11-22-2009 06:10 PM - edited 03-06-2019 08:41 AM
OK, here is my problem...
I have a VLAN (22) which is my security VLAN.
I have VLAN (16) which is our workstation VLAN.
Of course, I don't want all traffic from 16 going to 22. I ONLY want TWO hosts from my VLAN going to VLAN 22.
I know all about access lists, but every access list I try, going into the security VLAN or coming out, doesn't work.
My hosts (VLAN 16) are 172.16.100.103 and 172.16.100.100; both are 255.255.0.0.
The security VLAN is 22, the host is 172.22.1.2 and the subnet is 255.255.0.0.
What am I doing wrong? HELP!
This is the access list that I have created:
access-list 101 permit tcp 172.16.100.103 255.255.255.255 172.22.1.2 255.255.255.255
access-list 101 permit tcp 172.16.100.100 255.255.255.255 172.22.1.2 255.255.255.255
vlan 22
access-group 101 in
11-22-2009 09:22 PM
Hi,
At first look, your ACL seems to be wrong. ACLs use wildcard masks, so you need 0.0.0.0 to match a specific host.
Your ACL should be as below:
access-list 101 permit tcp
Also, the direction in which the ACL is applied seems to be wrong.
access-list 101 permit tcp 172.16.100.103 255.255.255.255 172.22.1.2 255.255.255.255
access-list 101 permit tcp 172.16.100.100 255.255.255.255 172.22.1.2 255.255.255.255
vlan 22
access-group 101 in
The above config will check packets coming into VLAN 22 with source 172.16.100.x and destination 172.22.1.2 (assuming you have changed the mask to 0.0.0.0). But traffic originating from VLAN 22 will have 172.22.1.2 as source and 172.16.100.x as destination.
So you need to modify the ACL as:
access-list 101 permit tcp 172.22.1.2 0.0.0.0 172.16.100.103 0.0.0.0
and apply it as below:
int vlan 22
access-group 101 in
or, if you want to restrict the traffic at the originating side itself (recommended), you need the following:
access-list 101 permit tcp 172.16.100.103 0.0.0.0 172.22.1.2 0.0.0.0
int vlan 16
access-group 101 in
HTH,
Nagendra
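To make the two points in the reply above concrete (wildcard-mask semantics and the direction an SVI ACL is evaluated in), here is a small simulator of IOS numbered-ACL matching. It is an added example, not code from the thread or from Cisco: the ACL lines are the poster's original entries and the corrected host-match form from the reply (the `host A` keyword is the IOS equivalent of `A 0.0.0.0`), the packets are constructed for illustration, and the VLAN subnets are the 172.16.0.0/16 and 172.22.0.0/16 ranges given in the thread. It also shows the caveat a practitioner would want: an ACL applied inbound on VLAN 16 that only permits the two hosts to 172.22.1.2 ends, like every IOS ACL, with an implicit deny, so every other packet sourced in VLAN 16 (to DNS, to the internet, to VLAN 17) is dropped unless further permit entries are added.

```python
# Added example (not from the thread): a small simulator of Cisco IOS numbered
# ACL matching. Wildcard masks, first-match evaluation and the implicit deny are
# real IOS semantics; the ACL lines and packets below are constructed samples.
import ipaddress

# ORIGINAL_ACL is the poster's ACL; FIXED_ACL is the host-match form from the
# reply, one entry in the 0.0.0.0 form and one in the equivalent 'host' form.
ORIGINAL_ACL = [
    "access-list 101 permit tcp 172.16.100.103 255.255.255.255 172.22.1.2 255.255.255.255",
    "access-list 101 permit tcp 172.16.100.100 255.255.255.255 172.22.1.2 255.255.255.255",
]
FIXED_ACL = [
    "access-list 101 permit tcp 172.16.100.103 0.0.0.0 172.22.1.2 0.0.0.0",
    "access-list 101 permit tcp host 172.16.100.100 host 172.22.1.2",
]

VLAN16 = "172.16.0.0/16"   # workstation VLAN subnet from the thread
VLAN22 = "172.22.0.0/16"   # security VLAN subnet from the thread


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _take_addr(parts, i):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD'); return (base, wildcard, next index)."""
    if parts[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if parts[i] == "host":
        return parts[i + 1], "0.0.0.0", i + 2
    return parts[i], parts[i + 1], i + 2


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST'; port qualifiers are ignored."""
    parts = line.split()
    if parts[0] != "access-list":
        raise ValueError("not an access-list entry: " + line)
    action, proto = parts[2], parts[3]
    src, swc, i = _take_addr(parts, 4)
    dst, dwc, _ = _take_addr(parts, i)
    return action, proto, src, swc, dst, dwc


def evaluate(acl, proto, src, dst):
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for line in acl:
        action, aproto, sbase, swc, dbase, dwc = parse_ace(line)
        if aproto not in ("ip", proto):
            continue
        if wildcard_match(src, sbase, swc) and wildcard_match(dst, dbase, dwc):
            return action
    return "deny"  # the implicit deny that ends every IOS ACL


def inbound_on_svi(acl, vlan_subnet, proto, src, dst):
    """Model 'ip access-group ACL in' on an SVI: inbound means packets arriving from
    hosts in that VLAN, so only packets sourced in the VLAN's subnet are checked here."""
    if ipaddress.IPv4Address(src) not in ipaddress.IPv4Network(vlan_subnet):
        return "not-seen-inbound"
    return evaluate(acl, proto, src, dst)


if __name__ == "__main__":
    # 1. A 255.255.255.255 wildcard makes every bit 'don't care': the poster's
    #    entries permit any TCP packet, while ICMP (ping) falls to the implicit deny.
    print(evaluate(ORIGINAL_ACL, "tcp", "172.16.5.5", "172.22.9.9"))       # permit
    print(evaluate(ORIGINAL_ACL, "icmp", "172.16.100.103", "172.22.1.2"))  # deny
    # 2. Direction: inbound on Vlan22 the ACL only sees packets sourced in
    #    172.22.0.0/16, which the corrected entries never match.
    print(inbound_on_svi(FIXED_ACL, VLAN22, "tcp", "172.22.1.2", "172.16.100.103"))  # deny
    print(inbound_on_svi(FIXED_ACL, VLAN22, "tcp", "172.16.100.103", "172.22.1.2"))  # not-seen-inbound
    # 3. Inbound on Vlan16 the two hosts reach 172.22.1.2, nobody else does, and
    #    because of the implicit deny no other VLAN 16 traffic goes anywhere either.
    print(inbound_on_svi(FIXED_ACL, VLAN16, "tcp", "172.16.100.103", "172.22.1.2"))  # permit
    print(inbound_on_svi(FIXED_ACL, VLAN16, "tcp", "172.16.100.50", "172.22.1.2"))   # deny
    print(inbound_on_svi(FIXED_ACL, VLAN16, "udp", "172.16.100.50", "172.17.2.2"))   # deny
```

Scenario 3 is the one to check before applying the recommended VLAN 16 inbound ACL on a production switch: add the permits for the traffic VLAN 16 legitimately needs (or a final `permit ip any any` after explicit denies toward 172.22.0.0/16), otherwise the implicit deny takes the whole workstation VLAN off the network.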
11-23-2009 06:01 AM
Hey there,
Thanks for your reply, but that still didn't work. I completed the VLAN 22 access-group in just like you told me, but I still can't get traffic. Here is a copy of my config. If I take the gateway off VLAN 22, then no one can get to it, but if I leave the 172.22.0.1 on the VLAN as the gateway, then everyone can get to it. That's what I don't want. That's our security VLAN. I only want TWO hosts to be able to get to the VLAN 22 host and that's it.
switch 1 provision ws-c3750g-12s
switch 2 provision ws-c3750g-48ts
switch 3 provision ws-c3750g-48ts
ip subnet-zero
ip routing
ip cef load-sharing algorithm universal 89711B15
ip name-server 172.17.2.2
!
cluster enable MDF_Cluster 0
!
mls qos map cos-dscp 0 8 16 26 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 2 threshold 1 2
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3 3 5
mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 32
mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
!
vlan access-map VLAN_50_Restrict_Map 10
action drop
match ip address VLAN_17_Restrict_ACL
vlan access-map VLAN_50_Restrict_Map 20
action forward
vlan access-map VLAN_17_Restrict_Map 10
action drop
match ip address VLAN_50_Restrict_ACL
vlan access-map VLAN_17_Restrict_Map 20
action forward
vlan internal allocation policy ascending
!
class-map match-any VoIP
match ip dscp ef
!
!
policy-map VoIP_Qos
class VoIP
trust dscp
!
!
!
interface Port-channel1
description Layer 2 Etherchannel trunk to IDF1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
!
interface Port-channel2
description Layer 2 Etherchannel trunk to IDF2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40,47
switchport mode trunk
!
interface Port-channel3
description Layer 2 Etherchannel trunk to IDF3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
!
interface Port-channel4
description Layer 2 Etherchannel trunk to IDF4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40,48
switchport mode trunk
!
interface GigabitEthernet1/0/1
description Member Layer 2 Etherchannel - IDF1 Gig1/0/49
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/0/2
description Member Layer 2 Etherchannel - IDF1 Gig1/0/50
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/0/3
description Member Layer 2 Etherchanell - IDF2 Gig1/0/49
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40,47
switchport mode trunk
channel-group 2 mode active
!
interface GigabitEthernet1/0/4
description Member Layer 2 Etherchanell - IDF2 Gig1/0/50
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40,47
switchport mode trunk
channel-group 2 mode active
!
interface GigabitEthernet1/0/5
description Member Layer 2 Etherchannel - IDF3 - Gig1/0/49
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
channel-group 3 mode active
!
interface GigabitEthernet1/0/6
description Member Layer 2 Etherchannel - IDF3 - Gig1/0/50
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
channel-group 3 mode active
!
interface GigabitEthernet1/0/7
description Member Layer 2 Etherchannel - IDF4 Gig1/0/49
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40,48
switchport mode trunk
channel-group 4 mode active
!
interface GigabitEthernet1/0/8
description Member Layer 2 Etherchannel - IDF4 Gig1/0/50
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40,48
switchport mode trunk
channel-group 4 mode active
!
interface GigabitEthernet1/0/9
description Trunk to IDF5 - Gig1/0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
!
interface GigabitEthernet1/0/10
description Trunk to IDF6 - Gig1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/11
description Trunk to IDF7 - Gig1/0/49
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,21,50-52,54
switchport mode trunk
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet2/0/1
description Metro to HIMG 20th Street
no switchport
ip address 172.31.0.1 255.255.255.252
service-policy input VoIP_Qos
duplex full
speed 100
!
interface GigabitEthernet2/0/2
no switchport
ip address 172.31.0.18 255.255.255.252
service-policy input VoIP_Qos
duplex full
!
interface GigabitEthernet2/0/3
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/4
description mn-trans-25
switchport access vlan 16
spanning-tree portfast
!
interface GigabitEthernet2/0/5
description Ovation APP NIC 1
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/6
description Ovation APP NIC 2
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/7
description Ovation VQ
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/8
description Ovation DB
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/9
description AIX
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/10
description AIX Imaging
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/11
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/12
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/13
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/14
description Huntingt-CRLl06
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/15
description Intergy Server
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/16
description Intergy Server
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/17
description MN-IS-TS8
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/18
description CQ-Faxserver
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/19
description HIMGNET
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/20
description CQ-MTSERVER
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/21
switchport access vlan 16
spanning-tree portfast
!
interface GigabitEthernet2/0/22
description Fileserver1
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/23
description PAserver
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/24
description Solomonsvr
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/25
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/26
description Solomonsvr2
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/27
description INS_WEB_SERVER
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/28
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/29
description MN-IS-TS2
switchport access vlan 16
spanning-tree portfast
!
interface GigabitEthernet2/0/30
description CQ-Wordserver
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/31
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/32
description MN-IS-TS4
switchport access vlan 16
spanning-tree portfast
interface GigabitEthernet2/0/33
switchport access vlan 23
duplex full
speed 100
spanning-tree portfast
!
interface GigabitEthernet2/0/34
switchport access vlan 23
duplex full
speed 100
spanning-tree portfast
!
interface GigabitEthernet2/0/35
switchport access vlan 23
duplex full
speed 100
spanning-tree portfast
!
interface GigabitEthernet2/0/36
description AVAYA01
switchport access vlan 23
duplex full
speed 100
spanning-tree portfast
!
interface GigabitEthernet2/0/37
switchport access vlan 23
duplex full
speed 100
spanning-tree portfast
!
interface GigabitEthernet2/0/38
switchport access vlan 23
duplex full
speed 100
spanning-tree portfast
!
interface GigabitEthernet2/0/39
switchport access vlan 24
spanning-tree portfast
!
interface GigabitEthernet2/0/40
switchport access vlan 24
spanning-tree portfast
!
interface GigabitEthernet2/0/41
switchport access vlan 24
spanning-tree portfast
!
interface GigabitEthernet2/0/42
description MN-IS-TS3
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/43
description MN-IS-TS1
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/44
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/45
description Nurse Call Application Server
switchport access vlan 18
spanning-tree portfast
!
interface GigabitEthernet2/0/46
description Nurse Call Web Server
switchport access vlan 18
spanning-tree portfast
!
interface GigabitEthernet2/0/47
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/48
description PACS
switchport trunk encapsulation dot1q
switchport trunk native vlan 21
switchport mode trunk
duplex full
!
interface GigabitEthernet2/0/49
!
interface GigabitEthernet2/0/50
!
interface GigabitEthernet2/0/51
!
interface GigabitEthernet2/0/52
!
interface GigabitEthernet3/0/1
switchport access vlan 22
spanning-tree portfast
!
interface GigabitEthernet3/0/2
switchport access vlan 22
spanning-tree portfast
!
interface GigabitEthernet3/0/3
switchport access vlan 22
spanning-tree portfast
!
interface GigabitEthernet3/0/4
switchport access vlan 22
spanning-tree portfast
!
interface GigabitEthernet3/0/5
description MedPark Security DVR
switchport access vlan 50
spanning-tree portfast
!
interface GigabitEthernet3/0/6
switchport access vlan 22
spanning-tree portfast
!
interface GigabitEthernet3/0/7
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/8
description INT-APP2
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/9
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/10
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/11
description IPSTATION
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/12
description Security System
switchport access vlan 22
spanning-tree portfast
!
interface GigabitEthernet3/0/13
description MDF-WAP1
switchport trunk encapsulation dot1q
switchport trunk native vlan 21
switchport mode trunk
switchport nonegotiate
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
queue-set 2
mls qos trust cos
macro description cisco-wireless
auto qos voip trust
spanning-tree bpduguard enable
!
interface GigabitEthernet3/0/14
!
interface GigabitEthernet3/0/15
description TRAININGSERVER
switchport access vlan 17
!
interface GigabitEthernet3/0/16
description HP-SCAN-13
switchport access vlan 17
!
interface GigabitEthernet3/0/17
switchport access vlan 17
!
interface GigabitEthernet3/0/18
description Trunk Link to ASA switchport 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast disable
!
interface GigabitEthernet3/0/19
switchport access vlan 50
spanning-tree portfast disable
!
interface GigabitEthernet3/0/20
switchport access vlan 51
spanning-tree portfast disable
!
interface GigabitEthernet3/0/21
switchport access vlan 52
spanning-tree portfast disable
!
interface GigabitEthernet3/0/22
description Link to Inside Interface on Concentrator
switchport access vlan 17
spanning-tree portfast disable
!
interface GigabitEthernet3/0/23
switchport access vlan 51
!
interface GigabitEthernet3/0/24
switchport access vlan 49
!
interface GigabitEthernet3/0/25
switchport access vlan 49
!
interface GigabitEthernet3/0/26
description Cafe Firewall
switchport access vlan 48
!
interface GigabitEthernet3/0/27
description MN-IS-FSDC2
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/28
description MN-IS-NAS
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/29
description MN-IS-DC1
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/30
description MN-IS-TS5
switchport access vlan 16
spanning-tree portfast
!
interface GigabitEthernet3/0/31
switchport access vlan 17
!
interface GigabitEthernet3/0/32
description INT-APP1
switchport access vlan 17
!
interface GigabitEthernet3/0/33
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/34
description MN-IS-TS7
switchport access vlan 16
!
interface GigabitEthernet3/0/35
description CITRIXPROVISION
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/36
!
interface GigabitEthernet3/0/37
switchport access vlan 17
!
interface GigabitEthernet3/0/38
!
interface GigabitEthernet3/0/39
description FAXSERVER
switchport access vlan 17
!
interface GigabitEthernet3/0/40
switchport access vlan 16
!
interface GigabitEthernet3/0/41
!
interface GigabitEthernet3/0/42
!
interface GigabitEthernet3/0/43
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/44
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/45
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/46
description LAN PORT BARRACUDA
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/47
switchport access vlan 25
spanning-tree portfast
!
interface GigabitEthernet3/0/48
switchport access vlan 16
spanning-tree portfast
!
interface GigabitEthernet3/0/49
!
interface GigabitEthernet3/0/50
!
interface GigabitEthernet3/0/51
!
interface GigabitEthernet3/0/52
!
interface Vlan1
no ip address
shutdown
!
interface Vlan15
no ip address
!
interface Vlan16
description VLAN for Workstations
ip address 172.16.1.140 255.255.0.0 secondary
ip address 172.16.0.1 255.255.0.0
ip helper-address 172.17.2.2
ip helper-address 172.17.2.60
!
interface Vlan17
description Data VLAN
ip address 172.17.0.1 255.255.0.0
ip directed-broadcast
!
interface Vlan18
description Nurse Call VLAN
ip address 172.18.0.1 255.255.0.0
!
interface Vlan20
description Secure Wireless VLAN
ip address 172.20.0.1 255.255.0.0
ip helper-address 172.17.2.2
ip helper-address 172.17.2.60
!
interface Vlan21
description Management VLAN
ip address 172.21.0.1 255.255.255.0
!
interface Vlan22
description Security_System
no ip address
!
interface Vlan23
description Avaya_Data
ip address 172.23.0.1 255.255.0.0
!
interface Vlan24
description Avaya_Voice
ip address 172.24.0.1 255.255.0.0
!
interface Vlan25
no ip address
!
interface Vlan28
no ip address
!
interface Vlan49
no ip address
!
interface Vlan50
description Pharmacy
no ip address
!
interface Vlan51
no ip address
!
ip default-gateway 172.17.0.2
ip classless
ip route 0.0.0.0 0.0.0.0 172.17.0.2
ip route 10.0.2.0 255.255.255.0 172.31.0.2
ip route 10.10.30.16 255.255.255.255 172.17.0.5
ip route 10.10.35.0 255.255.255.0 172.17.0.5
ip route 10.10.40.0 255.255.255.0 172.17.0.5
ip route 63.145.63.64 255.255.255.192 172.17.0.5
ip route 63.147.62.0 255.255.255.128 172.17.0.5
ip route 172.30.0.0 255.255.0.0 172.17.0.5
ip route 172.30.1.128 255.255.255.240 172.17.0.2
ip route 172.40.3.0 255.255.255.224 172.17.0.2
ip route 172.40.3.160 255.255.255.224 172.17.0.2
ip route 192.68.49.0 255.255.255.0 172.17.0.5
ip http server
!
!
ip access-list extended VLAN_17_Restrict_ACL
permit ip 172.17.0.0 0.0.255.255 any
ip access-list extended VLAN_50_Restrict_ACL
permit ip 172.50.0.0 0.0.255.255 any
!
access-list 111 permit ip any any
route-map TEMP_Websense_Test permit 10
match ip address 111
set ip next-hop 172.17.0.8
!
!
control-plane
!
!
!
ntp clock-period 36028763
ntp server 198.82.1.201 prefer
ntp server 198.82.1.203
ntp server 198.82.1.202
!
end
11-23-2009 07:26 AM
Hi,
Can you post the updated config? I am not seeing any ACL config related to VLAN 22 in the posted config.
Regards,
Nagendra
11-23-2009 08:39 AM
Here you go. I appreciate your help.
no aaa new-model
clock timezone est -5
clock summer-time est recurring
switch 1 provision ws-c3750g-12s
switch 2 provision ws-c3750g-48ts
switch 3 provision ws-c3750g-48ts
ip subnet-zero
ip routing
ip cef load-sharing algorithm universal 89711B15
ip host burke 172.16.4.65
ip name-server 172.17.2.2
!
cluster enable MDF_Cluster 0
!
mls qos map cos-dscp 0 8 16 26 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 2 threshold 1 2
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3 3 5
mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 32
mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
!
vlan access-map VLAN_50_Restrict_Map 10
action drop
match ip address VLAN_17_Restrict_ACL
vlan access-map VLAN_50_Restrict_Map 20
action forward
vlan access-map VLAN_17_Restrict_Map 10
action drop
match ip address VLAN_50_Restrict_ACL
vlan access-map VLAN_17_Restrict_Map 20
action forward
vlan internal allocation policy ascending
!
class-map match-any VoIP
match ip dscp ef
!
!
policy-map VoIP_Qos
class VoIP
trust dscp
!
!
!
interface Port-channel1
description Layer 2 Etherchannel trunk to IDF1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
!
interface Port-channel2
description Layer 2 Etherchannel trunk to IDF2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40,47
switchport mode trunk
!
interface Port-channel3
description Layer 2 Etherchannel trunk to IDF3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
!
interface Port-channel4
description Layer 2 Etherchannel trunk to IDF4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40,48
switchport mode trunk
!
interface GigabitEthernet1/0/1
description Member Layer 2 Etherchannel - IDF1 Gig1/0/49
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/0/2
description Member Layer 2 Etherchannel - IDF1 Gig1/0/50
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/0/3
description Member Layer 2 Etherchanell - IDF2 Gig1/0/49
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40,47
switchport mode trunk
channel-group 2 mode active
!
interface GigabitEthernet1/0/4
description Member Layer 2 Etherchanell - IDF2 Gig1/0/50
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40,47
switchport mode trunk
channel-group 2 mode active
!
interface GigabitEthernet1/0/5
description Member Layer 2 Etherchannel - IDF3 - Gig1/0/49
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
channel-group 3 mode active
!
interface GigabitEthernet1/0/6
description Member Layer 2 Etherchannel - IDF3 - Gig1/0/50
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
channel-group 3 mode active
!
interface GigabitEthernet1/0/7
description Member Layer 2 Etherchannel - IDF4 Gig1/0/49
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40,48
switchport mode trunk
channel-group 4 mode active
!
interface GigabitEthernet1/0/8
description Member Layer 2 Etherchannel - IDF4 Gig1/0/50
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40,48
switchport mode trunk
channel-group 4 mode active
!
interface GigabitEthernet1/0/9
description Trunk to IDF5 - Gig1/0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
!
interface GigabitEthernet1/0/10
description Trunk to IDF6 - Gig1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/11
description Trunk to IDF7 - Gig1/0/49
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,21,50-52,54
switchport mode trunk
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet2/0/1
description Metro to HIMG 20th Street
no switchport
ip address 172.31.0.1 255.255.255.252
service-policy input VoIP_Qos
duplex full
speed 100
!
interface GigabitEthernet2/0/2
no switchport
ip address 172.31.0.18 255.255.255.252
service-policy input VoIP_Qos
duplex full
!
interface GigabitEthernet2/0/3
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/4
description mn-trans-25
switchport access vlan 16
spanning-tree portfast
!
interface GigabitEthernet2/0/5
description Ovation APP NIC 1
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/6
description Ovation APP NIC 2
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/7
description Ovation VQ
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/8
description Ovation DB
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/9
description AIX
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/10
description AIX Imaging
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/11
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/12
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/13
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/14
description Huntingt-CRLl06
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/15
description Intergy Server
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/16
description Intergy Server
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/17
description MN-IS-TS8
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/18
description CQ-Faxserver
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/19
description HIMGNET
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/20
description CQ-MTSERVER
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/21
switchport access vlan 16
spanning-tree portfast
!
interface GigabitEthernet2/0/22
description Fileserver1
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/23
description PAserver
switchport access vlan 17
spanning-tree portfast
interface GigabitEthernet2/0/24
description Solomonsvr
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/25
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/26
description Solomonsvr2
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/27
description INS_WEB_SERVER
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/28
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/29
description MN-IS-TS2
switchport access vlan 16
spanning-tree portfast
!
interface GigabitEthernet2/0/30
description CQ-Wordserver
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/31
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/32
description MN-IS-TS4
switchport access vlan 16
spanning-tree portfast
!
interface GigabitEthernet2/0/33
switchport access vlan 23
duplex full
speed 100
spanning-tree portfast
!
interface GigabitEthernet2/0/34
switchport access vlan 23
duplex full
speed 100
spanning-tree portfast
!
interface GigabitEthernet2/0/35
switchport access vlan 23
duplex full
speed 100
spanning-tree portfast
interface GigabitEthernet2/0/36
description AVAYA01
switchport access vlan 23
duplex full
speed 100
spanning-tree portfast
!
interface GigabitEthernet2/0/37
switchport access vlan 23
duplex full
speed 100
spanning-tree portfast
!
interface GigabitEthernet2/0/38
switchport access vlan 23
duplex full
speed 100
spanning-tree portfast
!
interface GigabitEthernet2/0/39
switchport access vlan 24
spanning-tree portfast
!
interface GigabitEthernet2/0/40
switchport access vlan 24
spanning-tree portfast
!
interface GigabitEthernet2/0/41
switchport access vlan 24
spanning-tree portfast
!
interface GigabitEthernet2/0/42
description MN-IS-TS3
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/43
description MN-IS-TS1
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/44
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/45
description Nurse Call Application Server
switchport access vlan 18
spanning-tree portfast
!
interface GigabitEthernet2/0/46
description Nurse Call Web Server
switchport access vlan 18
spanning-tree portfast
!
interface GigabitEthernet2/0/47
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/48
description PACS
switchport trunk encapsulation dot1q
switchport trunk native vlan 21
switchport mode trunk
duplex full
!
interface GigabitEthernet2/0/49
!
interface GigabitEthernet2/0/50
!
interface GigabitEthernet2/0/51
!
interface GigabitEthernet2/0/52
!
interface GigabitEthernet3/0/1
switchport access vlan 22
spanning-tree portfast
!
interface GigabitEthernet3/0/2
switchport access vlan 22
spanning-tree portfast
!
interface GigabitEthernet3/0/3
switchport access vlan 22
spanning-tree portfast
!
interface GigabitEthernet3/0/4
switchport access vlan 22
spanning-tree portfast
!
interface GigabitEthernet3/0/5
description MedPark Security DVR
switchport access vlan 50
spanning-tree portfast
!
interface GigabitEthernet3/0/6
switchport access vlan 22
spanning-tree portfast
!
interface GigabitEthernet3/0/7
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/8
description INT-APP2
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/9
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/10
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/11
description IPSTATION
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/12
description Security System
switchport access vlan 22
spanning-tree portfast
!
interface GigabitEthernet3/0/13
description MDF-WAP1
switchport trunk encapsulation dot1q
switchport trunk native vlan 21
switchport mode trunk
switchport nonegotiate
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
queue-set 2
mls qos trust cos
macro description cisco-wireless
auto qos voip trust
spanning-tree bpduguard enable
!
interface GigabitEthernet3/0/14
!
interface GigabitEthernet3/0/15
description TRAININGSERVER
switchport access vlan 17
!
interface GigabitEthernet3/0/16
description HP-SCAN-13
switchport access vlan 17
!
interface GigabitEthernet3/0/17
switchport access vlan 17
!
interface GigabitEthernet3/0/18
description Trunk Link to ASA switchport 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast disable
!
interface GigabitEthernet3/0/19
switchport access vlan 50
spanning-tree portfast disable
!
interface GigabitEthernet3/0/20
switchport access vlan 51
spanning-tree portfast disable
!
interface GigabitEthernet3/0/21
switchport access vlan 52
spanning-tree portfast disable
!
interface GigabitEthernet3/0/22
description Link to Inside Interface on Concentrator
switchport access vlan 17
spanning-tree portfast disable
!
interface GigabitEthernet3/0/23
switchport access vlan 51
!
interface GigabitEthernet3/0/24
switchport access vlan 49
!
interface GigabitEthernet3/0/25
switchport access vlan 49
!
interface GigabitEthernet3/0/26
description Cafe Firewall
switchport access vlan 48
!
interface GigabitEthernet3/0/27
description MN-IS-FSDC2
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/28
description MN-IS-NAS
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/29
description MN-IS-DC1
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/30
description MN-IS-TS5
switchport access vlan 16
spanning-tree portfast
!
interface GigabitEthernet3/0/31
switchport access vlan 17
!
interface GigabitEthernet3/0/32
description INT-APP1
switchport access vlan 17
!
interface GigabitEthernet3/0/33
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/34
description MN-IS-TS7
switchport access vlan 16
!
interface GigabitEthernet3/0/35
description CITRIXPROVISION
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/36
!
interface GigabitEthernet3/0/37
switchport access vlan 17
!
interface GigabitEthernet3/0/38
!
interface GigabitEthernet3/0/39
description FAXSERVER
switchport access vlan 17
!
interface GigabitEthernet3/0/40
switchport access vlan 16
!
interface GigabitEthernet3/0/41
!
interface GigabitEthernet3/0/42
!
interface GigabitEthernet3/0/43
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/44
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/45
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/46
description LAN PORT BARRACUDA
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/47
switchport access vlan 25
spanning-tree portfast
!
interface GigabitEthernet3/0/48
switchport access vlan 16
spanning-tree portfast
!
interface GigabitEthernet3/0/49
!
interface GigabitEthernet3/0/50
!
interface GigabitEthernet3/0/51
!
interface GigabitEthernet3/0/52
!
interface Vlan1
no ip address
shutdown
!
interface Vlan15
no ip address
!
interface Vlan16
description VLAN for Workstations
ip address 172.16.1.140 255.255.0.0 secondary
ip address 172.16.0.1 255.255.0.0
ip helper-address 172.17.2.2
ip helper-address 172.17.2.60
!
interface Vlan17
description Data VLAN
ip address 172.17.0.1 255.255.0.0
ip directed-broadcast
!
interface Vlan18
description Nurse Call VLAN
ip address 172.18.0.1 255.255.0.0
!
interface Vlan20
description Secure Wireless VLAN
ip address 172.20.0.1 255.255.0.0
ip helper-address 172.17.2.2
ip helper-address 172.17.2.60
!
interface Vlan21
description Management VLAN
ip address 172.21.0.1 255.255.255.0
!
interface Vlan22
description Security_System
ip address 172.22.0.1 255.255.0.0
ip access-group 122 in
!
interface Vlan23
description Avaya_Data
ip address 172.23.0.1 255.255.0.0
!
interface Vlan24
description Avaya_Voice
ip address 172.24.0.1 255.255.0.0
!
interface Vlan25
no ip address
!
interface Vlan28
no ip address
!
interface Vlan49
no ip address
!
interface Vlan50
description Pharmacy
no ip address
!
interface Vlan51
no ip address
!
ip default-gateway 172.17.0.2
ip classless
ip route 0.0.0.0 0.0.0.0 172.17.0.2
ip route 10.0.2.0 255.255.255.0 172.31.0.2
ip route 10.10.30.16 255.255.255.255 172.17.0.5
ip route 10.10.35.0 255.255.255.0 172.17.0.5
ip route 10.10.40.0 255.255.255.0 172.17.0.5
ip route 63.145.63.64 255.255.255.192 172.17.0.5
ip route 63.147.62.0 255.255.255.128 172.17.0.5
ip route 172.30.0.0 255.255.0.0 172.17.0.5
ip route 172.30.1.128 255.255.255.240 172.17.0.2
ip route 172.40.3.0 255.255.255.224 172.17.0.2
ip route 172.40.3.160 255.255.255.224 172.17.0.2
ip route 192.68.49.0 255.255.255.0 172.17.0.5
ip http server
!
!
ip access-list extended VLAN_17_Restrict_ACL
permit ip 172.17.0.0 0.0.255.255 any
ip access-list extended VLAN_50_Restrict_ACL
permit ip 172.50.0.0 0.0.255.255 any
!
access-list 111 permit ip any any
access-list 122 permit tcp host 172.22.1.2 host 172.16.100.103
access-list 122 permit tcp host 172.22.1.2 host 172.16.100.100
route-map TEMP_Websense_Test permit 10
match ip address 111
set ip next-hop 172.17.0.8
!
snmp-server community avaya RO
snmp-server community avaya@es0 RO
snmp-server community himg-snmp RO
snmp-server community !neTtdw1 RW
snmp-server community !neTtdw1@es0 RW
!
control-plane
!
!
line con 0
line vty 0 4
password 7 134419173F18003D7A
login
length 0
line vty 5 15
password 7 134419173F18003D7A
login
11-23-2009 08:44 AM
Hey, it's working now?!
I just tested by ping before and I couldn't get there, but if I remote in there by using DameWare, I am able to access. I had a brain freeze. ICMP isn't TCP bound.... sorry for that.... I am in thanks to your configuration..... thank you!!!!!!
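The behaviour described in that last post follows directly from how IOS evaluates a numbered extended ACL, and it is worth seeing it worked through rather than taken on faith. The following Python script is an added example, not code from the thread or from Cisco: it models the wildcard-mask matching, first-match-wins ordering and implicit deny of an IOS ACL, loads the two `access-list 122` lines exactly as they appear in the posted configuration, and runs a few constructed packets through them as if they were arriving inbound on `interface Vlan22` (which is where `ip access-group 122 in` places the check). Port numbers, the `established` keyword and other qualifiers are deliberately not modelled; the sample packets and the third-host address 172.16.100.50 are invented for the demonstration. The run shows why a TCP session from 172.16.100.103 works while a ping does not: the ICMP echo reply from 172.22.1.2 is not TCP and falls through to the implicit deny. It also shows two caveats a practitioner should weigh: every other host in VLAN 22 (Gi3/0/1-4 and Gi3/0/6 are in that VLAN as well) is cut off entirely by this ACL, and a workstation that is not one of the two permitted hosts can still deliver packets to 172.22.1.2, only the replies are dropped, so filtering at the source VLAN stops that traffic earlier.

```python
"""Added example: simulate IOS extended-ACL evaluation for access-list 122
from the posted config. Wildcard semantics: a 1 bit in the wildcard means
"don't care", so 0.0.0.0 (or 'host') is an exact host, 0.0.255.255 is a /16,
and a subnet mask such as 255.255.255.255 typed where a wildcard belongs
matches every address. Packets below are constructed for the demo."""
import ipaddress
from dataclasses import dataclass

# Copied verbatim from the posted running-config.
ACL_122 = [
    "access-list 122 permit tcp host 172.22.1.2 host 172.16.100.103",
    "access-list 122 permit tcp host 172.22.1.2 host 172.16.100.100",
]


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches every protocol
    src: int
    src_wc: int  # wildcard mask as an int; 1 bits are ignored in the compare
    dst: int
    dst_wc: int


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr: str, net: int, wildcard: int) -> bool:
    """Compare only the bits that are 0 in the wildcard (IOS semantics)."""
    care = ~wildcard & 0xFFFFFFFF
    return (_addr(addr) & care) == (net & care)


def _parse_addr_spec(tokens: list, i: int):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'.
    Returns ((network, wildcard), index of the next unread token)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_addr(tokens[i + 1]), 0), i + 2
    return (_addr(tokens[i]), _addr(tokens[i + 1])), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO SRC DST' (no port qualifiers)."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = tok[2], tok[3]
    (src, src_wc), i = _parse_addr_spec(tok, 4)
    (dst, dst_wc), _ = _parse_addr_spec(tok, i)
    return Ace(action, proto, src, src_wc, dst, dst_wc)


def evaluate(acl_lines: list, pkt: Packet) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace.proto not in ("ip", pkt.proto):
            continue
        if wildcard_match(pkt.src, ace.src, ace.src_wc) and \
                wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"  # the implicit 'deny ip any any' at the end of every IOS ACL


def inbound_on_vlan22(pkt: Packet) -> str:
    """'ip access-group 122 in' on interface Vlan22 checks packets entering the
    SVI, i.e. packets sourced by VLAN 22 hosts and bound for other VLANs."""
    return evaluate(ACL_122, pkt)


def demo() -> dict:
    """Constructed packets, all as seen inbound on Vlan22 (source is in 172.22.0.0/16)."""
    cases = {
        # DameWare: the workstation's SYN is never filtered; the SYN-ACK back is permitted.
        "tcp reply to allowed host": Packet("tcp", "172.22.1.2", "172.16.100.103"),
        # ping: the echo request goes out unfiltered, but the echo reply is ICMP, not TCP.
        "icmp echo reply": Packet("icmp", "172.22.1.2", "172.16.100.103"),
        # a third workstation (invented address) can reach 172.22.1.2 but gets no reply back.
        "tcp reply to other host": Packet("tcp", "172.22.1.2", "172.16.100.50"),
        # any other VLAN 22 host (invented address) is denied everything by this ACL.
        "other vlan22 host": Packet("tcp", "172.22.1.9", "172.16.100.103"),
    }
    return {name: inbound_on_vlan22(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} -> {verdict}")
```

If ping must work for the two hosts, an explicit `permit icmp host 172.22.1.2 host 172.16.100.103` (and the same for .100) ahead of the implicit deny is the minimal change; everything else, including other VLAN 22 hosts, stays dropped unless it is listed.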