VLAN ACL not working

radarbackwards
Level 1

I want to block everything in VLAN 210 from accessing VLAN 250 and vice versa, but it doesn't work.

ip access-list extended ALLOW_VLAN250
 permit ip any any
ip access-list extended BLOCK_VLAN210
 deny ip any any
 deny icmp any any
vlan access-map VLAN250MAP 250
 action forward
 match ip address ALLOW_VLAN250
vlan access-map VLAN250MAP 210
 action drop
 match ip address BLOCK_VLAN210
!
vlan filter VLAN250MAP vlan-list 210

Accepted Solution

Try this:

VLAN 210: 1.1.1.0/24
VLAN 250: 2.2.2.0/24

ip access-list extended VLAN-FILTER
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
ip access-list extended ANY-TRAFFIC
 permit ip any any
vlan access-map VLAN-FILTER-210 10
 match ip address VLAN-FILTER
 action drop log
vlan access-map VLAN-FILTER-210 20
 match ip address ANY-TRAFFIC
 action forward
vlan filter VLAN-FILTER-210 vlan-list 210

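To see why the original access-map forwards everything while the accepted one drops the 210-to-250 flow, here is an added Python model of how a VACL evaluates its sequences (an illustration written for this thread, not Cisco code; it assumes the 1.1.1.0/24 and 2.2.2.0/24 addresses used in the accepted solution). The key rule it encodes: inside a VACL the ACL is only a classifier, so a permit ACE means "this sequence matches", a deny ACE means "not this sequence, try the next", and a packet matching no sequence is dropped.

```python
from ipaddress import ip_address, ip_network

# Constructed model of Cisco VACL (vlan access-map) matching semantics, added for
# illustration only. An access-map is {sequence: (ace_list, action)}; an ACE is
# (permit_flag, src_network, dst_network). Addresses are the ones assumed in the
# accepted solution (VLAN 210 = 1.1.1.0/24, VLAN 250 = 2.2.2.0/24).

def acl_matches(aces, src, dst):
    """True only if the packet hits a permit ACE; a deny ACE (or the implicit
    deny at the end of the ACL) means the sequence does not match."""
    for permit, src_net, dst_net in aces:
        if ip_address(src) in src_net and ip_address(dst) in dst_net:
            return permit
    return False

def vacl_action(access_map, src, dst):
    """Walk sequences in numeric order; implicit drop if nothing matches."""
    for seq in sorted(access_map):
        aces, action = access_map[seq]
        if acl_matches(aces, src, dst):
            return action
    return "drop"

ANY = ip_network("0.0.0.0/0")
VLAN210 = ip_network("1.1.1.0/24")
VLAN250 = ip_network("2.2.2.0/24")

# The original poster's map: sequence 210 matches an ACL made only of deny ACEs,
# so it never fires; sequence 250 then forwards everything via "permit ip any any".
ORIGINAL_MAP = {
    210: ([(False, ANY, ANY)], "drop"),      # BLOCK_VLAN210: deny ip any any
    250: ([(True, ANY, ANY)], "forward"),    # ALLOW_VLAN250: permit ip any any
}

# The accepted solution: a permit ACE selects the flow to drop, then forward the rest.
ACCEPTED_MAP = {
    10: ([(True, VLAN210, VLAN250)], "drop"),  # VLAN-FILTER, action drop log
    20: ([(True, ANY, ANY)], "forward"),       # ANY-TRAFFIC, action forward
}

def compare(src, dst):
    """Return (original_map_action, accepted_map_action) for one packet."""
    return vacl_action(ORIGINAL_MAP, src, dst), vacl_action(ACCEPTED_MAP, src, dst)

if __name__ == "__main__":
    # Constructed sample packets: 210->250, 210->elsewhere, 250->210
    for src, dst in [("1.1.1.5", "2.2.2.7"), ("1.1.1.5", "8.8.8.8"), ("2.2.2.7", "1.1.1.5")]:
        print(src, "->", dst, compare(src, dst))
```

The third packet shows that the accepted ACL only matches the 210-to-250 direction; to cover the "vice versa" part of the question, VLAN-FILTER would also need a permit ACE for 2.2.2.0 0.0.0.255 to 1.1.1.0 0.0.0.255.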

5 Replies

ALIAOF_
Level 6

I have done something like this, but just using ACLs and then applying them to the VLAN interface "in".

Can you paste the ip access list in here too?

This is the only ACL:

ip access-list extended ALLOW_VLAN250
 permit ip any any
ip access-list extended BLOCK_VLAN210
 deny ip any any
 deny icmp any any

fb_webuser
Level 6

Hi, you might want to add VLAN250 in your filter list. VACL does work on only one direction as we have tried this on some of our call recording packet captures. Also, why do you have to go all the way down to VACL level if you can have it blocked on the L3 port/VLAN side? Just a thought.

---

Posted by WebUser John Patrick Lopez from Cisco Support Community App

Hi John,

I already added 250 to my filter list, but it still isn't working. I want to go down to the VACL level because it is a requirement for the compliance work we are doing right now.

ip access-list extended ALLOW_VLAN250
 permit ip any any
ip access-list extended BLOCK_VLAN210
 deny ip any any
 deny icmp any any
vlan access-map VLAN250MAP 250
 action forward
 match ip address ALLOW_VLAN250
vlan access-map VLAN250MAP 210
 action drop
 match ip address BLOCK_VLAN210
!
vlan filter VLAN250MAP vlan-list 210
vlan filter VLAN210MAP vlan-list 250

