01-07-2008 07:19 AM - edited 03-07-2019 12:27 AM
Hello Experts!
How do I configure these requirements:
VLAN Access Control
Configure an ACL with the name "ACL-V" to meet the following requirements:
- Deny Web Traffic from 172.16.10.0/24 to Subnet 192.168.106.0
- Permit Web Traffic from 172.16.0.0/8 to Subnet 192.168.106.0
- Permit Any Other ip traffic from your POD to Subnet 192.168.106.0
Do not Use deny Statements, use only PERMIT statements.
(192.168.106.0 is VLAN_200)
many 10xs
01-07-2008 07:35 AM
What part are you having trouble with?
01-07-2008 07:40 AM
You need to configure VLAN access-map to meet the mentioned requirements.
access-list 101 permit tcp 172.16.10.0 0.0.0.255 192.168.106.0 0.0.0.255 eq 80
access-list 102 permit tcp 172.16.0.0 0.0.255.255 192.168.106.0 0.0.0.255 eq 80
vlan access-map webtraffic seq 10
match ip address 101
action drop
vlan access-map webtraffic seq 20
match ip address 102
action forward
vlan filter webtraffic vlan-list 200
Please note I didn't create an ACL for your 3rd statement because I couldn't understand it.
This should satisfy your requirement of creating an ACL with only permit statements & still denying traffic.
Hope that clarifies.
Pls rate all helpful posts.
01-07-2008 08:11 AM
hi
You need to permit IP traffic to 192.168.106.0 also.
any Help
01-07-2008 09:03 AM
Hi Ali,
I will recommend you to have a look at this link
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12240se/scg1/swacl.htm#wp1600210
If after going through this you are not able to configure the ACL as per your requirement, I or someone on this forum will answer your last part.
HTH
Ankur
01-07-2008 09:44 AM
Hi Ankur
10xs a lot
01-07-2008 09:45 AM
Ankur, is the config provided by bvsnarayana03 wrong?
01-08-2008 12:19 PM
Hi
Permit any other IP traffic from your Rack to subnet 192.168.106.0
any other traffic to anywhere other than port 80
Does this entry work:
ip access-list standard ALI
permit 172.16.0.0 0.0.255.255
vlan access-map filter 10
match ip address ALI
action drop
vlan access-map filter 20
match ip address ALI
action forward
vlan filter filter vlan-list 199
Does it work?
10xs
01-08-2008 07:57 PM
Hi Ali,
I was a bit confused by your ACL. You have matched the same ACL in filter 10 and 20; in filter 10 the action is DROP and in filter 20 the action is FWD for the same ACL. The check will match on the first sequence and will not reach the second filter, so the result will always be drop if the source is 172.16.0.0/16.
Can you please confirm once again what rules you are looking for?
Regards,
Ankur
01-09-2008 12:33 AM
This wouldn't accomplish what you need, since this map drops (denies) the traffic that you should allow through.
You need to drop only the /24 subnet, not the /16 one.
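The evaluation rule the replies above depend on (sequences checked in order, first matching ACL decides the action, anything unmatched is dropped, and permit-only ACLs only select packets for a drop or forward action), modelled as an added Python example that is not part of this thread. ACL 101/102 follow bvsnarayana03's post; the third ACL (103), the map with the same ACL in seq 10 and 20, and all packets are constructed assumptions for illustration.

```python
# Added example (not from the thread): a minimal model of Catalyst VACL
# evaluation, used to check the reasoning in the posts above. Assumptions:
# ACL entries are permit-only (as the task requires), a packet "matches" a
# sequence when any entry of its ACL matches, the first matching sequence's
# action wins, and a packet matching no sequence is dropped (implicit deny).
from ipaddress import IPv4Address

def _ip(s: str) -> int:
    return int(IPv4Address(s))

def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    keep = ~_ip(wild) & 0xFFFFFFFF
    return (_ip(addr) & keep) == (_ip(base) & keep)

def acl_matches(acl, pkt) -> bool:
    """acl: list of (proto, src, src_wild, dst, dst_wild, dst_port_or_None)."""
    for proto, src, sw, dst, dw, port in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if not wildcard_match(pkt["src"], src, sw):
            continue
        if not wildcard_match(pkt["dst"], dst, dw):
            continue
        if port is not None and pkt.get("dport") != port:
            continue
        return True
    return False

def vacl(sequences, pkt) -> str:
    """sequences: ordered list of (acl, action). First match wins; else drop."""
    for acl, action in sequences:
        if acl_matches(acl, pkt):
            return action
    return "drop"

ANY = ("0.0.0.0", "255.255.255.255")
VLAN200 = ("192.168.106.0", "0.0.0.255")
# ACL 101/102 as posted by bvsnarayana03, plus a third permit-only ACL
# (hypothetical, called 103 here) that forwards all other IP traffic.
ACL_101 = [("tcp", "172.16.10.0", "0.0.0.255", *VLAN200, 80)]
ACL_102 = [("tcp", "172.16.0.0", "0.0.255.255", *VLAN200, 80)]
ACL_103 = [("ip", "172.16.0.0", "0.0.255.255", *VLAN200, None)]
WEBTRAFFIC = [(ACL_101, "drop"), (ACL_102, "forward"), (ACL_103, "forward")]
# The later post's map: the same ACL in seq 10 (drop) and seq 20 (forward).
ACL_ALI = [("ip", "172.16.0.0", "0.0.255.255", *ANY, None)]
ALI_MAP = [(ACL_ALI, "drop"), (ACL_ALI, "forward")]

def pkt(src, dst, proto="tcp", dport=None):
    """Constructed packet header used as input to vacl()."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}
```

Running the three-sequence map shows web traffic from the /24 dropped, web from the rest of the /16 forwarded, and non-web traffic forwarded; the map that reuses one ACL for drop and forward never reaches its forward sequence.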