Access-List on Catalyst 65xx series

May 21st, 2008

I have one 6509 core switch and two 6506 switches interconnected via port channel and all in the same building. They are all on one VLAN. I wish to restrict access to one particular IP address from all but two machines. I'm not sure access-lists are the answer. VACLs may be the answer. Am I on the right track?

Correct Answer by Collin Clark about 8 years 5 months ago
coulbournc Wed, 05/21/2008 - 11:01

I'm going nowhere fast on this one. I reviewed the docs and figured I'd create a management VLAN instead. I added a VLAN to all three switches and assigned IP addresses to the VLAN interface on each switch. I believe I can create VACL entries to allow access to the management VLAN from the production VLAN. So far, it is a no go. The default gateway to the outside is a firewall and not the switches. My workstation points to the firewall as the default route, which tells me the switches are not even going to process the packets.

coulbournc Wed, 05/21/2008 - 14:33

I'm going to try and clarify exactly what I'm trying to accomplish.

I have three Cisco 65xx Catalyst switches which are all native. All reside in one building and are interconnected via port channel and fully meshed.

My goal is to create a management vlan that allows limited access from specific workstations in the production vlan so we can manage network devices in the management vlan.

I'm not sure private VLANs are the answer however. Please note none of the switches act as the default gateway. All of them point to a firewall to obtain outbound access. Can I configure inter-VLAN routing and use VACLs to control access? I've been trying and have failed. I created a VLAN on all three switches and assigned them IP addresses. I cannot ping the switches from each other. I did add a host to one switch which I can ping only from that switch.

Jon Marshall Thu, 05/22/2008 - 00:21


If you create a management vlan for the 6500 switches you will need a default-gateway for that vlan. So it will either be on 2 of the 6500 switches or on your firewall. I don't know your security requirements so it may be that you cannot route vlans off the 6500 switches and that all routing must be done on the firewall.

If you can route off the 6500 then create a L3 SVI for your new vlan on a pair of the 6500 and run HSRP or just one if resilience is not a major issue.

Then, because the default gateway of your production machines is the firewall, you will need to tell the firewall about the new management VLAN so a client on the production network can route to the new VLAN. You will also need to tell the 6500s about the production VLAN, i.e.


ip route <6500 mgt vlan SVI>


ip route

Note that the firewall syntax may not be correct depending on your firewall.

There is one possible problem with this and that is that some firewalls will not route traffic back out an interface the traffic has come in on.

Your other option, which will be more secure, is to make the connection between the 6500 and the firewall an 802.1q trunk link and create a subinterface for your new mgt VLAN. Then your firewall will be responsible for routing between the 2 VLANs and you can use the full capabilities of your firewall to grant/restrict access.

I would recommend the second option if possible but your firewall may not support 802.1q.

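As an added illustration of the first option above (a constructed example, not configuration from this thread or from any of the posters' networks): the switch-side config for one of a pair of 6500s that carries an SVI on the existing production VLAN and on the new management VLAN, runs HSRP on both, and points everything else at the firewall. VLAN numbers, addresses and HSRP groups are all assumed.

```cisco
! Constructed example for the first option; all VLAN numbers and addresses are assumed.
! 6500 #1 shown; 6500 #2 mirrors this with the .3 addresses and a lower HSRP priority.
ip routing
!
vlan 99
 name MANAGEMENT
!
! L3 presence on the existing production VLAN (assumed VLAN 10) so the firewall,
! which lives on that VLAN, has a next hop for the new management subnet
interface Vlan10
 ip address 10.10.0.2 255.255.255.0
 standby 10 ip 10.10.0.5
 standby 10 priority 110
 standby 10 preempt
 no shutdown
!
! New management VLAN SVI; the HSRP address is the default gateway for managed devices
interface Vlan99
 ip address 10.99.0.2 255.255.255.0
 standby 99 ip 10.99.0.1
 standby 99 priority 110
 standby 99 preempt
 no shutdown
!
! Anything beyond the two connected VLANs goes to the firewall's production-VLAN
! address (assumed 10.10.0.254)
ip route 0.0.0.0 0.0.0.0 10.10.0.254
!
! Firewall side (syntax is vendor-specific; shown here as a generic static route):
!   route 10.99.0.0/24 via 10.10.0.5   <- the 6500 pair's HSRP address on VLAN 10
! Because that next hop is on the same interface the clients arrive on, the firewall
! must be willing to route traffic back out the interface it came in on (see the
! caveat above); if it is not, the 802.1q trunk option avoids the problem entirely.
```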

coulbournc Thu, 05/22/2008 - 16:00


Thanks for the advice. I was able to obtain the desired results. I have a Symantec 5420 firewall appliance. I took an unused interface on it and created an IP address of I created a management VLAN, assigned a GigabitEthernet interface to the VLAN, and attached the firewall to the Gigabit interface. I assigned the other devices to the VLAN and that was it. I set the devices' default gateway to the firewall interface assigned to the VLAN and that was it. I did not assign any SVI addresses to the VLAN interfaces on the switches. The trunks are using ISL and not 802.1q. I created rules on the firewall to allow access from management workstations and tested it out. Once I'm comfortable, I'll turn off ICMP pings so the network appears to be invisible to the end users.

