07-13-2013 05:08 PM - edited 03-07-2019 02:23 PM
Scenario is :
vlan 210 must not access vlan 250
vlan 210 can access other vlans - 200, 914 and vlan 68
I tried to permit the addresses of the 3 VLANs (200, 914 and 68) on the VLAN 210 filter, but what happened is it can't access the 3 other VLANs either, even though they are permitted.
vlan 200 - 192.168.200.0
vlan 91 - 192.168.91.0
vlan 68 - 192.168.68.252
ip access-list extended VLAN-FILTER210
permit ip 192.168.210.0 0.0.0.255 192.168.250.0 0.0.0.255
ip access-list extended TRAFFIC-200-914-68
permit ip 192.168.210.0 0.0.0.255 192.168.200.0 0.0.0.255 <------- Network Address of VLAN 200
permit ip 192.168.210.0 0.0.0.255 192.168.91.0 0.0.0.255 <------- Network Address of VLAN 91
permit ip 192.168.210.0 0.0.0.255 192.168.68.252 0.0.0.3 <------- Network Address of VLAN 68
vlan access-map VLAN-FILTER-210 20
match ip address VLAN-FILTER210
action drop
vlan access-map VLAN-FILTER-210 10
match ip address TRAFFIC-200-914-68
action forward
vlan filter VLAN-FILTER-210 vlan-list 210
What did I do wrong?
07-15-2013 02:31 PM
Hi,
Why are you using a VACL to filter inter-VLAN traffic? A VACL is for filtering intra-VLAN traffic; for inter-VLAN traffic it is best to use a RACL applied on the SVI.
Regards
Alain
Don't forget to rate helpful posts.
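The RACL approach Alain describes, written out as an added example with the addresses from the original post (not configuration from the thread); the ACL name VLAN210-IN is assumed. Applied inbound on the VLAN 210 SVI, it only sees packets routed out of VLAN 210, so the replies coming back into VLAN 210 are not filtered by it, and the order of entries matters because the first match wins and an implicit deny follows the last line.

```cisco
! Added example: same policy as a RACL on the SVI instead of a VACL.
! Order matters: the deny for VLAN 250 goes before the permits.
ip access-list extended VLAN210-IN
 remark Block VLAN 210 -> VLAN 250
 deny   ip 192.168.210.0 0.0.0.255 192.168.250.0 0.0.0.255
 remark Allow VLAN 210 -> VLAN 200, VLAN 91 and the 192.168.68.252/30 range from the post
 permit ip 192.168.210.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.210.0 0.0.0.255 192.168.91.0  0.0.0.255
 permit ip 192.168.210.0 0.0.0.255 192.168.68.252 0.0.0.3
 remark Anything else from VLAN 210 hits the implicit deny ip any any
!
interface Vlan210
 ip access-group VLAN210-IN in
!
! Remove the VACL so it no longer drops traffic entering VLAN 210
no vlan filter VLAN-FILTER-210 vlan-list 210
```

After applying it, "show ip access-lists VLAN210-IN" shows per-entry match counters, which is the quickest way to confirm which line is catching the traffic.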
07-14-2013 12:26 AM
It seems your config is OK. Could you please post the result of "show vlan filter", "show vlan access-map" and "show vlan access-list"?
07-14-2013 12:32 AM
CORE_SWC#sho vlan access-map
Vlan access-map "VLAN-FILTER-210" 10
Match clauses:
ip address: TRAFFIC-200-914-68
Action:
forward
Vlan access-map "VLAN-FILTER-210" 20
Match clauses:
ip address: VLAN-FILTER210
Action:
drop
VLAN Map VLAN-FILTER-210 is filtering VLANs:
210
07-15-2013 02:24 PM
And one more thing, guys:
I replaced the network addresses with
ip access-list extended TRAFFIC-200-914-68
permit ip 192.168.210.0 0.0.0.255 192.168.200.0 0.0.0.255 <------- Network Address of VLAN 200
permit ip 192.168.210.0 0.0.0.255 192.168.91.0 0.0.0.255 <------- Network Address of VLAN 91
permit ip 192.168.210.0 0.0.0.255 192.168.68.252 0.0.0.3 <------- Network Address of VLAN 68
permit ip any any
And now it can ping other network addresses. How do I allow network addresses specifically? I tried to specifically add the said network addresses but it won't do; I don't know what I did wrong.
07-15-2013 02:37 PM
Hi cadet, thanks for the enlightenment. For clarification, I can use a VACL if I want to block telnet/RDP on the whole VLAN 200 network, right?
07-15-2013 02:41 PM
Hi,
Yes you can use a VACL to filter traffic between hosts in the same VLAN.
Regards
Alain
Don't forget to rate helpful posts.