VACL, access map

Jul 6th, 2009


I need some help creating an access list for some VLANs.

It's Cisco 3550s and 3560s.

I used to do this the following way:

I create an extended ACL

access-list 101 permit icmp any any ttl-exceeded

I create an access map

vlan access-map ACL101 10
 action drop
 match ip address 101
vlan access-map ACL101 20
 action forward

And apply it to a VLAN

vlan filter ACL101 vlan-list 100

This works great for this purpose.

But now I have a more complex scenario.

I have some IP addresses in a VLAN that should be filtered. And only port 20-23, 25, 37, 53, 80, 110 and 443 should be open for these.

For all other IPs all ports open, except the ones in the other map.

How would I set this up?

Giuseppe Larosa Tue, 07/07/2009 - 05:24

Hello Per,

You can use positive logic, using the implicit deny of both the ACL and the VACL.

Ports means TCP ports, and you need to understand on which side the well-known ports 20-23, 25 and so on are.

Let's suppose the selected hosts are servers and have to be accessed only on these services:

access-list 121 permit tcp host host1 eq 23 any

This is for permitting telnet to the server with IP address host1.

Similar lines are needed for each host/port combination, unless the IP addresses are contiguous.

Then you apply:

vlan access-map SelectedAccess
 action forward
 match ip address 121

No additional blocks are needed.


If the hosts are clients of the TCP applications, the ports have to be specified at the end of the line.

Hope to help
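
A worked configuration for the scenario in the question, added here as an example and not taken from either post. It assumes the restricted hosts are the contiguous pair 10.1.100.10 and 10.1.100.11 (placeholder addresses) acting as servers, keeps the original TTL-exceeded drop as the first clause, and names the ACLs RESTRICTED-ALLOWED and RESTRICTED-OTHER for readability.

```cisco
! Added example, not from the thread: one VACL for VLAN 100 built on the
! positive logic in the answer above. Restricted hosts are assumed to be
! the contiguous pair 10.1.100.10-11 (placeholders) acting as servers.
!
! The question's original filter, kept as the first clause.
access-list 101 permit icmp any any ttl-exceeded
!
! Services allowed on the restricted hosts. A VACL inspects every packet
! bridged or routed in the VLAN regardless of direction, so the reply
! direction (well-known port as the source) needs its own permit or the
! TCP handshake never completes. Only TCP is listed, as in the question;
! DNS over UDP 53 would be dropped by clause 30 unless added here.
ip access-list extended RESTRICTED-ALLOWED
 permit tcp any 10.1.100.10 0.0.0.1 range 20 23
 permit tcp any 10.1.100.10 0.0.0.1 eq 25
 permit tcp any 10.1.100.10 0.0.0.1 eq 37
 permit tcp any 10.1.100.10 0.0.0.1 eq 53
 permit tcp any 10.1.100.10 0.0.0.1 eq 80
 permit tcp any 10.1.100.10 0.0.0.1 eq 110
 permit tcp any 10.1.100.10 0.0.0.1 eq 443
 permit tcp 10.1.100.10 0.0.0.1 range 20 23 any
 permit tcp 10.1.100.10 0.0.0.1 eq 25 any
 permit tcp 10.1.100.10 0.0.0.1 eq 37 any
 permit tcp 10.1.100.10 0.0.0.1 eq 53 any
 permit tcp 10.1.100.10 0.0.0.1 eq 80 any
 permit tcp 10.1.100.10 0.0.0.1 eq 110 any
 permit tcp 10.1.100.10 0.0.0.1 eq 443 any
! Everything else to or from the restricted hosts; reached only after
! clause 20 has already forwarded the permitted services.
ip access-list extended RESTRICTED-OTHER
 permit ip any 10.1.100.10 0.0.0.1
 permit ip 10.1.100.10 0.0.0.1 any
! Clauses are tried in sequence order; a clause whose ACL has no matching
! permit entry is skipped, and a packet matching no clause is dropped.
! Clause 40 has no match statement, so it catches all remaining traffic
! and leaves every port open for the other hosts in the VLAN.
vlan access-map VLAN100-FILTER 10
 match ip address 101
 action drop
vlan access-map VLAN100-FILTER 20
 match ip address RESTRICTED-ALLOWED
 action forward
vlan access-map VLAN100-FILTER 30
 match ip address RESTRICTED-OTHER
 action drop
vlan access-map VLAN100-FILTER 40
 action forward
!
vlan filter VLAN100-FILTER vlan-list 100
```

Verify the result with `show vlan access-map` and `show vlan filter`, and test from a client outside the restricted pair that both an allowed port (e.g. 80) and a blocked one fail or succeed as expected before rolling it out to the other VLANs.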
