10-01-2008 08:37 AM - edited 03-06-2019 01:42 AM
Hi,
I have Cisco 6500 SUP720 IOS 12.2(17d) with multiple vlans 5, 6, 7, 33 and 90.
Vlan 90 = 10.90.1.X network equipment
Vlan 33 = 10.200.1.6 my PC
Vlan 5, 6 and 7 = 10.5.1.X, 10.6.1.X and 10.7.1.X staff PCs
I want to be able to control access to vlan 90 so that only vlan 33 has access.
So I set up an ACL, a VACL and a VLAN access-map like this:
ip access-list standard in-switches
permit 10.200.1.0 0.0.0.255
ip access-list standard allow-any
permit any
vlan access-map map90 10
match ip address in-switches
action forward
vlan access-map map90 20
match ip address allow-any
action drop
vlan filter map90 vlan-list 90
As soon as I apply the last command I lose connection to vlan 90 (can't ping it). What am I doing wrong?
Thanks in advance :)
10-01-2008 09:04 AM
Hello Joel,
I would try to use only the first block of the VACL. Try the following:
no vlan access-map map90 20
then apply the VACL again and tell us if you see any difference.
VACLs have an implicit deny at the end of the map; a packet is denied if it does not match any ACL entry, and at least one ACL is configured for the packet type.
The second aspect is that a standard ACL is used to match the source IP address only.
I would use an extended ACL permitting traffic between the two subnets
no ip access-list standard allow-any
ip access-list extended in-switches
permit ip 10.200.1.0 0.0.0.255 10.90.1.0 0.0.0.255
permit ip 10.90.1.0 0.0.0.255 10.200.1.0 0.0.0.255
Hope this helps,
Giuseppe
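To make the two answers concrete, here is a small model of VACL evaluation added as an illustration; it is not code from the thread or from Cisco. It applies the thread's original map (standard ACL plus a catch-all drop) and Giuseppe's suggested map (one extended ACL permitting both directions) to a few constructed flows: the ping request from Joel's PC, its echo reply coming back from a VLAN 90 device, and a staff PC trying to reach VLAN 90. The device address 10.90.1.10 and the staff address 10.5.1.20 are assumed sample values, and the model deliberately keeps only the first-match and implicit-deny semantics described in the answer.

```python
"""Minimal model of Cisco VLAN access-map (VACL) evaluation.

Added illustration, not Cisco code: each map sequence is (acl, action); the
first sequence whose ACL permits the packet decides, otherwise the map's
implicit deny drops it. ACL entries are (src, src_wildcard, dst, dst_wildcard).
"""
import ipaddress

# "any" in IOS syntax: network 0.0.0.0 with an all-ones wildcard mask
ANY = ("0.0.0.0", "255.255.255.255")


def in_wildcard(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_permits(acl, src: str, dst: str) -> bool:
    """An ACL made only of permit entries matches if any entry covers src and dst."""
    return any(
        in_wildcard(src, s, sw) and in_wildcard(dst, d, dw)
        for s, sw, d, dw in acl
    )


def vacl_action(access_map, src: str, dst: str) -> str:
    """First matching sequence wins; no match means the implicit deny (drop)."""
    for acl, action in access_map:
        if acl_permits(acl, src, dst):
            return action
    return "drop"


# --- the thread's original configuration --------------------------------
# standard ACL: source-only match, destination is effectively "any"
IN_SWITCHES_STD = [("10.200.1.0", "0.0.0.255", *ANY)]
ALLOW_ANY = [(*ANY, *ANY)]
ORIGINAL_MAP = [(IN_SWITCHES_STD, "forward"), (ALLOW_ANY, "drop")]

# --- Giuseppe's suggestion: one extended ACL, both directions ------------
IN_SWITCHES_EXT = [
    ("10.200.1.0", "0.0.0.255", "10.90.1.0", "0.0.0.255"),
    ("10.90.1.0", "0.0.0.255", "10.200.1.0", "0.0.0.255"),
]
SUGGESTED_MAP = [(IN_SWITCHES_EXT, "forward")]

# Constructed sample flows (device and staff addresses are assumed values).
FLOWS = {
    "request": ("10.200.1.6", "10.90.1.10"),   # Joel's PC pings a switch
    "reply":   ("10.90.1.10", "10.200.1.6"),   # echo reply back into VLAN 33
    "staff":   ("10.5.1.20",  "10.90.1.10"),   # staff PC tries to reach VLAN 90
}


def evaluate(access_map) -> dict:
    """Return the action the map applies to each sample flow."""
    return {name: vacl_action(access_map, src, dst) for name, (src, dst) in FLOWS.items()}


if __name__ == "__main__":
    for label, amap in (("original", ORIGINAL_MAP), ("suggested", SUGGESTED_MAP)):
        print(label, evaluate(amap))
```

Running it shows the difference the answer points at: with the original map the echo request is forwarded but the reply, whose source is 10.90.1.x, misses the standard ACL, hits the allow-any sequence and is dropped, so the ping never completes. With the extended ACL both directions of the 10.200.1.0/24 to 10.90.1.0/24 conversation are forwarded, and the staff flow still falls through to the implicit deny, which is the intended restriction.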
10-02-2008 06:31 AM
Giuseppe,
Thanks for the speedy response and your suggestion worked great.
Thanks again:)