enable

Any ideas?

Thks,

Paulo
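As an added example (not part of the thread), a small Python model of IOS wildcard-mask matching that evaluates the three access-list 101 entries from the post above with first-match semantics against constructed sample packets arriving inbound on GigabitEthernet3.102. It shows which sources the list permits and that, because every entry matches on source only, the closing deny ip any any also drops a VLAN 102 host's own routed traffic, not just telnet to the interface address.

```python
import ipaddress

# IOS wildcard masks: a 0 bit means "must match", a 1 bit means "don't care".
def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

# access-list 101 from the post as (action, source base, source wildcard).
# "host X" is X with wildcard 0.0.0.0; "any" is 0.0.0.0 255.255.255.255.
ACL_101 = [
    ("permit", "10.0.75.0", "0.0.0.255"),
    ("permit", "10.0.65.16", "0.0.0.0"),
    ("deny", "0.0.0.0", "255.255.255.255"),
]

def evaluate(acl, src: str):
    """First-match evaluation; returns (action, index of matching entry).
    IOS appends an implicit 'deny ip any any' when no entry matches."""
    for idx, (action, base, wc) in enumerate(acl):
        if wildcard_match(src, base, wc):
            return action, idx
    return "deny", None

# Constructed sample packets, inbound on GigabitEthernet3.102 (VLAN 102,
# 10.0.30.0/24). Entries are "ip ... any", so destination and protocol are
# irrelevant; only the source decides the outcome.
SAMPLES = [
    ("10.0.75.23", "10.0.30.1", "telnet to the subinterface address"),
    ("10.0.65.16", "10.0.30.1", "telnet to the subinterface address"),
    ("10.0.65.17", "10.0.30.1", "telnet to the subinterface address"),
    ("10.0.30.55", "10.0.75.5", "routed transit traffic from a VLAN 102 host"),
]

def run():
    """Evaluate every sample; returns a list of (src, dst, action)."""
    results = []
    for src, dst, what in SAMPLES:
        action, idx = evaluate(ACL_101, src)
        results.append((src, dst, action))
        print(f"{src:>12} -> {dst:<12} {action:6} (entry {idx}) {what}")
    return results

if __name__ == "__main__":
    run()
```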