Configure VLAN Access Map

CiscoBrownBelt
Level 6

Cisco docs a bit confusing and just looking for some clarification. If I want to create a vlan Access-map to only allow subnet hosts 10.10.10.0 /24 and drop everything else on vlan 10, would I do the following configs (see 2nd sequence) or is the best way to do it using VACL?

 

ip access-list standard 10
permit 10.10.10.0 0.0.0.255
exit

vlan access-map ALLOW 10
match ip address 10
action forward
exit

vlan access-map ALLOW 20
action drop
exit

vlan filter ALLOW vlan-list 10

4 Replies

balaji.bandi
Hall of Fame

Seems to be OK. It would be nice if you changed the access-list number, because you are tagging VLAN 10 and the access-list is also 10, which is confusing.

 

ip access-list standard 10  <<- change to any other number
permit 10.10.10.0 0.0.0.255
exit

vlan access-map ALLOW 10
match ip address 10  <--- change as per above number
action forward
exit

vlan filter ALLOW vlan-list 10  <- apply this to VLAN 10. That is the reason the above change makes a difference when you are reading.

Test and advise.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Awesome, thanks. How about the action drop statement? That is how you would configure it if you want to drop everything else outside of the 10.10.10.0 subnet for vlan 10 (can change to 30), correct?

Yes, it is easier to understand rather than confusing with 10 all over. VLAN 10 stays as it is; the ACL number changes.

 

BB


You don't have to have the "action drop" statement, because by default anything outside 10.10.10.0/24 will be dropped, but if you want to keep it, that is fine too. The sequence number can be anything: 20, 30, etc.

HTH
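
An added example (not written by any poster in this thread) that models how the access map is evaluated for IPv4 packets, to show the point of the last reply: sequence 20 with "action drop" gives the same result as the implicit drop. The Python names, the sample source addresses and the implicit-drop rule as coded are assumptions of this sketch, and non-IP traffic is not modelled.

```python
import ipaddress

# Constructed model of the thread's objects (not taken from a real device).
# Standard ACL 10: permit source 10.10.10.0/24, then the ACL's implicit deny.
ACLS = {"10": [("permit", ipaddress.ip_network("10.10.10.0/24"))]}

# VLAN access-map entries as (sequence, matched ACL or None, action).
MAP_WITH_DROP = [(10, "10", "forward"), (20, None, "drop")]
MAP_WITHOUT_DROP = [(10, "10", "forward")]

def acl_permits(acl_name, src):
    """First matching ACE decides; no matching ACE means implicit deny."""
    addr = ipaddress.ip_address(src)
    for action, network in ACLS[acl_name]:
        if addr in network:
            return action == "permit"
    return False

def vacl_decision(access_map, src):
    """Return 'forward' or 'drop' for an IPv4 packet with source address src."""
    saw_ip_match = False
    for _seq, acl_name, action in sorted(access_map, key=lambda e: e[0]):
        if acl_name is None:
            return action              # entry without a match clause matches everything
        saw_ip_match = True
        if acl_permits(acl_name, src):
            return action              # ACL permit = "this entry matches"
    # No entry matched. Assumed platform rule: unmatched IP packets are dropped
    # when the map has at least one IP match clause, otherwise forwarded.
    return "drop" if saw_ip_match else "forward"

def compare(sources):
    """Decision per source as (with sequence 20, without sequence 20)."""
    return {s: (vacl_decision(MAP_WITH_DROP, s), vacl_decision(MAP_WITHOUT_DROP, s))
            for s in sources}

if __name__ == "__main__":
    # Constructed sample sources: one inside the permitted subnet, two outside.
    for src, (with_drop, without_drop) in compare(
            ["10.10.10.25", "10.10.20.7", "192.168.1.1"]).items():
        print(f"{src:<12} with seq 20: {with_drop:<8} without seq 20: {without_drop}")
```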

 
