I have it as

vlan access-map Phillips-ACCESS-ACL 10

action forward

match ip address Phillips-ACCESS-ACL

vlan filter Phillips-ACCESS-ACL vlan-list 80

Hi,

I think that using VLAN ACLs is the problem here. If you use the "vlan filter" as you have indicated, all the traffic that either enters or leaves the VLAN 80 is subject to filtering through your ACL - both inbound and outbound traffic. Clearly, your ACL is made so that the clients in your network can access HTTP servers in other networks but the ACL does not accept HTTP replies when they get back to the VLAN80.

Do you have any special need to use the ACL in this way? Wouldn't it be sufficient for you to place it on your interface VLAN80? If you want to leave it this way, you will need to extend your ACL with additional lines allowing bidirectional communication for your services.

Best regards,

Peter

It was put in a long time ago by people who are now long gone. I don't know the reason they did it that way initially. However my core routers are too unstable for me to make any changes, currently. Yes plans are in the works to swap them out but this is how it's got to be until then.

Hi,

While I believe that removing that VACL and converting it instead to a classical ACL applied on a VLAN interface should be relatively harmless, you certainly know your network better so the decision is upon you. I still think that there is no need to apply this ACL as a VACL ("vlan filter") but I don't want to push you into a particular solution.

If you decide just to tweak your access list, you have to correct a mistake in it: the two lines regarding the HTTP should correctly read as:

permit tcp 10.90.80.0 0.0.0.255 10.90.0.0 0.0.255.255 eq 80

permit tcp 10.90.0.0 0.0.255.255 eq 80 10.90.80.0 0.0.0.255

Note that the second line has the "eq 80" moved into the source specification part, as it references the HTTP replies that are indeed sent from the port 80.

Best regards,

Peter