07-11-2013 11:00 AM - edited 03-07-2019 02:21 PM
I want to block everything in VLAN 210 from accessing VLAN 250 and vice versa, but it doesn't work:
ip access-list extended ALLOW_VLAN250
permit ip any any
ip access-list extended BLOCK_VLAN210
deny ip any any
deny icmp any any
vlan access-map VLAN250MAP 250
action forward
match ip address ALLOW_VLAN250
vlan access-map VLAN250MAP 210
action drop
match ip address BLOCK_VLAN210
!
vlan filter VLAN250MAP vlan-list 210
07-11-2013 02:17 PM
Try this:
VLAN 210: 1.1.1.0/24
VLAN 250 2.2.2.0/24
ip access-list extended VLAN-FILTER
permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
ip access-list extended ANY-TRAFFIC
permit ip any any
vlan access-map VLAN-FILTER-210 10
match ip address VLAN-FILTER
action drop log
vlan access-map VLAN-FILTER-210 20
match ip address ANY-TRAFFIC
action forward
vlan filter VLAN-FILTER-210 vlan-list 210
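To show why the original map forwards everything while this one drops the 210-to-250 traffic, here is a small Python model of VLAN access-map evaluation. It is an added example, not Cisco code or anything from this thread; it assumes the documented VACL semantics (an ACL permit means "this sequence matches", an ACL deny means "no match, try the next sequence", and an IP packet matching no sequence is dropped), models only IP source/destination, and writes the wildcard masks as CIDR prefixes.

```python
import ipaddress

# Simplified model of a Cisco VLAN access-map (assumed semantics, see lead-in):
# sequences are evaluated in numeric order; a sequence matches when its ACL
# permits the packet; a deny line never matches; no match at all means drop.

def ace(action, src, dst):
    """One access-list entry. src/dst are CIDR strings or 'any'."""
    cidr = lambda s: ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)
    return (action, cidr(src), cidr(dst))

def acl_matches(acl, src, dst):
    """True only if the first ACE covering (src, dst) is a permit.
    A deny ACE, or no covering ACE at all, means 'no match' for the map."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action == "permit"
    return False

def evaluate(access_map, src, dst):
    """access_map: ordered list of (acl, action). Returns 'forward' or 'drop'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for acl, action in access_map:
        if acl_matches(acl, src, dst):
            return action
    return "drop"  # implicit drop when no sequence matches an IP packet

# Original post: sequence 210 (drop) is evaluated first but its ACL only has
# deny lines, so it never matches; sequence 250 then forwards everything.
ALLOW_VLAN250 = [ace("permit", "any", "any")]
BLOCK_VLAN210 = [ace("deny", "any", "any")]
OP_MAP = [(BLOCK_VLAN210, "drop"), (ALLOW_VLAN250, "forward")]

# Accepted answer: a permit for the 1.1.1.0/24 -> 2.2.2.0/24 pair makes the
# drop sequence actually match; the second sequence forwards everything else.
VLAN_FILTER = [ace("permit", "1.1.1.0/24", "2.2.2.0/24")]
ANY_TRAFFIC = [ace("permit", "any", "any")]
ANSWER_MAP = [(VLAN_FILTER, "drop"), (ANY_TRAFFIC, "forward")]

if __name__ == "__main__":
    # Constructed sample packets: one inter-VLAN, one leaving to elsewhere.
    for s, d in [("1.1.1.5", "2.2.2.7"), ("1.1.1.5", "10.0.0.1")]:
        print(s, "->", d, "| original map:", evaluate(OP_MAP, s, d),
              "| answer map:", evaluate(ANSWER_MAP, s, d))
```

In this model a packet from 2.2.2.7 to 1.1.1.5 is not matched by VLAN-FILTER and is forwarded, which is the one-direction behaviour the reply below mentions; a second access-map entry for the reverse source/destination pair would be needed to match it.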
07-11-2013 11:53 AM
I have done something like this but just using ACLs and then applying them to the VLAN interface "in".
Can you paste the ip access list in here too?
07-11-2013 12:18 PM
This is the only ACL:
ip access-list extended ALLOW_VLAN250
permit ip any any
ip access-list extended BLOCK_VLAN210
deny ip any any
deny icmp any any
07-11-2013 12:36 PM
Hi, you might want to add VLAN 250 to your filter list. A VACL does work in only one direction, as we have found when trying this on some of our call recording packet captures. Also, why do you have to go all the way down to the VACL level if you can have it blocked on the L3 port/VLAN side? Just a thought.
---
Posted by WebUser John Patrick Lopez from Cisco Support Community App
07-11-2013 01:41 PM
Hi John,
I already added 250 to my filter list, but it still isn't working. I want to go down to the VACL level because it is a compliance requirement we are working on right now.
ip access-list extended ALLOW_VLAN250
permit ip any any
ip access-list extended BLOCK_VLAN210
deny ip any any
deny icmp any any
vlan access-map VLAN250MAP 250
action forward
match ip address ALLOW_VLAN250
vlan access-map VLAN250MAP 210
action drop
match ip address BLOCK_VLAN210
!
vlan filter VLAN250MAP vlan-list 210
vlan filter VLAN210MAP vlan-list 250