VACL on 3750

cisco_lite
Level 1

VLAN on 3750 has 5 ports/hosts assigned to 10.10.10.x/24 network.

What would a simple VACL configuration look like where only SSH among the five ports/hosts is allowed?

Accepted Solution

ohassairi
Level 5

Try the following:

(config)#ip access-list extended test
(config-ext-nacl)#permit tcp 10.10.10.0 0.0.0.255 any eq 22

then

(config)#vlan access-map tt 1
(config-access-map)#match ip address test
(config-access-map)#action forward
(config-access-map)#exit
(config)#vlan filter tt vlan-list 10

I suppose your VLAN is number 10.

Note: if you have an L3 interface for this VLAN in your switch (interface vlan 10; ip address 10.10.10.1 255.255.255.0), the configuration will be easier.


5 Replies


I read through some materials which say that a VACL/VLAN access-map is applicable only to packets coming into or going out of the VLAN.

Is it correct that a VACL also applies to traffic within the VLAN, i.e. restricting/allowing access from a host on port 1 to another host on port 2 (in the same VLAN)?

Please confirm.

Thanks.

The VACL will apply to traffic within the VLAN also. Check

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/vacl.html

"VACLs can provide access control for all packets that are bridged within a VLAN or that are routed into or out of a VLAN"

When I include the following ACL with the action set to forward, access from 20.x to 20.x is blocked:

Extended IP access list MYACL

10 permit tcp any 20.20.20.0 0.0.0.255 eq 1500

1500 is a TCP service which is running on the 20.x network hosts. However, when I replace the ACL with permit ip any any, it goes through.

Do ACLs work differently with VLAN filters? Why are all 20.x hosts blocked from 1500 with the above ACL?

Ok. It has to be applied both ways.
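To make the direction problem in the two ACLs above concrete (the accepted solution's `permit tcp 10.10.10.0 0.0.0.255 any eq 22` and the later `permit tcp any 20.20.20.0 0.0.0.255 eq 1500`), here is an added Python model of how a VACL evaluates each bridged packet against an extended ACL. It is example code written for this edit, not from the thread and not Cisco's, and it assumes only the ACE syntax that appears in the thread (permit/deny, tcp/udp/ip, `any`, `host`, address plus wildcard mask, `eq` ports), first-match semantics, and the implicit deny at the end of every IOS ACL. The return-direction ACE in `TWO_WAY` is my reading of "it has to be applied both ways"; the hosts 10.10.10.5/.6, 20.20.20.5/.6 and the packets are constructed sample input. Because a VACL is stateless, the reply packets (source port 22 or 1500) never match an ACE that only names the destination port, so they hit the implicit deny and the session fails.

```python
"""Model of a Catalyst VACL: 'match ip address <acl>' + 'action forward'.
Wildcard-mask matching, first match wins, implicit deny at the end.
Example code for this thread; constructed hosts and packets."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip"
    src: Tuple[int, int]  # (address, wildcard) as 32-bit integers
    sport: Optional[int]  # port from 'eq N' after the source, if any
    dst: Tuple[int, int]
    dport: Optional[int]  # port from 'eq N' after the destination, if any


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(IPv4Address(tok)), int(IPv4Address(tokens[i + 1]))), i + 2


def _parse_port(tokens, i):
    """Only the 'eq N' operator is modelled (the one used in the thread)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse one ACE in the form shown in the thread, e.g.
    'permit tcp 10.10.10.0 0.0.0.255 any eq 22'."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)
    return Ace(action, proto, src, sport, dst, dport)


def _addr_match(addr_wc: Tuple[int, int], ip: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    addr, wc = addr_wc
    care = ~wc & 0xFFFFFFFF
    return (int(IPv4Address(ip)) & care) == (addr & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not _addr_match(ace.src, pkt.src) or not _addr_match(ace.dst, pkt.dst):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def vacl_forwards(acl: List[str], pkt: Packet) -> bool:
    """True if the access-map forwards the packet: the first matching ACE
    decides; no match means the ACL's implicit deny, so the VACL drops it."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


# The accepted solution's ACL (client -> server direction only).
ONE_WAY = ["permit tcp 10.10.10.0 0.0.0.255 any eq 22"]
# Same ACL with the return direction added (assumed reading of "both ways").
TWO_WAY = ONE_WAY + ["permit tcp 10.10.10.0 0.0.0.255 eq 22 10.10.10.0 0.0.0.255"]
# The MYACL entry from the later question.
MYACL = ["permit tcp any 20.20.20.0 0.0.0.255 eq 1500"]

# Constructed sample packets: an SSH request and its reply, an HTTP request,
# and a request/reply pair for the TCP/1500 service.
SSH_REQUEST = Packet("tcp", "10.10.10.5", 51000, "10.10.10.6", 22)
SSH_REPLY = Packet("tcp", "10.10.10.6", 22, "10.10.10.5", 51000)
HTTP_REQUEST = Packet("tcp", "10.10.10.5", 51001, "10.10.10.6", 80)
SVC_REQUEST = Packet("tcp", "20.20.20.5", 40000, "20.20.20.6", 1500)
SVC_REPLY = Packet("tcp", "20.20.20.6", 1500, "20.20.20.5", 40000)

if __name__ == "__main__":
    for name, acl in (("one-way", ONE_WAY), ("two-way", TWO_WAY)):
        print(name, "ssh request:", vacl_forwards(acl, SSH_REQUEST),
              "ssh reply:", vacl_forwards(acl, SSH_REPLY))
    print("MYACL 1500 request:", vacl_forwards(MYACL, SVC_REQUEST),
          "reply:", vacl_forwards(MYACL, SVC_REPLY))
```

Running it shows the one-way ACL forwarding the SSH SYN but dropping the SYN/ACK coming back from port 22, which is exactly why the 1500 service looked "blocked" even though the request direction was permitted; only the two-way list lets a session complete, and non-SSH traffic such as the HTTP request is still dropped by the implicit deny.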