VACL design question

mahesh18
Level 6

Hi everyone,

I have a question here about VACL.

I have two 3550 switches running HSRP.

They have VLANs 10, 20 and 30 configured.

3550A is active for VLANs 10, 20 and 30.

3550A then connects to layer 2 switches A and B.

Layer 2 switch A has VLAN 10.

Layer 2 switch B has VLAN 20.

These switches connect to a router for Internet access.

VLAN 10 subnet is 192.168.10.0.

Layer 2 switch A IP: 192.168.10.5.

I was configuring a VACL to test so that from switch 3550A, under VLAN 10, I should not be able to telnet to the layer 2 switch A IP, which is in VLAN 10.

Everything else should work fine.

I did configure the VACL and applied it, but I was unable to ping or telnet to IP 192.168.10.5.

Also, I was unable to ping the 3550B switch VLAN 10 IP, which is the standby, 192.168.10.2.

Is there something wrong I am doing? I need to confirm with you guys.

Config I applied to 3550A:

3550SMIA(config)#ip access-list extended telnet
3550SMIA(config-ext-nacl)#deny tcp 192.168.10.0 0.0.0.255 eq 23 192.168.10.5 ?
A.B.C.D Destination wildcard bits
3550SMIA(config-ext-nacl)#$2.168.10.0 0.0.0.255 eq 23 192.168.10.5 0.0.0.0
3550SMIA(config-ext-nacl)#permit ip any any
3550SMIA(config)#vlan access-map switch 10
3550SMIA(config-access-map)#match ip address telnet
3550SMIA(config-access-map)#action drop
3550SMIA(config-access-map)#vlan access-map switch 20
3550SMIA(config-access-map)#action forward
3550SMIA(config-access-map)#end
3550SMIA#config t
3550SMIA(config)#vlan filter switch vlan-list 10
3550SMIA(config)#end

Thanks

Mahesh

Message was edited by: mahesh parmar
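The VACL matching rule that produces the symptom described in the post, with the posted configuration and a corrected form side by side. This is an added example, not configuration from the thread or from any of its participants; the names TELNET-TO-SWA and SWITCH10-VACL are my own.

```cisco
! Added example, not from the thread. VACL matching rule: an ACL line
! with "permit" means "this packet MATCHES this access-map sequence", so
! the sequence's action applies; "deny" means "no match here, try the
! next sequence". Packets matched by no sequence are dropped.
!
! --- As posted (symptom: ping and telnet in VLAN 10 both fail) ---
ip access-list extended telnet
 deny   tcp 192.168.10.0 0.0.0.255 eq 23 192.168.10.5 0.0.0.0
 permit ip any any
!
! "deny" exempts that telnet flow from seq 10 (it falls through to seq
! 20 and is forwarded); "permit ip any any" matches all other traffic,
! which seq 10 then drops. Also "eq 23" placed after the SOURCE means
! source port 23, not destination port 23, so even the exemption does
! not describe a telnet session to 192.168.10.5.
vlan access-map switch 10
 match ip address telnet
 action drop
vlan access-map switch 20
 action forward
vlan filter switch vlan-list 10
!
! --- Corrected (names TELNET-TO-SWA / SWITCH10-VACL are my own) ---
! The ACL lists only the traffic to drop, as "permit" lines, with the
! port operator after the DESTINATION (tcp/23 to 192.168.10.5).
ip access-list extended TELNET-TO-SWA
 permit tcp 192.168.10.0 0.0.0.255 host 192.168.10.5 eq 23
!
vlan access-map SWITCH10-VACL 10
 match ip address TELNET-TO-SWA
 action drop
vlan access-map SWITCH10-VACL 20
 action forward
vlan filter SWITCH10-VACL vlan-list 10
!
! Check on 3550A with "show vlan access-map" and "show vlan filter":
! telnet to 192.168.10.5 should now fail, while ping to 192.168.10.5
! and to the HSRP standby 192.168.10.2 succeeds.
```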

15 Replies

Hi Giuseppe and John,

Thanks for explaining it to me in detail.

VACL is working as expected.

Best regards

Mahesh