VLAN Access List

Hi to all.

I have the following situation. One PC from a specific VLAN in HQ needs access to devices at 200 locations which are on non-contiguous networks (so I can't use network summarization in the ACL). Also, that PC uses many different ports to access those devices, so I can't use TCP port restrictions in the ACL either. But all devices at the locations are marked with DSCP AF41 when traffic is destined to that PC in HQ, so my idea is to restrict traffic using an ACL with DSCP. The goal is that all devices at the locations are limited to communicating only with the PC in HQ, and the PC in HQ needs to be limited to communicating only with the devices at the remote locations. I need to restrict that PC from accessing other VLANs on the same ML switch, other networks in HQ, etc.

So, to make this clearer, here is the network and the ACL:

Remote location's device IP:

! ACL first, then the class-map that references it, then the policy-map
ip access-list extended QoS-restrict
 permit ip any host
!
class-map match-any RESTRICT
 match access-group name QoS-restrict
!
! "set dscp" lives under a class; RESTRICT is the class defined above
policy-map MARKING
 class RESTRICT
  set dscp af41



| Tunnel (remote location to HQ)



Multilayer switch:

! ACL defined first, then applied outbound on the VLAN90 SVI
ip access-list extended restrict-in
 10 permit ip any host dscp af41
 20 deny ip any any
!
interface Vlan90
 ip access-group restrict-in out

With this configuration, access to VLAN90 from other VLANs on the multilayer switch is impossible, and access from  is successful, so this part is OK. But when I initiate traffic from VLAN90 to, i.e., some address on VLAN10 on the ML switch, it is ALLOWED. I am 100% sure that the initiated traffic does not have any DSCP values. Why does the ACL not block incoming traffic without AF41 coming to the VLAN? If the answer is "but that traffic is initiated from VLAN90 and the ACL treats that traffic as 'established', so it is permitted", how can I solve this?

Sorry for the long post, but I just tried to clarify the issue as much as possible.

Thanks to all for constructive hints....
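As an added illustration of how ACL direction works on an SVI (this is not part of the original post, and the addresses 10.90.0.10 for the HQ PC and 10.10.0.0/24 for VLAN10 are assumptions), the following IOS fragment places the post's outbound ACL next to an inbound ACL on the same interface and annotates which traffic each one actually sees:

```cisco
! Added example, not the poster's configuration. Assumed addresses:
!   HQ PC on VLAN90 = 10.90.0.10, VLAN10 subnet = 10.10.0.0/24
!
! On an SVI, "in"/"out" is relative to the switch's routing engine, not to the hosts:
!   in  = packets entering the switch from hosts in VLAN90 (what the PC sends)
!   out = packets the switch forwards toward hosts in VLAN90 (what the PC receives)
!
! Outbound ACL as in the post. It only inspects traffic routed INTO VLAN90,
! so the PC's own outgoing packets are never evaluated by it; only replies
! coming back toward the PC are, and those must carry AF41 to pass.
ip access-list extended restrict-in
 10 permit ip any host 10.90.0.10 dscp af41
 20 deny ip any any
!
! Inbound ACL: this is the direction that sees traffic the PC itself originates.
! Here it blocks the PC from the VLAN10 subnet, logs the hits, and lets the
! rest through (remote destinations are non-contiguous, so no summarization).
ip access-list extended restrict-from-vlan90
 10 deny ip host 10.90.0.10 10.10.0.0 0.0.0.255 log
 20 permit ip host 10.90.0.10 any
 30 deny ip any any
!
interface Vlan90
 ip access-group restrict-in out
 ip access-group restrict-from-vlan90 in
!
! Verification: per-ACE match counters show which ACL and which direction saw a flow.
! show ip access-lists restrict-in
! show ip access-lists restrict-from-vlan90
```

When checking this, test against a host inside VLAN10 rather than the switch's own VLAN10 SVI address: IOS does not apply outbound ACLs to traffic the switch itself originates, so replies sent from an SVI address are not filtered by restrict-in, and the match counters above will show a hit only on the inbound ACL for that case.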
