I have created a VLAN that will house our printers.
The VLAN is served by two c3750 switches running HSRP.
I want to filter traffic on the VLAN interface to allow only a specific network and host to have full access to the VLAN, but allow everyone else to ping.
I've created an extended IP access list as follows:
ip access-list extended printeraccess
permit ip 10.1.1.0 0.0.0.255 any
permit ip host 10.0.14.158 any
permit icmp any any
I then apply this with an access map as follows:
vlan access-map printer 10
match ip address printeraccess
vlan filter printer vlan-list 106
This all works fine, except HSRP is now blocked, and OSPF also.
I add the following line to the access-list to allow HSRP:
permit udp any any eq 1985
After this the HSRP cluster comes back to life, but no other communication is allowed over the VLAN - not even the ICMP.
As soon as I remove this statement again, ICMP and IP access start working but the HSRP cluster falls over.
I will eventually need to add permit ospf any any. But I wanted to get this sorted first.
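
An added example, not part of the original post: a small Python model of first-match ACL evaluation with the implicit deny, run over the entries of printeraccess, showing why HSRP and OSPF hellos sourced from the switches fall through the list as posted. The packet samples and the SVI address 10.1.106.2 are constructed assumptions, and the model assumes the VLAN map forwards whatever the ACL permits. It covers ACL matching only and does not reproduce the behaviour reported after the UDP entry was added.

```python
import ipaddress

# Entries from the post's "printeraccess" ACL: (protocol, source network, dest port).
# The destination is "any" in every entry, so it is not modelled.
PRINTERACCESS = [
    ("ip",   "10.1.1.0/24",    None),   # permit ip 10.1.1.0 0.0.0.255 any
    ("ip",   "10.0.14.158/32", None),   # permit ip host 10.0.14.158 any
    ("icmp", "0.0.0.0/0",      None),   # permit icmp any any
]
HSRP_ENTRY = ("udp",  "0.0.0.0/0", 1985)  # permit udp any any eq 1985
OSPF_ENTRY = ("ospf", "0.0.0.0/0", None)  # permit ospf any any


def acl_permits(acl, proto, src, dport=None):
    """First-match evaluation; a packet matching no entry hits the implicit deny."""
    for ace_proto, ace_src, ace_dport in acl:
        if ace_proto not in ("ip", proto):        # "ip" matches every IP protocol
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(ace_src):
            continue
        if ace_dport is not None and ace_dport != dport:
            continue
        return True
    return False


# Constructed sample packets. 10.1.106.2 is an assumed SVI address on VLAN 106,
# outside both permitted source ranges.
PACKETS = {
    "hsrp hello":          ("udp",  "10.1.106.2", 1985),
    "ospf hello":          ("ospf", "10.1.106.2", None),
    "ping from elsewhere": ("icmp", "192.0.2.50", None),
    "admin network":       ("tcp",  "10.1.1.20",  9100),
}


def evaluate(acl):
    """Return {packet name: permitted?} for every constructed packet."""
    return {name: acl_permits(acl, *pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    with_control_plane = PRINTERACCESS + [HSRP_ENTRY, OSPF_ENTRY]
    for label, acl in (("as posted", PRINTERACCESS),
                       ("with HSRP and OSPF entries", with_control_plane)):
        print(label, evaluate(acl))
```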