05-29-2023 11:02 PM
Hi,
I am trying to create a VACL which allows only 10.116.14.0/26 IP addresses in VLAN 422, but after I configure the VACL, a client with IP address 10.116.14.2/26 stops pinging its gateway 10.116.14.1/26. It was pinging the gateway before I configured the VACL.
L3 switch is C3550 (c3550-ipservicesk9-mz.122-46.SE)
interface FastEthernet0/22
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface Vlan422
 ip address 10.116.14.1 255.255.255.192
!
vlan access-map IP422 10
 action forward
 match ip address 28
vlan access-map IP422 20
 action drop
!
vlan filter IP422 vlan-list 422
!
access-list 28 permit 10.116.14.0 0.0.0.63
The client is connected to a C2960X (c2960x-universalk9-mz.152-6.E).
interface GigabitEthernet1/0/1
 switchport access vlan 422
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport nonegotiate
If I remove "match ip address 28" from the vlan access-map, the client starts to ping again. I suspect that something is wrong with the access-list, but I cannot find anything wrong.
Could someone tell me what I am missing, please?
Thanks,
BAT
05-29-2023 11:11 PM
Hi
The syntax of this ACL seems weird.
Did you try something like this? Or maybe specify the source:
access-list 28 permit ip any 10.116.14.0 0.0.0.63
05-30-2023 12:38 AM
I tried a standard ACL and an extended ACL. All the same: the client can't ping the gateway.
vlan access-map IP422 10
 action forward
 match ip address 128 <--- or 129
vlan access-map IP422 20
 action drop
!
access-list 128 permit ip any 10.116.14.0 0.0.0.63
access-list 129 permit ip 10.116.14.0 0.0.0.63 any
05-29-2023 11:11 PM - edited 05-29-2023 11:21 PM
Hello @BAT MGL,
You need to modify your access-list and access-map configuration.
interface Vlan422
 ip address 10.116.14.1 255.255.255.192
!
vlan access-map IP422 10
 action drop
 match ip address 28
vlan access-map IP422 20
 action forward
!
vlan filter IP422 vlan-list 422
!
access-list 28 permit 10.116.14.0 0.0.0.63
access-list 28 deny any
Set the action of access-map sequence 10 to "drop" and of access-map sequence 20 to "forward". This way, traffic from the specified IP range (10.116.14.0/26) will be dropped, while other traffic will be forwarded.
05-30-2023 12:05 AM
But I want traffic from 10.116.14.0/26 IPs to be forwarded and all other traffic to be dropped. Your suggestion is exactly the opposite of what I want.
05-30-2023 04:27 AM
access-list 128 permit ip <GW IP > 10.116.14.0 0.0.0.63
access-list 129 permit ip 10.116.14.0 0.0.0.63 <GW IP>
Try it this way.
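Editor's note and added example, not part of the thread and not confirmed by any of the posters. Two facts about VLAN access maps explain the symptom in the original post without the ACL being wrong: an access-map sequence that has an action but no match clause matches every frame bridged in the VLAN, and an IP ACL (standard or extended) only ever matches IP packets. In the posted configuration, sequence 20 (action drop, no match) therefore also drops non-IP frames, including the ARP request the client must send to resolve 10.116.14.1 before any ICMP can flow. That is consistent with the ping failing identically with ACL 28, 128 or 129, and with it resuming as soon as the match clause is removed from sequence 10, because sequence 10 then forwards everything. One way to keep the intended IP policy while still letting ARP through is a MAC ACL matched by a sequence placed before the catch-all drop. The ACL name ARP-ONLY and sequence number 15 are my choices; the `permit any any 0x806 0x0` ethertype form is assumed to be accepted by this 3550 image and should be checked in the running configuration.

```cisco
! Added example (not from the thread). Assumes the platform accepts the
! ethertype/mask form below in a MAC ACL; verify after applying.
mac access-list extended ARP-ONLY
 permit any any 0x806 0x0
!
! Standard ACL: matches on SOURCE address only.
access-list 28 permit 10.116.14.0 0.0.0.63
!
vlan access-map IP422 10
 action forward
 match ip address 28
! Forward ARP explicitly; without this, the catch-all drop below eats it.
vlan access-map IP422 15
 action forward
 match mac address ARP-ONLY
! Catch-all: no match clause, so it matches every remaining frame.
vlan access-map IP422 20
 action drop
!
vlan filter IP422 vlan-list 422
```

Verify with `show vlan access-map IP422` and `show vlan filter`, then clear the client's ARP cache and retest the ping to 10.116.14.1. One further caveat a practitioner should expect: because ACL 28 is a standard ACL it matches source addresses, and a VLAN map filters all IP packets switched in the VLAN, so any packet routed into VLAN 422 from another subnet (source outside 10.116.14.0/26) is also dropped by sequence 20. If the clients need to reach anything beyond their own subnet, the permit rules need to cover that return traffic as well.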