12-09-2009 03:47 AM - edited 03-06-2019 08:53 AM
I have a couple of VLANs on my Cisco 4507.
These are the VLANs:
10.10.1.X/24 -- management
10.10.2.X/24 -- User vlan
10.10.3.X/24 -- Server vlan
I don't want 10.10.2.x and 10.10.3.x to access the management network.
But the management network (10.10.1.x) should be able to access these two networks.
I have tried access lists, but they don't work. If I stop access, it stops both ways. But I want the management network to be able to access the other networks.
Kindly suggest.
Thanks
12-09-2009 04:03 AM
Hi,
Check out the following link for VLAN ACLs; hope this will help you resolve your problem.
Regards
Ganesh.H
12-09-2009 05:22 AM
Can you kindly provide the exact statements to achieve this?
Which way do I have to apply the access list (in / out), and which VLAN should it be put on?
Thanks.
12-09-2009 09:12 PM
A VLAN map works like a route map. To configure VLAN maps to control IP traffic, first configure the VLAN map and then assign a sequence number to the map; VLAN maps are executed from the lowest instance to the highest. Use the global configuration command vlan access-map map_name sequence_number.
It generally works in either direction when applied to a VLAN.
Hope this solves your query and helps to restrict traffic in your VLAN.
Regards
Ganesh.H
12-09-2009 06:58 AM
Hi,
As per your requirement, you can use a PVLAN configuration, where you can keep your management VLAN as the primary VLAN and the server and user VLANs will be isolated VLANs.
Hope you get some clues from this.
Thanks and Regards,
sourabh
12-09-2009 11:50 PM
I have tried VLAN maps... still doesn't work.
Extended IP access list test-acl
10 permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
vlan access-map test-map 10
action drop
match ip address test-acl
vlan access-map test-map 20
action forward
I am not able to ping the server VLAN from the user VLAN. Able to ping other subnets.
But I am also not able to ping the user VLAN from the management VLAN, which still doesn't solve my problem.
Regards,
venkat
12-10-2009 12:32 AM
Try this configuration as per your setup:
vlan access-map allow_ip 10
match ip address deny_to_mangement_lan
action drop
vlan access-map allow_ip 20
match ip address mangement_lan_to_all
action forward
exit
ip access-list extended deny_to_mangement_lan
permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
exit
ip access-list extended mangement_lan_to_all
permit ip 10.10.1.0 0.0.0.255 any
exit
vlan filter allow_ip vlan-list "management vlan number"
Hope this helps you out
Regards
Ganesh.H
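The VLAN-map approach above is stateless: once the map is applied to the management VLAN, a reply packet travelling from 10.10.2.x back to 10.10.1.x matches deny_to_mangement_lan just like a connection the user VLAN initiated, which is why the earlier test showed management also losing reachability. An added example (not from this thread or from Cisco documentation) of the usual alternative is a router ACL on each non-management SVI that blocks new traffic toward management but lets replies through. It assumes the SVIs are named Vlan2 (user) and Vlan3 (server), and that the management VLAN needs no ACL of its own; the ACL names are invented here.

```cisco
! Added example, not the thread's own configuration.
! Assumed SVIs: Vlan2 = 10.10.2.0/24 (user), Vlan3 = 10.10.3.0/24 (server).
! Applied inbound on each SVI, so only traffic the user/server VLAN sends is checked.
ip access-list extended USER-TO-MGMT
 remark TCP replies to sessions the management network opened (ACK/RST set)
 permit tcp 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255 established
 remark ICMP echo replies so management can still ping the user VLAN
 permit icmp 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255 echo-reply
 remark Everything else the user VLAN originates toward management is dropped
 deny ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255 log
 remark User VLAN keeps normal access to every other destination
 permit ip any any
!
ip access-list extended SERVER-TO-MGMT
 permit tcp 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255 established
 permit icmp 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255 echo-reply
 deny ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255 log
 permit ip any any
!
interface Vlan2
 ip access-group USER-TO-MGMT in
!
interface Vlan3
 ip access-group SERVER-TO-MGMT in
```

Two caveats when adapting this: the established keyword only recognises TCP segments with ACK or RST set, so UDP-based management traffic that originates from 10.10.1.x (SNMP polls, syslog queries, DNS) needs its reply ports permitted explicitly, and the log keyword on the deny lines is optional; it is useful for spotting blocked connection attempts but causes those packets to be handled in software, so drop it if the volume of denied traffic is high.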
12-10-2009 02:48 AM
Is it to be applied on the management VLAN?
If so, I have to wait till the weekend to be able to test this, as it will impact production.
Thanks
12-10-2009 03:04 AM
Yes, you need to apply it on the management VLAN only. Try the configuration and share your feedback by the end of the week.
Regards
Ganesh.H