Showing results for 
Search instead for 
Did you mean: 

VLAN Filtering

I've done a few route maps before and the logic is pretty much the same.  I just can't figure this one out.

It's probably not the best solution, but it is what I have to work with.  I would like to configure a guest vlan on our network and only allow access for DHCP, DNS, and Web.  I'm attempting to use a VLAN filter along with a L3 ACL on the L3 VLAN.  My L3 ACL seems to work fine.  I've been able to block access to the other internal subnets.  I would like users of this subnet to be able to ping the gateway and to traceroute to the Internet.  I'm not sure why I care, but I would also like to block all communication from user to user within the same guest vlan.  I've created the following ACL and VLAN access-map, but I'm still able to ping hosts on the same guest network and am also able to open a share on another host. 

I'm intentionally not matching the deny statements since the action is to drop.  Then, I want to drop the permit statements.  With this configuration, I can pull DHCP, DNS, and surf the web.  I have tested this functionality by adjusting those rules back to permit.  When I do that it breaks DHCP, DNS, and web.  The only piece that is not working is to block communication between hosts on the same guest vlan.  Any ideas?         

vlan access-map map982 10

action drop

match ip address acl982

vlan access-map map982 20

action forward

match ip address aclMatchAll


vlan filter map982 vlan-list 982

ip access-list extended acl982

deny   icmp any host unreachable

deny   icmp any host time-exceeded

deny   icmp any host echo-reply

deny   icmp any host echo

deny   icmp host any echo

deny   icmp host any echo-reply

deny   icmp host any time-exceeded

deny   icmp host any unreachable

deny   udp host eq bootpc host eq bootps

deny   udp host eq bootps any eq bootpc

deny   udp host eq domain

permit ip

permit ip

permit ip

permit ip

Thanks all.

Everyone's tags (2)

VLAN Filtering

Hi I'm a little rusty on ACLs but my understanding was that you normally need an implicit deny ip any at the bottom of the ACL. sorry if this suggestion is a silly one

Hope this helps!


CreatePlease to create content
Content for Community-Ad