Beginner

VLAN ACL stops all the traffic

Dear All,

 

I have been working on a VACL to limit access to servers to specific users, but when I applied it, all the traffic from that VLAN got stopped. What should I do so that the rest of the traffic flows normally? Here is my configuration: the server IPs are 192.168.8.178, 192.168.10.49, 192.168.11.13 and 192.168.11.14, and the user IPs are defined as per the configuration below. I have this one big subnet 192.168.8.1/21 in my network and have to accomplish this task. Need help in this regard.

 

Thanks & Regards,

Talha

 

access-list 101 permit ip host 192.168.8.178 host 192.168.10.135
access-list 101 permit ip host 192.168.10.49 host 192.168.10.135
access-list 101 permit ip host 192.168.11.13 host 192.168.10.135
access-list 101 permit ip host 192.168.11.14 host 192.168.10.135

access-list 101 permit ip host 192.168.8.178 host 192.168.8.216
access-list 101 permit ip host 192.168.10.49 host 192.168.8.216
access-list 101 permit ip host 192.168.11.13 host 192.168.8.216
access-list 101 permit ip host 192.168.11.14 host 192.168.8.216

access-list 101 permit ip host 192.168.8.178 host 192.168.11.69
access-list 101 permit ip host 192.168.10.49 host 192.168.11.69
access-list 101 permit ip host 192.168.11.13 host 192.168.11.69
access-list 101 permit ip host 192.168.11.14 host 192.168.11.69

access-list 101 permit ip host 192.168.8.178 host 192.168.12.77
access-list 101 permit ip host 192.168.10.49 host 192.168.12.77
access-list 101 permit ip host 192.168.11.13 host 192.168.12.77
access-list 101 permit ip host 192.168.11.14 host 192.168.12.77

access-list 101 permit ip host 192.168.8.178 host 192.168.8.6
access-list 101 permit ip host 192.168.10.49 host 192.168.8.6
access-list 101 permit ip host 192.168.11.13 host 192.168.8.6
access-list 101 permit ip host 192.168.11.14 host 192.168.8.6

access-list 101 permit ip host 192.168.8.178 host 192.168.10.102
access-list 101 permit ip host 192.168.10.49 host 192.168.10.102
access-list 101 permit ip host 192.168.11.13 host 192.168.10.102
access-list 101 permit ip host 192.168.11.14 host 192.168.10.102

access-list 101 permit ip host 192.168.8.178 host 192.168.12.147
access-list 101 permit ip host 192.168.10.49 host 192.168.12.147
access-list 101 permit ip host 192.168.11.13 host 192.168.12.147
access-list 101 permit ip host 192.168.11.14 host 192.168.12.147

access-list 101 permit ip host 192.168.8.178 host 192.168.10.159
access-list 101 permit ip host 192.168.10.49 host 192.168.10.159
access-list 101 permit ip host 192.168.11.13 host 192.168.10.159
access-list 101 permit ip host 192.168.11.14 host 192.168.10.159

access-list 101 permit ip host 192.168.8.178 host 192.168.10.100
access-list 101 permit ip host 192.168.10.49 host 192.168.10.100
access-list 101 permit ip host 192.168.11.13 host 192.168.10.100
access-list 101 permit ip host 192.168.11.14 host 192.168.10.100

access-list 101 permit ip host 192.168.8.178 host 192.168.9.42
access-list 101 permit ip host 192.168.10.49 host 192.168.9.42
access-list 101 permit ip host 192.168.11.13 host 192.168.9.42
access-list 101 permit ip host 192.168.11.14 host 192.168.9.42

access-list 101 permit ip host 192.168.8.178 host 192.168.8.94
access-list 101 permit ip host 192.168.10.49 host 192.168.8.94
access-list 101 permit ip host 192.168.11.13 host 192.168.8.94
access-list 101 permit ip host 192.168.11.14 host 192.168.8.94

 

3750(config)#vlan access-map SERVER_ACCESS 10
3750(config-access-map)#match ip address 101
3750(config-access-map)#action forward
3750(config)#vlan access-map SERVER_ACCESS 20
3750(config-access-map)#action drop
3750(config)#vlan filter SERVER_ACCESS vlan-list 1

Accepted Solution
VIP Mentor

Re: VLAN ACL stops all the traffic

Hello,

 

You need to deny access to all other IP addresses to the hosts, and then permit everything else. Cut and paste the access list below. Then delete the drop statement and make sure just the forward is in your config:

 

3750(config)#vlan access-map SERVER_ACCESS 10
3750(config-access-map)#match ip address 101
3750(config-access-map)#action forward

3750(config-access-map)#exit

3750(config)#vlan filter SERVER_ACCESS vlan-list 1

access-list 101 permit ip host 192.168.8.178 host 192.168.10.135
access-list 101 permit ip host 192.168.10.49 host 192.168.10.135
access-list 101 permit ip host 192.168.11.13 host 192.168.10.135
access-list 101 permit ip host 192.168.11.14 host 192.168.10.135

access-list 101 permit ip host 192.168.8.178 host 192.168.8.216
access-list 101 permit ip host 192.168.10.49 host 192.168.8.216
access-list 101 permit ip host 192.168.11.13 host 192.168.8.216
access-list 101 permit ip host 192.168.11.14 host 192.168.8.216

access-list 101 permit ip host 192.168.8.178 host 192.168.11.69
access-list 101 permit ip host 192.168.10.49 host 192.168.11.69
access-list 101 permit ip host 192.168.11.13 host 192.168.11.69
access-list 101 permit ip host 192.168.11.14 host 192.168.11.69

access-list 101 permit ip host 192.168.8.178 host 192.168.12.77
access-list 101 permit ip host 192.168.10.49 host 192.168.12.77
access-list 101 permit ip host 192.168.11.13 host 192.168.12.77
access-list 101 permit ip host 192.168.11.14 host 192.168.12.77

access-list 101 permit ip host 192.168.8.178 host 192.168.8.6
access-list 101 permit ip host 192.168.10.49 host 192.168.8.6
access-list 101 permit ip host 192.168.11.13 host 192.168.8.6
access-list 101 permit ip host 192.168.11.14 host 192.168.8.6

access-list 101 permit ip host 192.168.8.178 host 192.168.10.102
access-list 101 permit ip host 192.168.10.49 host 192.168.10.102
access-list 101 permit ip host 192.168.11.13 host 192.168.10.102
access-list 101 permit ip host 192.168.11.14 host 192.168.10.102

access-list 101 permit ip host 192.168.8.178 host 192.168.12.147
access-list 101 permit ip host 192.168.10.49 host 192.168.12.147
access-list 101 permit ip host 192.168.11.13 host 192.168.12.147
access-list 101 permit ip host 192.168.11.14 host 192.168.12.147

access-list 101 permit ip host 192.168.8.178 host 192.168.10.159
access-list 101 permit ip host 192.168.10.49 host 192.168.10.159
access-list 101 permit ip host 192.168.11.13 host 192.168.10.159
access-list 101 permit ip host 192.168.11.14 host 192.168.10.159

access-list 101 permit ip host 192.168.8.178 host 192.168.10.100
access-list 101 permit ip host 192.168.10.49 host 192.168.10.100
access-list 101 permit ip host 192.168.11.13 host 192.168.10.100
access-list 101 permit ip host 192.168.11.14 host 192.168.10.100

access-list 101 permit ip host 192.168.8.178 host 192.168.9.42
access-list 101 permit ip host 192.168.10.49 host 192.168.9.42
access-list 101 permit ip host 192.168.11.13 host 192.168.9.42
access-list 101 permit ip host 192.168.11.14 host 192.168.9.42

access-list 101 permit ip host 192.168.8.178 host 192.168.8.94
access-list 101 permit ip host 192.168.10.49 host 192.168.8.94
access-list 101 permit ip host 192.168.11.13 host 192.168.8.94
access-list 101 permit ip host 192.168.11.14 host 192.168.8.94

access-list 101 deny ip 192.168.8.0 0.0.7.255 host 192.168.10.135
access-list 101 deny ip 192.168.8.0 0.0.7.255 host 192.168.8.216
access-list 101 deny ip 192.168.8.0 0.0.7.255 host 192.168.11.69
access-list 101 deny ip 192.168.8.0 0.0.7.255 host 192.168.12.77
access-list 101 deny ip 192.168.8.0 0.0.7.255 host 192.168.8.6
access-list 101 deny ip 192.168.8.0 0.0.7.255 host 192.168.10.102
access-list 101 deny ip 192.168.8.0 0.0.7.255 host 192.168.12.147
access-list 101 deny ip 192.168.8.0 0.0.7.255 host 192.168.10.159
access-list 101 deny ip 192.168.8.0 0.0.7.255 host 192.168.10.100
access-list 101 deny ip 192.168.8.0 0.0.7.255 host 192.168.9.42
access-list 101 deny ip 192.168.8.0 0.0.7.255 host 192.168.8.94
access-list 101 permit ip 192.168.8.0 0.0.7.255 any
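To see what this VACL actually lets through before applying it, here is an added Python model (not from the thread or from Cisco) of IOS first-match ACL lookup combined with the single forward clause's implicit VACL drop, run over a constructed subset of ACL 101. It assumes standard IOS semantics and contiguous wildcard masks; paste the complete list into ACL_101 to check any pair, including the 192.168.10.135 to 192.168.11.13 flow asked about in the last reply below.

```python
import ipaddress

# Constructed subset of ACL 101 from the accepted solution: two of the
# host-to-host permits, one of the per-host deny lines and the closing permit.
ACL_101 = """
access-list 101 permit ip host 192.168.8.178 host 192.168.10.135
access-list 101 permit ip host 192.168.11.13 host 192.168.10.135
access-list 101 deny ip 192.168.8.0 0.0.7.255 host 192.168.10.135
access-list 101 permit ip 192.168.8.0 0.0.7.255 any
"""


def _parse_addr(tokens):
    """Consume one IOS address spec ('any', 'host A.B.C.D' or 'A.B.C.D WILDCARD')
    and return (network, remaining tokens). Assumes a contiguous wildcard mask."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # A wildcard is an inverted mask: 0.0.7.255 has 11 host bits, i.e. a /21.
    prefix = 32 - int(ipaddress.ip_address(wildcard)).bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src, dst)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, rest = _parse_addr(tokens[4:])
        dst, _ = _parse_addr(rest)
        entries.append((tokens[2], src, dst))
    return entries


def acl_lookup(entries, src, dst):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in entries:
        if s in snet and d in dnet:
            return action
    return "deny"


def vacl_decision(entries, src, dst):
    """Single-clause VACL (match ip address 101 / action forward): a packet the ACL
    permits matches the clause and is forwarded; one it denies, explicitly or via the
    implicit deny, matches no clause and falls through to the VACL's implicit drop."""
    return "forward" if acl_lookup(entries, src, dst) == "permit" else "drop"
```

Note that a source outside 192.168.8.0/21 matches no permit line, so with this filter routed traffic entering VLAN 1 from other subnets is dropped as well.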

 

3 REPLIES
Beginner

Re: VLAN ACL stops all the traffic

Thank you so much Georg Pauwen for the help. I was so confused about how I allow all these people access to the servers and stop all the rest. Thanks a lot for the help.

 

Regards,

Talha

Beginner

Re: VLAN ACL stops all the traffic

With these ACL statements, can my host having IP 192.168.10.135 communicate with the server on 192.168.11.13? These ACLs have made me so confused.

 

Regards,

Talha
