ACL question

Feb 22nd, 2007

We have two 3750 switches that do not have VTP running on them. One has 4 VLANs configured on it; the VLANs talk to each other via ACLs in the switch. Now I need to install another 3750 switch with basically the same scenario. I have tried getting VLANs 1 and 301 to talk to each other via ACLs on the switch, but the problem I keep running into is that I can either shut down ALL of the traffic or open the flood gates.

I have IP routing enabled, trunking is enabled, and VLAN 301 is being trunked.

Do I need VTP running? FYI, the other switch that's supporting VLANs doesn't have it running.

The IP in 301 that needs to be seen from any IP in VLAN 1 is

Any thoughts?

purohit_810 Thu, 02/22/2007 - 14:29

On one hand you are telling me VTP is NOT running, and on the other hand you are telling me:

"I have IP routing enabled, and trunking is enabled and VLAN 301 is being trunked"

Does that mean something is missing?

See, here is what we should do.


Two switches: configure one switch with 4 VLANs.

Configure the other switch with VLAN IDs 1 and 301.

Now, when you configure a trunk between both of them, only allow VLANs 1 and 301. Only those two VLANs' traffic will come to the second switch. No need to do anything else.

Commands (on the trunk port):
switchport mode trunk
switchport trunk allowed vlan 1,301


Second Solution:

1) Configure one VTP domain.

2) Configure one switch as a VTP server and another as a VTP Client.

3) Now put access-list between both of them.

If you have any queries or are not able to understand, please let me know.


Dharmesh Purohit

garyrivers Thu, 02/22/2007 - 14:40

I screwed up....

Let me clarify myself. The new switch will contain 3 VLANs, well, 4 including VLAN 1.

All will need to talk to each other but not to the rest of the network, EXCEPT maybe one or two.

I mentioned enabling VTP only for the fact that I'm not sure of the results of enabling VTP on the new switch and NOT on the older switch.

I know I'm missing an easy step but for the life of me, I cannot see it.

Thanks, Gary

sachinraja Thu, 02/22/2007 - 17:00

Hello Gary,

Where is the Layer 3 routing done? On the core? If so, you need to configure a VACL (VLAN ACL) to restrict traffic between VLANs. It's just like a normal Layer 3 access list: permit all the networks which need access and deny the rest. You need to apply this onto your VLAN interface.

VTP is basically required to propagate VLAN information between the core and the edge switches; it has nothing to do with data transport or routing. If you do not have VTP running, you need to manually add all the VLANs on your new 3750 switch and trunk the traffic to the core. This will make things work for you.

Hope this helps. All the best.


garyrivers Fri, 02/23/2007 - 06:29

We are putting the ACLs on the switch.

I did apply the ACL to the VLAN 301 interface.

About VTP: well, I didn't think it was a factor, but then again I wasn't counting anything out.

Manually adding VLANs to the switch won't be a big deal.

Thanks for your help.
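Worked example of the configuration the thread converges on, added here and not part of any post: a routed ACL bound to the VLAN 301 SVI of a 3750 with ip routing enabled, permitting a single host in VLAN 301 to reach VLAN 1 and dropping everything else, plus the trunk carrying only VLANs 1 and 301 (so no VTP is needed). All addressing is constructed: 192.0.2.0/24 for VLAN 1, 198.51.100.0/24 for VLAN 301, and 198.51.100.10 standing in for the host IP left blank in the question; the port name GigabitEthernet1/0/1 is likewise an assumption. Two points explain the "all or nothing" symptom: an ACL applied "in" on an SVI only filters packets sourced from hosts in that VLAN (so "out" is what filters traffic heading to them), and router ACLs are stateless, so the return direction needs its own permit entry. What Gary describes (ip access-group on the VLAN interface) is a routed ACL; a VACL on the 3750 is a separate feature configured with vlan access-map and vlan filter and also filters traffic bridged within the VLAN.

```cisco
! Added example, not from the thread. Constructed addressing:
!   VLAN 1   = 192.0.2.0/24     (SVI 192.0.2.1)
!   VLAN 301 = 198.51.100.0/24  (SVI 198.51.100.1)
!   198.51.100.10 stands in for the VLAN 301 host that VLAN 1 must reach.
ip routing
!
vlan 301
 name restricted
!
interface Vlan1
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan301
 ip address 198.51.100.1 255.255.255.0
 ! "in" filters packets arriving FROM hosts in VLAN 301;
 ! "out" filters packets being routed TO hosts in VLAN 301.
 ip access-group VLAN301-IN in
 ip access-group VLAN301-OUT out
!
! Traffic leaving VLAN 301: only the one host may reach VLAN 1.
! The final deny is implicit anyway; writing it with "log" makes the
! "show ip access-lists" counters show what is actually being dropped.
ip access-list extended VLAN301-IN
 permit ip host 198.51.100.10 192.0.2.0 0.0.0.255
 deny   ip any any log
!
! Traffic entering VLAN 301 from VLAN 1: router ACLs are stateless, so the
! return path must be permitted explicitly or the flow looks "shut down".
ip access-list extended VLAN301-OUT
 permit ip 192.0.2.0 0.0.0.255 host 198.51.100.10
 deny   ip any any log
!
! Trunk to the other switch (assumed port): carry only the VLANs defined on
! both sides, so the VLAN database is maintained by hand without VTP.
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,301
```

To check the result, `show ip access-lists VLAN301-IN` shows per-entry match counters (a climbing count on the deny line while the permit stays at zero means the source host is not the one listed), and `show ip interface vlan 301` confirms which ACL is bound in each direction. If the new switch's three VLANs must also reach each other, each of their SVIs needs the same pair of lists with the peer subnets permitted before the final deny.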

