VACL help

Unanswered Question
Oct 1st, 2008

Hi,


I have Cisco 6500 SUP720 IOS 12.2(17d) with multiple vlans 5, 6, 7, 33 and 90.

Vlan 90 = 10.90.1.X network equipment

Vlan 33 = 10.200.1.6 my PC

Vlan 5, 6 and 7 = 10.5.1.X, 10.6.1.X and 10.7.1.X staff PCs


I want to be able to control access to vlan 90 so that only vlan 33 has access.


So I set up an ACL, VACL and vlan access-map like this:

ip access-list standard in-switches
 permit 10.200.1.0 0.0.0.255
ip access-list standard allow-any
 permit any
vlan access-map map90 10
 match ip address in-switches
 action forward
vlan access-map map90 20
 match ip address allow-any
 action drop
vlan filter map90 vlan-list 90


As soon as I apply the last command I lose connection to vlan 90 (can't ping it). What am I doing wrong?


Thanks in Advance:)


Giuseppe Larosa Wed, 10/01/2008 - 09:04

Hello Joel,

I would try to use only the first block of the VACL.

Try the following:

no vlan access-map map90 20

Then apply the VACL again and tell me if you see any difference.


VACLs have an implicit deny at the end of the map; a packet is denied if it does not match any ACL entry, and at least one ACL is configured for the packet type.


The second aspect is that a standard ACL is used to match the source IP address only.


I would use an extended ACL permitting traffic between the two subnets


no ip access-list standard allow-any
ip access-list extended in-switches
 permit ip 10.200.1.0 0.0.0.255 10.90.1.0 0.0.0.255
 permit ip 10.90.1.0 0.0.0.255 10.200.1.0 0.0.0.255


Hope to help

Giuseppe
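
The following is an added model of the VACL evaluation described in this thread, not configuration or code from the original posts: it applies the first-matching-sequence rule and the implicit deny to the posted map and to the suggested extended-ACL map. A VACL is stateless, so the echo reply from vlan 90 is checked on its own; the host addresses 10.90.1.10 and 10.5.1.20 are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

def net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    # IOS wildcard masks are hostmasks, which ipaddress accepts directly
    return ipaddress.ip_network(f"{addr}/{wildcard}")

ANY = ipaddress.ip_network("0.0.0.0/0")

# An ACL is a list of permit entries; dst is None for a standard ACL,
# which matches on the source address only.
Entry = Tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Network]]

def acl_permits(entries: List[Entry], src: str, dst: str) -> bool:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in esrc and (edst is None or d in edst) for esrc, edst in entries)

# A VACL sequence is (match ACL, action); the first matching sequence wins,
# and a packet matching no sequence is dropped (implicit deny at end of map).
Seq = Tuple[List[Entry], str]

def vacl_action(access_map: List[Seq], src: str, dst: str) -> str:
    for entries, action in access_map:
        if acl_permits(entries, src, dst):
            return action
    return "drop"

# The map as posted in the question: standard ACLs, explicit drop-all at seq 20
in_switches_std = [(net("10.200.1.0", "0.0.0.255"), None)]
allow_any = [(ANY, None)]
map90_original = [(in_switches_std, "forward"), (allow_any, "drop")]

# The map as suggested in the reply: one extended ACL permitting both directions, no seq 20
in_switches_ext = [
    (net("10.200.1.0", "0.0.0.255"), net("10.90.1.0", "0.0.0.255")),
    (net("10.90.1.0", "0.0.0.255"), net("10.200.1.0", "0.0.0.255")),
]
map90_fixed = [(in_switches_ext, "forward")]

def ping_exchange(access_map: List[Seq], pc: str, device: str) -> Tuple[str, str]:
    """Action taken on the echo request (pc -> device) and on the echo reply (device -> pc)."""
    return vacl_action(access_map, pc, device), vacl_action(access_map, device, pc)

if __name__ == "__main__":
    # Constructed hosts: the poster's PC, one device on vlan 90, one staff PC on vlan 5
    print("original:", ping_exchange(map90_original, "10.200.1.6", "10.90.1.10"))
    print("fixed:   ", ping_exchange(map90_fixed, "10.200.1.6", "10.90.1.10"))
    print("staff:   ", ping_exchange(map90_fixed, "10.5.1.20", "10.90.1.10"))
```

With the original map the request is forwarded but the reply from 10.90.1.x never matches the source-only standard ACL and falls through to the drop at sequence 20, which is why the ping fails; the extended ACL forwards both directions while the implicit deny still drops the staff VLANs.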


burkmajo10 Thu, 10/02/2008 - 06:31

Giuseppe,


Thanks for the speedy response and your suggestion worked great.


Thanks again:)


