HOW DO I CREATE VACL IN SWITCH FOR TRAFFIC CONTROL

suhas_syndrome
Level 1

1) I have configured two VLANs on my core switch (VLAN-100, VLAN-200)

2) HTTP, SMTP (mail server) & PC1 are in VLAN 100

3) PC4, PC5 & PC6 are in VLAN 200

What access-list should be created for the tasks below:

1) PC4 & PC5 in VLAN 200 should access only the HTTP server in VLAN-100

and can access the Internet

2) PC6 in VLAN 200 should access only the SMTP server in VLAN 100

and cannot access the Internet

3) PC1 in VLAN 100 should not access any host in VLAN 200, but it can access the Internet

Please find the network image for reference....

vacl.jpg

Regards

Suhas B.

4 Replies

Hello
VACLs are only used for filtering traffic within the same VLAN.

However, RACLs should be able to accomplish your request.


Re
Paul

Sent from Cisco Technical Support iPad App


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Pdriver,

   Can you help me and give me a basic idea of how to create that RACL...

Regards

Suhas

Hello

access-list 100 remark Allow PCs 4-5-6 to HTTP&SMTP in vlan 100
access-list 100 permit tcp host 10.10.200.10 host 10.10.100.50 eq 80
access-list 100 deny ip host 10.10.200.10 any
access-list 100 permit tcp host 10.10.200.11 host 10.10.100.50 eq 80
access-list 100 deny ip host 10.10.200.11 any
access-list 100 permit tcp host 10.10.200.12 host 10.10.100.50 eq 25
access-list 100 deny ip host 10.10.200.12 any
access-list 100 permit ip any any

access-list 101 remark Deny PC1 to vlan 200

access-list 101 deny ip host 10.10.100.10 any
access-list 101 permit ip any any

interface Vlan100
ip access-group 101 in


interface Vlan200
ip access-group 100 in

Please don't forget to rate any posts that have been helpful.

Thanks.



Kind Regards
Paul

Hi Pdriver,

Your information is helpful.

But you have created access-list 101 only for host 10.10.100.10.

I want to deny all traffic from VLAN 100 to VLAN 200 & I have created the following access-list:

* access-list 101 deny ip 10.10.100.0 0.0.0.255 10.10.200.0 0.0.0.255

* access-list 101 permit ip any any

& applied it to

interface vlan 100

ip access-group 101 in

But the problem is that all traffic from VLAN 200 to VLAN 100 is restricted.

That's why I applied

interface vlan 100

ip access-group 101 out

Now VLAN 200 hosts can access the VLAN 100 HTTP server and VLAN 100 cannot access VLAN 200.

Please correct me... is this OK or not?

Regards

Suhas
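The thread's ACLs checked with a small first-match evaluator, an added example that is not part of the thread and not Paul's or Suhas's code: it models ACL 100 applied in on Vlan200 and the chosen ACL in on Vlan100 as a stateless check of both directions of a TCP session, and shows why the subnet-wide ACL 101 from the last post also drops the HTTP server's replies to PC4. ACL 102, using the IOS established keyword, is a hypothetical variant assumed here as one way to let return traffic through; the 10.10.x.x addresses are Paul's examples, PC5's two lines are omitted for brevity, and the ephemeral port 49152 is constructed.

```python
import ipaddress

# Constructed from the thread: Paul's ACL 100 (PC4 and PC6 lines), Suhas's subnet-wide ACL 101,
# and a hypothetical ACL 102 that uses 'established' so TCP replies can reach vlan 200 again.
ACL_TEXT = """
access-list 100 permit tcp host 10.10.200.10 host 10.10.100.50 eq 80
access-list 100 deny ip host 10.10.200.10 any
access-list 100 permit tcp host 10.10.200.12 host 10.10.100.50 eq 25
access-list 100 deny ip host 10.10.200.12 any
access-list 100 permit ip any any
access-list 101 deny ip 10.10.100.0 0.0.0.255 10.10.200.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 permit tcp 10.10.100.0 0.0.0.255 10.10.200.0 0.0.0.255 established
access-list 102 deny ip 10.10.100.0 0.0.0.255 10.10.200.0 0.0.0.255
access-list 102 permit ip any any
"""

def _addr(tok):  # one IOS address spec: 'any', 'host A' or 'A WILDCARD' (wildcard == hostmask)
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_acl(text):  # -> {acl_number: [(action, proto, src_net, dst_net, dport, established), ...]}
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()  # access-list N ACTION PROTO SRC DST [eq PORT] [established]
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        acls.setdefault(t[1], []).append((t[2], t[3], src, dst, dport, "established" in rest))
    return acls

def evaluate(entries, proto, src, dst, dport, ack=False):  # first match wins; implicit deny at the end
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, dn, port, est in entries:  # 'established' only matches ACK/RST segments
        if (p in ("ip", proto) and (ack or not est) and s in sn and d in dn
                and (port is None or port == dport)):
            return action
    return "deny"

def tcp_session_allowed(acls, vlan100_acl, client, server, port):
    # Stateless model: ACL 100 'in' on Vlan200, vlan100_acl 'in' on Vlan100. The client's SYN must
    # pass its own SVI's ACL and the server's SYN/ACK (to an ephemeral port) must pass the other one.
    vlan200 = ipaddress.ip_network("10.10.200.0/24")
    ingress = lambda ip: acls["100"] if ipaddress.ip_address(ip) in vlan200 else acls[vlan100_acl]
    syn = evaluate(ingress(client), "tcp", client, server, port)
    syn_ack = evaluate(ingress(server), "tcp", server, client, 49152, ack=True)
    return syn == "permit" and syn_ack == "permit"
```

Running it also shows that ACL 100 as posted denies PC4's traffic to the Internet, which requirement 1 asked to allow, because the per-host deny follows the single HTTP permit. The model only follows the TCP handshake; UDP and ICMP would need their own return-path rules.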