02-08-2012 02:54 AM - edited 03-07-2019 04:48 AM
Hello Everybody
I'm facing one issue with VACL.
I have a LAN network 10.40.X.X/16.
In this network I have a Production VLAN 10 with 10.40.10.X/24,
and I have created VLAN 103 for Guest users as 10.40.103.X/24.
My goal is to restrict VLAN 103 from reaching or accessing VLAN 10; better said, to restrict Guest user access to the production VLAN.
So I tried to put this script with the VACL method, but it doesn't work:
Extended IP access list Restriction-Guest
10 permit ip 10.40.103.0 0.0.0.255 any
vlan access-map Guest 10
action drop
match ip address Restriction-Guest
vlan filter Guest vlan-list 10
After that I am still able to ping or access VLAN 10 from VLAN 103.
PS: I have a CORESW 3750 S.
Thank you in advance.
02-08-2012 03:34 AM
Hi Junior,
Instead of denying the Guest network access to the Production network, you have permitted it.
Do like below to achieve your goal...
ip access-list extended Restrict_Guest
 deny ip any 10.40.10.0 0.0.0.255
 permit ip any any
!
interface Vlan103
 ! "in" = traffic entering the switch from the guest VLAN
 ip access-group Restrict_Guest in
Hope the above is clear and understandable to you.
Please rate all the helpful posts.
Regards,
Naidu.
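To show why the two ACLs in this thread behave differently as router ACLs, here is an added Python model of IOS extended-ACL evaluation (wildcard masks, first match wins, implicit deny at the end). It is example code written for this thread, not Cisco code and not anything from the posters; the ACL lines and the flow addresses below are constructed from the thread, and a VLAN map's match/action semantics are deliberately not modelled, only a router ACL applied inbound on the guest SVI:

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    proto: str       # only "ip" is used in this thread
    src: str         # network address; "any" is stored as 0.0.0.0
    src_wild: str    # wildcard mask; "any" is stored as 255.255.255.255
    dst: str
    dst_wild: str


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask means that bit of addr must
    equal the corresponding bit of network; a 1 bit is a don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def _parse_target(tokens: List[str], i: int):
    """Consume one address spec at tokens[i]: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_entry(line: str) -> AclEntry:
    """Parse one 'permit|deny <proto> <src> <dst>' line as typed in ip access-list extended."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, src_wild, i = _parse_target(tokens, 2)
    dst, dst_wild, _ = _parse_target(tokens, i)
    return AclEntry(action, proto, src, src_wild, dst, dst_wild)


def parse_acl(lines: List[str]) -> List[AclEntry]:
    return [parse_entry(l) for l in lines if l.strip()]


def evaluate(acl: List[AclEntry], src: str, dst: str, proto: str = "ip") -> str:
    """First matching entry decides; no match means the implicit deny at the end."""
    for e in acl:
        proto_ok = e.proto == "ip" or e.proto == proto
        if proto_ok and wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
            return e.action
    return "deny"


# Constructed from the thread: the ACL proposed in the reply above ...
RESTRICT_GUEST = parse_acl([
    "deny ip any 10.40.10.0 0.0.0.255",
    "permit ip any any",
])
# ... and the ACL from the original post, read as a plain router ACL.
RESTRICTION_GUEST = parse_acl([
    "permit ip 10.40.103.0 0.0.0.255 any",
])

# Constructed sample flows, all as seen inbound on the guest SVI (Vlan103).
FLOWS = {
    "guest -> production server": ("10.40.103.5", "10.40.10.20"),
    "guest -> domain controller vlan": ("10.40.103.5", "10.40.12.254"),
    "guest -> outside the /24": ("10.40.103.5", "10.40.11.1"),
}


def check_flows(acl: List[AclEntry]) -> dict:
    """Return {flow name: 'permit'|'deny'} for every constructed flow."""
    return {name: evaluate(acl, s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("Restrict_Guest", RESTRICT_GUEST), ("Restriction-Guest", RESTRICTION_GUEST)):
        print(label)
        for name, verdict in check_flows(acl).items():
            print(f"  {name:32s} {verdict}")
```

Run it and the reply's ACL denies only the guest-to-10.40.10.0/24 flow while permitting the rest; the original post's single permit line, used as a router ACL, permits everything from the guest subnet and (by implicit deny) nothing else, which is the mismatch the reply points out. The model also makes the direction question concrete: these verdicts only hold if the ACL is applied where the guest traffic enters, which is inbound on the guest SVI.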
02-08-2012 04:47 AM
Hello Naidu,
and thank you for your response.
I have finished testing this script with this correction, but it doesn't work.
I am still able to connect to the production VLAN (10) from the guest VLAN (103).
02-08-2012 05:11 AM
Hi Junior,
It is strange.
Can you provide your 3750 switch config?
Hope the above is clear and understandable to you.
Please rate all the helpful posts.
Regards,
Naidu.
02-08-2012 05:15 AM
COBswCR#sh version
Cisco IOS Software, C3750 Software (C3750-IPBASE-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 19-Jul-07 19:15 by nachen
Image text-base: 0x00003000, data-base: 0x01080000
ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(25r)SEC, RELEASE SOFTWARE (fc4)
COBswCR uptime is 17 minutes
System returned to ROM by power-on
System restarted at 12:58:33 UTC Wed Feb 8 2012
System image file is "flash:c3750-ipbase-mz.122-35.SE5/c3750-ipbase-mz.122-35.SE5.bin"
cisco WS-C3750-24P (PowerPC405) processor (revision T0) with 118784K/12280K bytes of memory.
Processor board ID FDO1428X3SY
Last reset from power-on
9 Virtual Ethernet interfaces
24 FastEthernet interfaces
2 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : DC:7B:94:CD:B3:00
Motherboard assembly number : 73-9672-15
Power supply part number : 341-0029-05
Motherboard serial number : FDO14290D7M
Power supply serial number : LIT14200UMD
Model revision number : T0
Motherboard revision number : A0
Model number : WS-C3750-24PS-S
System serial number : FDO1428X3SY
Top Assembly Part Number : 800-25860-09
Top Assembly Revision Number : A0
Version ID : V10
CLEI Code Number : COMAJ10BRA
Hardware Board Revision Number : 0x01
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 26 WS-C3750-24P 12.2(35)SE5 C3750-IPBASE-M
Configuration register is 0xF
COBswCR#sh run
COBswCR#sh running-config
Building configuration...
Current configuration : 3805 bytes
!
! Last configuration change at 13:03:44 UTC Wed Feb 8 2012
! NVRAM config last updated at 13:03:46 UTC Wed Feb 8 2012
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname COBswCR
!
!
username admin privilege 15 password 7 046B5A0A5F3545565B495446
no aaa new-model
switch 1 provision ws-c3750-24p
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
ip domain-name cobeje.co.ao
!
!
!
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
spanning-tree extend system-id
spanning-tree uplinkfast
spanning-tree backbonefast
!
vlan internal allocation policy ascending
!
interface FastEthernet1/0/1
description PORT_RESERVED_Vmware-SRVPROD
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk
!
interface FastEthernet1/0/2
description PORT_RESERVED_Vmware-SRVPROD
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk
!
interface FastEthernet1/0/3
description PORT_RESERVED_Vmware-SRVPROD
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk
!
interface FastEthernet1/0/4
description PORT_RESERVED_Vmware-SRVPROD
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk
!
interface FastEthernet1/0/5
description PORT_RESERVED_Vmware-SRVPROD
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk
!
interface FastEthernet1/0/6
!
interface FastEthernet1/0/7
!
interface FastEthernet1/0/8
!
interface FastEthernet1/0/9
!
interface FastEthernet1/0/10
!
interface FastEthernet1/0/11
!
interface FastEthernet1/0/12
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
!
interface FastEthernet1/0/17
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/19
!
interface FastEthernet1/0/20
switchport access vlan 31
switchport mode access
!
interface FastEthernet1/0/21
description LINK of TEST
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
description LINK-TO-Router(SPOKE)
switchport access vlan 32
switchport mode access
spanning-tree portfast
!
interface FastEthernet1/0/24
description LINK_TO_ASAFW
switchport access vlan 31
switchport mode access
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description Servers Production
ip address 10.40.10.254 255.255.255.0
!
interface Vlan12
description vlan Reserved for DOMAIN CONTROLLER
ip address 10.40.12.254 255.255.255.0
!
interface Vlan14
description (FFTMG,MACAFEE,WSUS,..)
ip address 10.40.14.6 255.255.255.248
!
interface Vlan31
description LINK-to-ASA (Layer1)
no ip address
shutdown
!
interface Vlan32
description LINK-TO-RT(spoke)
ip address 172.40.32.1 255.255.255.252
!
interface Vlan98
description Management dos Servidores da Rede
ip address 10.40.98.254 255.255.255.0
!
interface Vlan99
description ONLY FOR DEVICE MANAGEMENT
ip address 10.40.99.254 255.255.255.0
!
interface Vlan103
ip address 10.40.103.14 255.255.255.240
!
router eigrp 40
variance 2
redistribute connected
passive-interface default
no passive-interface Vlan31
no passive-interface Vlan32
network 172.40.32.1 0.0.0.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.40.14.1
ip http server
!
!
control-plane
!
!
line con 0
privilege level 15
login local
line vty 0 4
privilege level 15
login local
line vty 5 15
login
!
ntp clock-period 36028756
ntp server 192.168.10.9
end