cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
450
Views
15
Helpful
9
Replies

Vlan access-List(?)

alsayed
Level 1
Level 1

Hello Experts!

how to configure this Requirments:

VLAN Access Control

Configure an ACL with name “ACL-V” to obtain the following requirements:-

- Deny Web Traffic from 172.16.10.0/24 to Subnet 192.168.106.0

- Permit Web Traffic from 172.16.0.0/8 to Subnet 192.168.106.0

- Permit Any Other ip traffic from your POD to Subnet 192.168.106.0

Do not Use deny Statements, use only PERMIT statements.

(192.168.106.0 is VLAN_200)

many 10xs

9 Replies 9

Collin Clark
VIP Alumni
VIP Alumni

What part are you having trouble with?

bvsnarayana03
Level 5
Level 5

You need to configure VLAN access-map to meet the mentioned requirements.

access-list 101 permit tcp 172.16.10.0 0.0.0.255 192.168.106.0 0.0.0.255 eq 80

access-list 102 permit tcp 172.16.0.0 0.0.255.255 192.168.106.0 0.0.0.255 eq 80

vlan access-map webtraffic seq 10

match ip address 101

action drop

vlan access-map webtraffic seq 20

match ip address 102

action forward

vlan filter webtraffic vlan-list 200

Please note I didnt create an acl for your 3rd statement bcoz I couldnt understand.

This should suffice your requirement of creating an acl with all permits statements & still denying traffic.

hope that clarifies.

pls rate all helpful posts.

hi

you need to permit Ip Traffic to 192.168.106.0 Also

any Help

Hi Ali,

I will recommend you to have a look at this link

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12240se/scg1/swacl.htm#wp1600210

If after going through this you are not able to configure the ACL as per your reuiqrement me or someone on this forum will answer your last part.

HTH

Ankur

Hi Ankur

10xs a lot

Ankur does the Config provided by bvsnarayana03 Wrong?

HI

Permit Any Other ip traffic from your Rack to Subnet 192.168.106.0

any other Traffic to any where rather then the port 80

does this entry work:

ip access-list standard ALI

PERMit 172.16.0.0 0.0.255.255

vlan access-map filter 10

match ip address ALI

action drop

vlan access-map filter 20

match ip address ALI

action FW

vlan filter Filter vlan-list 199

Does it work?

10xs

Hi Ali,

I was bit confused with your ACL. You have matched same ACL in filter 10 and 20 and in filter 10 the action is DROP and in filter 20 the action is FWD for same ACL only. The check will work on first ACL and it will not come to second filter so the result will always be drop if source is 172.16.0.0/16

Can you please confirm once again what rules you are looking for?

Regards,

Ankur

This wouldn't accomplish what you need, since this map drops (denies) the traffic that you should allow through.

You need to drop only the /24 subnet, not the /16 one.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: