03-19-2018 08:01 AM - edited 03-08-2019 02:19 PM
Hi there
I'm new to this forum. I have a problem with VLANs. We have a Cat4500 L3 switch configured with different VLANs. Now we need to configure a new VLAN for projectors, and we want only certain VLANs to access this new Projectors VLAN. For example, let's call this Projectors VLAN vlan 10 and the existing VLANs 5, 6, 7 & 8. We want only VLANs 5, 6, 7 & 8 to access vlan 10. Someone told me to use a VACL, which I have no idea about. Can anyone guide me? Thanks in advance.
Regards
03-19-2018 09:47 AM
Hi,
I am confused by your comment "For example, let's call this Projectors vlan as vlan 10 and existing vlans as 5,6,7 & 8. We want only only 5,6,7,& 8 vlans to access vlan 10."
According to your comment, all VLANs are allowed to communicate with VLAN 10. Maybe I didn't get your point, or there is a typo.
I am sharing a good post about VACLs with configuration examples. Please read it and apply the same.
http://blog.ine.com/2009/08/10/vlan-access-control-lists-vacls-tiers-1/
Regards,
Deepak Kumar
03-19-2018 10:17 AM
Hi Deepak
Thanks for the reply. I'll look into the links. My point is: there are 10 VLANs (say vlan 2, 3, 4, 5, 6, 7, 8, 9, 11, 12) that currently exist, and I'm going to create a new VLAN for projectors (vlan 10). I want only VLANs 5, 6, 7 & 8 to be able to access vlan 10, and not the other VLANs. I mean, only the users in VLANs 5, 6, 7 & 8 should be able to access vlan 10, and nobody else. Hope this clarifies it. Thanks in advance.
Regards
03-19-2018 12:00 PM
04-10-2018 04:22 AM
Hi Deepak
Apologies for the delay, as I was on holiday. I followed the guide from the link and tried it in my simulator. It looks like it is not working. Please see the core switch config below and the attached test network diagram. What I'm looking to achieve is that VLAN 7 (in RED) should not be able to access VLAN 10 (in GREEN), but all other VLANs should be able to access it.
Core#sh run
Building configuration...
Current configuration : 2648 bytes
!
Version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Core
!
!
!
!
ip subnet-zero
!
ip cef
no ip domain-lookup
spanning-tree mode pvst
ip routing
spanning-tree extend system-id
!
vlan access-map test 100
match ip address test
action drop
vlan filter test vlan-list 7
!
!
!
!
!
!
!
interface FastEthernet1/0/1
!
interface FastEthernet1/0/2
!
interface FastEthernet1/0/3
!
interface FastEthernet1/0/4
!
interface FastEthernet1/0/5
!
interface FastEthernet1/0/6
!
interface FastEthernet1/0/7
!
interface FastEthernet1/0/8
!
interface FastEthernet1/0/9
!
interface FastEthernet1/0/10
!
interface FastEthernet1/0/11
!
interface FastEthernet1/0/12
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
!
interface FastEthernet1/0/17
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/19
!
interface FastEthernet1/0/20
!
interface FastEthernet1/0/21
!
interface FastEthernet1/0/22
switchport trunk encapsulation dot1q
!
interface FastEthernet1/0/23
switchport trunk encapsulation dot1q
!
interface FastEthernet1/0/24
switchport trunk encapsulation dot1q
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
!
interface Vlan 1
ip address 172.25.175.254 255.255.255.192
no ip route-cache
!
interface Vlan0003
ip address 172.16.143.126 255.255.255.128
no ip route-cache
!
interface Vlan0005
ip address 172.16.143.222 255.255.255.240
no ip route-cache
!
interface Vlan0007
ip address 172.16.143.190 255.255.255.192
no ip route-cache
!
interface Vlan0009
ip address 172.16.143.254 255.255.255.224
no ip route-cache
!
interface Vlan0010
ip address 172.25.172.126 255.255.255.128
no ip route-cache
!
interface Vlan0203
ip address 172.25.173.254 255.255.255.0
no ip route-cache
!
interface Vlan0204
ip address 172.25.174.254 255.255.255.0
no ip route-cache
!
vlan 3 name WIRELESS_EMPLOYEES
vlan 5 name WIRELESS_GUESTS
vlan 7 name WIRELESS_SCANNERS
vlan 9 name WIRELESS_MANAGEMENT
vlan 10 name PROJECTORS
vlan 203 name DHCP_OFFICE
vlan 204 name DHCP_WORKSHOP
!
!
!
ip classless
no ip http server
!
ip access-list extended TEST
permit ip 172.25.174.0 0.0.0.255 172.25.172.0 0.0.0.127
permit ip 172.25.173.0 0.0.0.255 172.25.172.0 0.0.0.127
permit ip 172.16.143.208 0.0.0.15 172.25.172.0 0.0.0.127
permit ip 172.16.143.0 0.0.0.127 172.25.172.0 0.0.0.127
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
no scheduler allocate
end
Please suggest any changes that need to be made.
Regards
Adi
04-10-2018 05:18 AM
Hi,
Change your configuration as below:
ip access-list extended TEST
permit IP 172.16.143.128 0.0.0.63 172.25.172.0 0.0.0.127
permit IP 172.25.172.0 0.0.0.127 172.16.143.128 0.0.0.63
!
!
vlan access-map test 100
match ip address test
action drop
exit
!
vlan access-map test 101
action forward
exit
!
vlan filter test vlan-list 7
Regards,
Deepak Kumar
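To see why the second access-map sequence matters, here is a small model of how a Cisco VLAN access map evaluates an IPv4 packet. This is an added example written for this thread, not code from the Cisco IOS software or from either poster; it assumes the documented VACL semantics (an ACE with a wildcard mask matches when the non-wildcard bits agree, a permit ACE means "this clause matches", a deny ACE means "this clause does not match, try the next sequence", and a packet that matches no sequence is dropped by the implicit deny at the end of the map). The subnets are the ones from Adi's configuration above, and the host addresses used as test flows are constructed.

```python
"""Model of Cisco VLAN access-map (VACL) evaluation for IPv4 flows.

Added example, not Cisco code. Assumed semantics (per the IOS VACL docs):
  * an ACE matches when (addr & ~wildcard) == (network & ~wildcard)
  * inside a VACL a 'permit' ACE means the clause matches; a 'deny' ACE
    means it does not, and the next access-map sequence is tried
  * a packet matching no sequence is dropped (implicit deny at the end)
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True when addr falls inside network/wildcard (IOS wildcard mask)."""
    keep = 0xFFFFFFFF ^ int(IPv4Address(wildcard))       # bits that must agree
    return (int(IPv4Address(addr)) & keep) == (int(IPv4Address(network)) & keep)


@dataclass(frozen=True)
class Ace:
    permit: bool            # permit -> clause matches, deny -> clause does not
    src: str
    src_wild: str
    dst: str
    dst_wild: str

    def covers(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, self.src, self.src_wild)
                and wildcard_match(dst, self.dst, self.dst_wild))


def acl_matches(acl: Tuple[Ace, ...], src: str, dst: str) -> bool:
    """First-match ACL lookup; no covering ACE means no match for the clause."""
    for ace in acl:
        if ace.covers(src, dst):
            return ace.permit
    return False


@dataclass(frozen=True)
class MapEntry:
    seq: int
    action: str                        # "drop" or "forward"
    acl: Optional[Tuple[Ace, ...]] = None   # None = no match clause, matches all


def evaluate(access_map: Tuple[MapEntry, ...], src: str, dst: str) -> str:
    """Return the action the VACL applies to a packet from src to dst."""
    for entry in sorted(access_map, key=lambda e: e.seq):
        if entry.acl is None or acl_matches(entry.acl, src, dst):
            return entry.action
    return "drop"   # implicit deny: nothing matched


# Subnets from the thread: VLAN 7 = 172.16.143.128/26, VLAN 10 = 172.25.172.0/25
VLAN7 = ("172.16.143.128", "0.0.0.63")
VLAN10 = ("172.25.172.0", "0.0.0.127")

# Adi's original ACL (sources are VLANs 204, 203, 5 and 3, never VLAN 7)
ORIGINAL_ACL = (
    Ace(True, "172.25.174.0", "0.0.0.255", *VLAN10),
    Ace(True, "172.25.173.0", "0.0.0.255", *VLAN10),
    Ace(True, "172.16.143.208", "0.0.0.15", *VLAN10),
    Ace(True, "172.16.143.0", "0.0.0.127", *VLAN10),
)
ORIGINAL_MAP = (MapEntry(100, "drop", ORIGINAL_ACL),)      # no forward clause

# Deepak's corrected ACL: both directions between VLAN 7 and VLAN 10
FIXED_ACL = (
    Ace(True, *VLAN7, *VLAN10),
    Ace(True, *VLAN10, *VLAN7),
)
FIXED_MAP = (
    MapEntry(100, "drop", FIXED_ACL),
    MapEntry(101, "forward"),                               # everything else
)

# Constructed test flows seen on VLAN 7, where the filter is applied
FLOWS = {
    "vlan7 -> projector": ("172.16.143.130", "172.25.172.10"),
    "projector -> vlan7": ("172.25.172.10", "172.16.143.130"),
    "vlan7 -> office (vlan 203)": ("172.16.143.130", "172.25.173.20"),
}


def compare(flows=FLOWS) -> dict:
    """Action of the original and corrected map for each flow."""
    return {name: (evaluate(ORIGINAL_MAP, s, d), evaluate(FIXED_MAP, s, d))
            for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:28s} original={before:8s} corrected={after}")
```

Running it shows that the original map drops every flow on VLAN 7, including VLAN 7 to VLAN 203, because none of its ACEs cover VLAN 7 addresses and the missing forward sequence leaves only the implicit deny; the corrected map drops only the VLAN 7 / VLAN 10 pair and forwards the rest.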