MISSION VACL... Anyhow, I need a VACL to be configured...

Milan Rai
Level 1

From VLAN 213 everything is dropped...

ip access-list extended print
 permit tcp any any eq 1985
 permit tcp host 192.168.213.59 host 192.168.6.7 eq 1526
 permit tcp host 192.168.213.60 host 192.168.6.7 eq 1526
 permit tcp host 192.168.213.58 host 192.168.6.7 eq 1526
 permit tcp host 192.168.213.58 host 192.168.6.7 eq 3389
 deny ip any any

vlan access-map DEPT 10
 match ip address print
 action forward
vlan access-map DEPT 20
 action drop

vlan filter DEPT vlan-list 213

This is my configuration, guys. After this is applied to VLAN 213 everything is dropped, and even my other VLANs are affected. WHY?? I can't even ping the gateway. I am sorry that I forgot to mention HSRP to you: for this VLAN 213 we have configured a standby IP. So I hope I have made my topology clear to you.

6 Replies

shanilkumar2003
Level 1

You should configure this on the VLAN interface with an access-group to restrict the access.

A VACL is better used to restrict access within vlan 123.

Regards,

Shanil

That means... a VACL is only for restricting access within the VLAN???

Actually my access list was the same as what you are suggesting. I am trying for a more specific access list, thus I need to switch to a VACL...

VACLs are used to control traffic within a VLAN. The ACL that you have doesn't match traffic within the VLAN, so it hits the deny-everything, which is why you lose traffic. This type of ACL needs to be applied to the L3 SVI that's attached to the VLAN. Since you said you have HSRP configured, I'm assuming that you have an "int vlan 213". If that's the case, you'd want to not use VACLs, and instead use the access list directly on the SVI.

int vlan 213
 ip access-group print in

HTH,
John

*** Please rate all useful posts ***


John, you have described the present scenario of my network. I have int vlan 213 with ip access-group print in,

but I have a problem with this too, so I am trying to go for a VACL. Will you please just tell me why my whole network gets dropped after applying the VACL to just VLAN 213?

I explained above. In your case, the VACL's method is to drop traffic that doesn't match. The VACL isn't the correct method to apply here, since you are crossing VLANs (I'm assuming this because of the different subnets). A VACL only works when you're trying to block traffic within the same VLAN, not inter-VLAN. Inter-VLAN traffic is going to use ACLs on the SVI interface, as stated above...

HTH,
John

*** Please rate all useful posts ***

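As an added illustration (not from the thread or from Cisco), here is a small Python model of how a Cisco VLAN access map evaluates a packet, run against the DEPT map and the print ACL posted above. The detail it makes visible is that a deny entry in the match ACL (including the implicit deny) does not drop the packet; it only means "no match in this sequence", so everything not explicitly permitted falls through to sequence 20 and is dropped, including ICMP to the gateway and HSRP hellos, which are UDP port 1985 rather than TCP. The sample packets and the gateway/standby addresses are constructed for the example.

```python
from dataclasses import dataclass

# Assumed Cisco VACL semantics: sequences are tried in order; a sequence
# matches only if the packet hits a PERMIT entry of its ACL; a DENY entry
# (or the implicit deny) means "try the next sequence", not "drop";
# a sequence without a match clause matches everything; no match at all
# drops the packet.

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0    # 0 = no port (e.g. ICMP)

# ACL "print" exactly as posted: (action, proto, src, dst, dport); 0 = any port
PRINT_ACL = [
    ("permit", "tcp", "any", "any", 1985),
    ("permit", "tcp", "192.168.213.59", "192.168.6.7", 1526),
    ("permit", "tcp", "192.168.213.60", "192.168.6.7", 1526),
    ("permit", "tcp", "192.168.213.58", "192.168.6.7", 1526),
    ("permit", "tcp", "192.168.213.58", "192.168.6.7", 3389),
    ("deny", "ip", "any", "any", 0),
]

# access-map DEPT: seq 10 -> match print, forward; seq 20 -> no match clause, drop
DEPT_MAP = [(10, PRINT_ACL, "forward"), (20, None, "drop")]

def ace_hits(ace, pkt):
    _, proto, src, dst, dport = ace
    return ((proto == "ip" or proto == pkt.proto)
            and src in ("any", pkt.src)
            and dst in ("any", pkt.dst)
            and (dport == 0 or dport == pkt.dport))

def acl_permits(acl, pkt):
    """First matching ACE decides; implicit deny if nothing matches."""
    for ace in acl:
        if ace_hits(ace, pkt):
            return ace[0] == "permit"
    return False

def vacl_action(access_map, pkt):
    for _seq, acl, action in access_map:
        if acl is None or acl_permits(acl, pkt):
            return action
    return "drop"  # nothing matched: VACL default

# Constructed sample traffic seen on VLAN 213 (addresses are assumptions)
PING_GATEWAY = Packet("icmp", "192.168.213.58", "192.168.213.1")
HSRP_HELLO = Packet("udp", "192.168.213.2", "224.0.0.2", 1985)  # HSRP is UDP/1985
RDP_ALLOWED = Packet("tcp", "192.168.213.58", "192.168.6.7", 3389)
```

Running `vacl_action(DEPT_MAP, pkt)` on the three samples returns "drop" for the ping and the HSRP hello and "forward" only for the RDP session, which is the symptom described in the thread.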

OK John, then should I only be going with ACLs on the SVI interface??? Am I right????

OK... thanks... I will check it out...
