vlan access list.... I am having a problem!! help!

Answered Question
Nov 22nd, 2009

OK, here is my problem....

I have a VLAN (22) which is my security VLAN.

I have VLAN (16), which is our workstation VLAN.

Of course, I don't want all traffic from 16 going to 22. I ONLY want TWO hosts from my VLAN going to VLAN 22.

I know all about access lists, but every access list I try going into the security VLAN or coming out doesn't work.

My hosts (VLAN 16) are 172.16.100.103 and 172.16.100.100; both are 255.255.0.0.

The security VLAN is 22, the host is 172.22.1.2 and the subnet is 255.255.0.0.

What am I doing wrong? HELP!

This is the access list that I have created.....

access-list 101 permit tcp 172.16.100.103 255.255.255.255 172.22.1.2 255.255.255.255
access-list 101 permit tcp 172.16.100.100 255.255.255.255 172.22.1.2 255.255.255.255
vlan 22
access-group 101 in

Correct Answer by Nagendra Kumar ... about 7 years 2 weeks ago

Hi,

At first look, your ACL seems to be wrong. ACLs use a wildcard mask, so you need 0.0.0.0 to match a specific host.

Your ACL should be as below,

access-list 101 permit tcp 172.16.100.103 0.0.0.0 172.22.1.2 0.0.0.0
access-list 101 permit tcp 172.16.100.100 0.0.0.0 172.22.1.2 0.0.0.0

Also the direction of applying the ACL seems to be wrong.

access-list 101 permit tcp 172.16.100.103 255.255.255.255 172.22.1.2 255.255.255.255
access-list 101 permit tcp 172.16.100.100 255.255.255.255 172.22.1.2 255.255.255.255
vlan 22
access-group 101 in

The above config will check for packets coming into Vlan 22 with source 172.16.100.x and destination 172.22.1.2 (assuming you have changed the mask to 0.0.0.0). But traffic originating from VLAN 22 will have 172.22.1.2 as the source and 172.16.100.x as the destination.

So you need to modify the ACL as,

access-list 101 permit tcp 172.22.1.2 0.0.0.0 172.16.100.103 0.0.0.0
access-list 101 permit tcp 172.22.1.2 0.0.0.0 172.16.100.100 0.0.0.0

and apply the same as below,

interface Vlan22
 ip access-group 101 in

or, if you want to restrict the traffic at the originating side itself (recommended), you need the following:

access-list 101 permit tcp 172.16.100.103 0.0.0.0 172.22.1.2 0.0.0.0
access-list 101 permit tcp 172.16.100.100 0.0.0.0 172.22.1.2 0.0.0.0

interface Vlan16
 ip access-group 101 in

HTH,

Nagendra
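A complete version of both placements from the answer above, as an added example that is not part of the original thread. It assumes the two workstations 172.16.100.100 and 172.16.100.103 and the security host 172.22.1.2 from the question, and that the Vlan22 SVI carries the gateway address 172.22.0.1 with a /16 mask (the address the poster refers to later in the thread); the ACL names are my own. The comments also spell out why the ACL in the question did not restrict anything.

```cisco
! Added example, not from the thread. Assumed: workstations 172.16.100.100 and
! 172.16.100.103, security host 172.22.1.2, gateway 172.22.0.1/16 on Vlan22.
!
! In an IOS ACL the field after each address is a WILDCARD mask, not a subnet
! mask: 0 bits must match, 1 bits are ignored. A wildcard of 255.255.255.255
! ignores every bit, so
!   access-list 101 permit tcp 172.16.100.103 255.255.255.255 172.22.1.2 255.255.255.255
! matches every TCP packet; it is the same as "permit tcp any any".
! "host X" is shorthand for "X 0.0.0.0".
!
! Also, "vlan 22" enters VLAN database mode, which has no access-group
! command; an interface ACL goes under "interface Vlan22" as "ip access-group".
!
! ---- Placement A: filter traffic being routed INTO the security VLAN ----
ip access-list extended TO_SECURITY_VLAN
 remark only the two workstations may reach the security host
 permit ip host 172.16.100.100 host 172.22.1.2
 permit ip host 172.16.100.103 host 172.22.1.2
 deny   ip any any log
!
! "out" on Vlan22 sees only packets the switch routes toward VLAN 22, so the
! rest of VLAN 16's traffic (VLAN 17 servers, default route) is untouched.
! Replies from 172.22.1.2 arrive inbound on the SVI, where no ACL is applied,
! so the two permitted sessions work in both directions.
interface Vlan22
 description Security_System
 ip address 172.22.0.1 255.255.0.0
 ip access-group TO_SECURITY_VLAN out
!
! ---- Placement B: filter at the source, inbound on the workstation SVI ----
! Every interface ACL ends with an implicit "deny ip any any". Without the
! final permit below, VLAN 16 would lose access to every other network,
! not just to VLAN 22.
ip access-list extended WORKSTATIONS_IN
 permit ip host 172.16.100.100 172.22.0.0 0.0.255.255
 permit ip host 172.16.100.103 172.22.0.0 0.0.255.255
 deny   ip any 172.22.0.0 0.0.255.255 log
 permit ip any any
!
interface Vlan16
 ip access-group WORKSTATIONS_IN in
!
! Verify that hits land on the permit entries, not on the deny:
!   show ip access-lists TO_SECURITY_VLAN
!   show ip interface vlan 22 | include access list
```

Use placement A or placement B, not both. `ip` rather than `tcp` is used so that ping from the two allowed hosts works; narrow it to the specific TCP ports once the application's ports are known. A router ACL on an SVI only sees traffic that the switch routes through that SVI: it does nothing while Vlan22 has no IP address, and it never filters traffic between two ports inside the same VLAN, which needs a VLAN map instead.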

Correct Answer
Nagendra Kumar ... Sun, 11/22/2009 - 21:22


cisco_himg Mon, 11/23/2009 - 06:01

Hey there,

Thanks for your reply, but that still didn't work. I completed the VLAN 22 access-group in just like you told me, but I still can't get traffic. Here is a copy of my config. If I take the gateway off VLAN 22, then no one can get to it, but if I leave the 172.22.0.1 on the VLAN as the gateway, then everyone can get to it. That's what I don't want. That's our security VLAN. I only want TWO hosts to be able to get to the VLAN 22 host and that's it.

switch 1 provision ws-c3750g-12s
switch 2 provision ws-c3750g-48ts
switch 3 provision ws-c3750g-48ts
ip subnet-zero
ip routing
ip cef load-sharing algorithm universal 89711B15
ip name-server 172.17.2.2
!
cluster enable MDF_Cluster 0
!
mls qos map cos-dscp 0 8 16 26 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2  1
mls qos srr-queue input cos-map queue 1 threshold 3  0
mls qos srr-queue input cos-map queue 2 threshold 1  2
mls qos srr-queue input cos-map queue 2 threshold 2  4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3  3 5
mls qos srr-queue input dscp-map queue 1 threshold 2  9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3  0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3  32
mls qos srr-queue input dscp-map queue 2 threshold 1  16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2  33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2  49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2  57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3  24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3  40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3  5
mls qos srr-queue output cos-map queue 2 threshold 3  3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3  2 4
mls qos srr-queue output cos-map queue 4 threshold 2  1
mls qos srr-queue output cos-map queue 4 threshold 3  0
mls qos srr-queue output dscp-map queue 1 threshold 3  40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3  24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3  48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3  56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3  16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3  32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1  8
mls qos srr-queue output dscp-map queue 4 threshold 2  9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3  0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
!
vlan access-map VLAN_50_Restrict_Map 10
action drop
match ip address VLAN_17_Restrict_ACL
vlan access-map VLAN_50_Restrict_Map 20
action forward
vlan access-map VLAN_17_Restrict_Map 10
action drop
match ip address VLAN_50_Restrict_ACL
vlan access-map VLAN_17_Restrict_Map 20
action forward
vlan internal allocation policy ascending
!
class-map match-any VoIP
  match ip dscp ef
!
!
policy-map VoIP_Qos
  class VoIP
    trust dscp
!
!
!
interface Port-channel1
description Layer 2 Etherchannel trunk to IDF1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
!
interface Port-channel2
description Layer 2 Etherchannel trunk to IDF2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40,47
switchport mode trunk
!
interface Port-channel3
description Layer 2 Etherchannel trunk to IDF3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
!
interface Port-channel4
description Layer 2 Etherchannel trunk to IDF4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40,48
switchport mode trunk
!
interface GigabitEthernet1/0/1
description Member Layer 2 Etherchannel - IDF1 Gig1/0/49
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/0/2
description Member Layer 2 Etherchannel - IDF1 Gig1/0/50
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/0/3
description Member Layer 2 Etherchanell - IDF2 Gig1/0/49
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40,47
switchport mode trunk
channel-group 2 mode active
!
interface GigabitEthernet1/0/4
description Member Layer 2 Etherchanell - IDF2 Gig1/0/50
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40,47
switchport mode trunk
channel-group 2 mode active
!
interface GigabitEthernet1/0/5
description Member Layer 2 Etherchannel - IDF3 - Gig1/0/49
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
channel-group 3 mode active
!
interface GigabitEthernet1/0/6
description Member Layer 2 Etherchannel - IDF3 - Gig1/0/50
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
channel-group 3 mode active
!
interface GigabitEthernet1/0/7
description Member Layer 2 Etherchannel - IDF4 Gig1/0/49
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40,48
switchport mode trunk
channel-group 4 mode active
!
interface GigabitEthernet1/0/8
description Member Layer 2 Etherchannel - IDF4 Gig1/0/50
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40,48
switchport mode trunk
channel-group 4 mode active
!
interface GigabitEthernet1/0/9
description Trunk to IDF5 - Gig1/0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
!
interface GigabitEthernet1/0/10
description Trunk to IDF6 - Gig1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/11
description Trunk to IDF7 - Gig1/0/49
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,21,50-52,54
switchport mode trunk
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet2/0/1
description Metro to HIMG 20th Street
no switchport
ip address 172.31.0.1 255.255.255.252
service-policy input VoIP_Qos
duplex full
speed 100
!
interface GigabitEthernet2/0/2
no switchport
ip address 172.31.0.18 255.255.255.252
service-policy input VoIP_Qos
duplex full
!
interface GigabitEthernet2/0/3
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/4
description mn-trans-25
switchport access vlan 16
spanning-tree portfast
!
interface GigabitEthernet2/0/5
description Ovation APP NIC 1
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/6
description Ovation APP NIC 2
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/7
description Ovation VQ
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/8
description Ovation DB
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/9
description AIX
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/10
description AIX Imaging
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/11
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/12
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/13
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/14
description Huntingt-CRLl06
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/15
description Intergy Server
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/16
description Intergy Server
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/17
description MN-IS-TS8
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/18
description CQ-Faxserver
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/19
description HIMGNET
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/20
description CQ-MTSERVER
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/21
switchport access vlan 16
spanning-tree portfast
!
interface GigabitEthernet2/0/22
description Fileserver1
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/23
description PAserver
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/24
description Solomonsvr
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/25
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/26
description Solomonsvr2
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/27
description INS_WEB_SERVER
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/28
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/29
description MN-IS-TS2
switchport access vlan 16
spanning-tree portfast
!
interface GigabitEthernet2/0/30
description CQ-Wordserver
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/31
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/32
description MN-IS-TS4
switchport access vlan 16
spanning-tree portfast
!
interface GigabitEthernet2/0/33
switchport access vlan 23
duplex full
speed 100
spanning-tree portfast
!
interface GigabitEthernet2/0/34
switchport access vlan 23
duplex full
speed 100
spanning-tree portfast
!
interface GigabitEthernet2/0/35
switchport access vlan 23
duplex full
speed 100
spanning-tree portfast
!
interface GigabitEthernet2/0/36
description AVAYA01
switchport access vlan 23
duplex full
speed 100
spanning-tree portfast
!
interface GigabitEthernet2/0/37
switchport access vlan 23
duplex full
speed 100
spanning-tree portfast
!
interface GigabitEthernet2/0/38
switchport access vlan 23
duplex full
speed 100
spanning-tree portfast
!
interface GigabitEthernet2/0/39
switchport access vlan 24
spanning-tree portfast
!
interface GigabitEthernet2/0/40
switchport access vlan 24
spanning-tree portfast
!
interface GigabitEthernet2/0/41
switchport access vlan 24
spanning-tree portfast
!
interface GigabitEthernet2/0/42
description MN-IS-TS3
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/43
description MN-IS-TS1
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/44
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/45
description Nurse Call Application Server
switchport access vlan 18
spanning-tree portfast
!
interface GigabitEthernet2/0/46
description Nurse Call Web Server
switchport access vlan 18
spanning-tree portfast
!
interface GigabitEthernet2/0/47
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/48
description PACS
switchport trunk encapsulation dot1q
switchport trunk native vlan 21
switchport mode trunk
duplex full
!
interface GigabitEthernet2/0/49
!
interface GigabitEthernet2/0/50
!
interface GigabitEthernet2/0/51
!
interface GigabitEthernet2/0/52
!
interface GigabitEthernet3/0/1
switchport access vlan 22
spanning-tree portfast
!
interface GigabitEthernet3/0/2
switchport access vlan 22
spanning-tree portfast
!
interface GigabitEthernet3/0/3
switchport access vlan 22
spanning-tree portfast
!
interface GigabitEthernet3/0/4
switchport access vlan 22
spanning-tree portfast
!
interface GigabitEthernet3/0/5
description MedPark Security DVR
switchport access vlan 50
spanning-tree portfast
!
interface GigabitEthernet3/0/6
switchport access vlan 22
spanning-tree portfast
!
interface GigabitEthernet3/0/7
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/8
description INT-APP2
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/9
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/10
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/11
description IPSTATION
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/12
description Security System
switchport access vlan 22
spanning-tree portfast
!
interface GigabitEthernet3/0/13
description MDF-WAP1
switchport trunk encapsulation dot1q
switchport trunk native vlan 21
switchport mode trunk
switchport nonegotiate
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape  10  0  0  0
queue-set 2
mls qos trust cos
macro description cisco-wireless
auto qos voip trust
spanning-tree bpduguard enable
!
interface GigabitEthernet3/0/14
!
interface GigabitEthernet3/0/15
description TRAININGSERVER
switchport access vlan 17
!
interface GigabitEthernet3/0/16
description HP-SCAN-13
switchport access vlan 17
!
interface GigabitEthernet3/0/17
switchport access vlan 17
!
interface GigabitEthernet3/0/18
description Trunk Link to ASA switchport 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast disable
!
interface GigabitEthernet3/0/19
switchport access vlan 50
spanning-tree portfast disable
!
interface GigabitEthernet3/0/20
switchport access vlan 51
spanning-tree portfast disable
!
interface GigabitEthernet3/0/21
switchport access vlan 52
spanning-tree portfast disable
!
interface GigabitEthernet3/0/22
description Link to Inside Interface on Concentrator
switchport access vlan 17
spanning-tree portfast disable
!
interface GigabitEthernet3/0/23
switchport access vlan 51
!
interface GigabitEthernet3/0/24
switchport access vlan 49
!
interface GigabitEthernet3/0/25
switchport access vlan 49
!
interface GigabitEthernet3/0/26
description Cafe Firewall
switchport access vlan 48
!
interface GigabitEthernet3/0/27
description MN-IS-FSDC2
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/28
description MN-IS-NAS
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/29
description MN-IS-DC1
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/30
description MN-IS-TS5
switchport access vlan 16
spanning-tree portfast
!
interface GigabitEthernet3/0/31
switchport access vlan 17
!
interface GigabitEthernet3/0/32
description INT-APP1
switchport access vlan 17
!
interface GigabitEthernet3/0/33
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/34
description MN-IS-TS7
switchport access vlan 16
!
interface GigabitEthernet3/0/35
description CITRIXPROVISION
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/36
!
interface GigabitEthernet3/0/37
switchport access vlan 17
!
interface GigabitEthernet3/0/38
!
interface GigabitEthernet3/0/39
description FAXSERVER
switchport access vlan 17
!
interface GigabitEthernet3/0/40
switchport access vlan 16
!
interface GigabitEthernet3/0/41
!
interface GigabitEthernet3/0/42
!
interface GigabitEthernet3/0/43
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/44
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/45
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/46
description LAN PORT BARRACUDA
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/47
switchport access vlan 25
spanning-tree portfast
!
interface GigabitEthernet3/0/48
switchport access vlan 16
spanning-tree portfast
!
interface GigabitEthernet3/0/49
!
interface GigabitEthernet3/0/50
!
interface GigabitEthernet3/0/51
!
interface GigabitEthernet3/0/52
!
interface Vlan1
no ip address
shutdown
!
interface Vlan15
no ip address
!
interface Vlan16
description VLAN for Workstations
ip address 172.16.1.140 255.255.0.0 secondary
ip address 172.16.0.1 255.255.0.0
ip helper-address 172.17.2.2
ip helper-address 172.17.2.60
!
interface Vlan17
description Data VLAN
ip address 172.17.0.1 255.255.0.0
ip directed-broadcast
!
interface Vlan18
description Nurse Call VLAN
ip address 172.18.0.1 255.255.0.0
!
interface Vlan20
description Secure Wireless VLAN
ip address 172.20.0.1 255.255.0.0
ip helper-address 172.17.2.2
ip helper-address 172.17.2.60
!
interface Vlan21
description Management VLAN
ip address 172.21.0.1 255.255.255.0
!
interface Vlan22
description Security_System
no ip address
!
interface Vlan23
description Avaya_Data
ip address 172.23.0.1 255.255.0.0
!
interface Vlan24
description Avaya_Voice
ip address 172.24.0.1 255.255.0.0
!
interface Vlan25
no ip address
!
interface Vlan28
no ip address
!
interface Vlan49
no ip address
!
interface Vlan50
description Pharmacy
no ip address
!
interface Vlan51
no ip address
!
ip default-gateway 172.17.0.2
ip classless
ip route 0.0.0.0 0.0.0.0 172.17.0.2
ip route 10.0.2.0 255.255.255.0 172.31.0.2
ip route 10.10.30.16 255.255.255.255 172.17.0.5
ip route 10.10.35.0 255.255.255.0 172.17.0.5
ip route 10.10.40.0 255.255.255.0 172.17.0.5
ip route 63.145.63.64 255.255.255.192 172.17.0.5
ip route 63.147.62.0 255.255.255.128 172.17.0.5
ip route 172.30.0.0 255.255.0.0 172.17.0.5
ip route 172.30.1.128 255.255.255.240 172.17.0.2
ip route 172.40.3.0 255.255.255.224 172.17.0.2
ip route 172.40.3.160 255.255.255.224 172.17.0.2
ip route 192.68.49.0 255.255.255.0 172.17.0.5
ip http server
!
!
ip access-list extended VLAN_17_Restrict_ACL
permit ip 172.17.0.0 0.0.255.255 any
ip access-list extended VLAN_50_Restrict_ACL
permit ip 172.50.0.0 0.0.255.255 any
!
access-list 111 permit ip any any
route-map TEMP_Websense_Test permit 10
match ip address 111
set ip next-hop 172.17.0.8
!
!
control-plane
!
!
!
ntp clock-period 36028763
ntp server 198.82.1.201 prefer
ntp server 198.82.1.203
ntp server 198.82.1.202
!
end
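Two things in the posted config bear directly on the question. interface Vlan22 has `no ip address`, so the switch is not routing anything into or out of VLAN 22, and an access-group on that SVI can never match a packet. And the two vlan access-maps that are already defined (VLAN_17_Restrict_Map and VLAN_50_Restrict_Map) are not followed by any `vlan filter` line, so they are not bound to any VLAN and have no effect. Since the thread title asks about a VLAN access list, the following is a VLAN map (VACL) for VLAN 22, added here as an example; it is not the poster's config and not part of the original thread. It assumes the same hosts as the question, that the devices on the other VLAN 22 ports may talk to each other inside the VLAN, and that the gateway 172.22.0.1/16 is configured on Vlan22 so that the two workstations can be routed in; the ACL and map names are my own.

```cisco
! Added example, not the poster's config. Assumed: workstations 172.16.100.100
! and 172.16.100.103, security host 172.22.1.2, gateway 172.22.0.1/16 on Vlan22.
!
! A VLAN map has no direction. It is evaluated against every packet bridged
! within VLAN 22 and every packet routed into or out of it, so each allowed
! flow must be listed in both directions. A "permit" entry in the ACL only
! means "this packet matches the clause"; the clause's action decides whether
! the packet is forwarded or dropped.
ip access-list extended SEC_VLAN_ALLOWED
 remark the two workstations to the security host, and its replies back
 permit ip host 172.16.100.100 host 172.22.1.2
 permit ip host 172.16.100.103 host 172.22.1.2
 permit ip host 172.22.1.2 host 172.16.100.100
 permit ip host 172.22.1.2 host 172.16.100.103
 remark devices inside the security VLAN may talk to each other (assumption)
 permit ip 172.22.0.0 0.0.255.255 172.22.0.0 0.0.255.255
 permit ip 172.22.0.0 0.0.255.255 host 255.255.255.255
!
ip access-list extended ANY_IP
 permit ip any any
!
vlan access-map SEC_VLAN_MAP 10
 match ip address SEC_VLAN_ALLOWED
 action forward
vlan access-map SEC_VLAN_MAP 20
 match ip address ANY_IP
 action drop
!
! A map does nothing until it is bound to a VLAN. This is the step the
! VLAN_17_Restrict_Map / VLAN_50_Restrict_Map entries in the posted config
! are missing.
vlan filter SEC_VLAN_MAP vlan-list 22
!
! The SVI needs an address, otherwise no VLAN 16 traffic is routed in at all.
interface Vlan22
 description Security_System
 ip address 172.22.0.1 255.255.0.0
!
! Verify the binding and the map:
!   show vlan filter
!   show vlan access-map SEC_VLAN_MAP
```

Only `match ip address` clauses are used, so non-IP frames such as ARP match no clause and are forwarded by default; the hosts can still resolve each other's MAC addresses. Clause 20 makes the drop of every other IP packet explicit rather than relying on the map's default. The `255.255.255.255` entry keeps IP broadcast inside VLAN 22 working (DHCP, device discovery); remove it if the security devices are statically addressed. Unlike a router ACL on the SVI, the VLAN map also governs traffic between two ports inside VLAN 22, which the router ACL never sees.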

Nagendra Kumar ... Mon, 11/23/2009 - 07:26

Hi,

Can you post the updated config? I am not seeing any ACL config related to VLAN 22 in the posted config.

Regards,

Nagendra

cisco_himg Mon, 11/23/2009 - 08:39

Here you go. I appreciate your help.

no aaa new-model
clock timezone est -5
clock summer-time est recurring
switch 1 provision ws-c3750g-12s
switch 2 provision ws-c3750g-48ts
switch 3 provision ws-c3750g-48ts
ip subnet-zero
ip routing
ip cef load-sharing algorithm universal 89711B15
ip host burke 172.16.4.65
ip name-server 172.17.2.2
!
cluster enable MDF_Cluster 0
!
mls qos map cos-dscp 0 8 16 26 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2  1
mls qos srr-queue input cos-map queue 1 threshold 3  0
mls qos srr-queue input cos-map queue 2 threshold 1  2
mls qos srr-queue input cos-map queue 2 threshold 2  4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3  3 5
mls qos srr-queue input dscp-map queue 1 threshold 2  9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3  0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3  32
mls qos srr-queue input dscp-map queue 2 threshold 1  16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2  33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2  49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2  57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3  24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3  40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3  5
mls qos srr-queue output cos-map queue 2 threshold 3  3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3  2 4
mls qos srr-queue output cos-map queue 4 threshold 2  1
mls qos srr-queue output cos-map queue 4 threshold 3  0
mls qos srr-queue output dscp-map queue 1 threshold 3  40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3  24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3  48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3  56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3  16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3  32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1  8
mls qos srr-queue output dscp-map queue 4 threshold 2  9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3  0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
!
vlan access-map VLAN_50_Restrict_Map 10
action drop
match ip address VLAN_17_Restrict_ACL
vlan access-map VLAN_50_Restrict_Map 20
action forward
vlan access-map VLAN_17_Restrict_Map 10
action drop
match ip address VLAN_50_Restrict_ACL
vlan access-map VLAN_17_Restrict_Map 20
action forward
vlan internal allocation policy ascending
!
class-map match-any VoIP
  match ip dscp ef
!
!
policy-map VoIP_Qos
  class VoIP
    trust dscp
!
!
!
interface Port-channel1
description Layer 2 Etherchannel trunk to IDF1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
!
interface Port-channel2
description Layer 2 Etherchannel trunk to IDF2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40,47
switchport mode trunk
!
interface Port-channel3
description Layer 2 Etherchannel trunk to IDF3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
!
interface Port-channel4
description Layer 2 Etherchannel trunk to IDF4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40,48
switchport mode trunk
!
interface GigabitEthernet1/0/1
description Member Layer 2 Etherchannel - IDF1 Gig1/0/49
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/0/2
description Member Layer 2 Etherchannel - IDF1 Gig1/0/50
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/0/3
description Member Layer 2 Etherchanell - IDF2 Gig1/0/49
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40,47
switchport mode trunk
channel-group 2 mode active
!
interface GigabitEthernet1/0/4
description Member Layer 2 Etherchanell - IDF2 Gig1/0/50
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40,47
switchport mode trunk
channel-group 2 mode active
!
interface GigabitEthernet1/0/5
description Member Layer 2 Etherchannel - IDF3 - Gig1/0/49
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
channel-group 3 mode active
!
interface GigabitEthernet1/0/6
description Member Layer 2 Etherchannel - IDF3 - Gig1/0/50
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
channel-group 3 mode active
!
interface GigabitEthernet1/0/7
description Member Layer 2 Etherchannel - IDF4 Gig1/0/49
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40,48
switchport mode trunk
channel-group 4 mode active
!
interface GigabitEthernet1/0/8
description Member Layer 2 Etherchannel - IDF4 Gig1/0/50
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40,48
switchport mode trunk
channel-group 4 mode active
!
interface GigabitEthernet1/0/9
description Trunk to IDF5 - Gig1/0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,18,20,21,40
switchport mode trunk
!
interface GigabitEthernet1/0/10
description Trunk to IDF6 - Gig1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/11
description Trunk to IDF7 - Gig1/0/49
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,21,50-52,54
switchport mode trunk
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet2/0/1
description Metro to HIMG 20th Street
no switchport
ip address 172.31.0.1 255.255.255.252
service-policy input VoIP_Qos
duplex full
speed 100
!
interface GigabitEthernet2/0/2
no switchport
ip address 172.31.0.18 255.255.255.252
service-policy input VoIP_Qos
duplex full
!
interface GigabitEthernet2/0/3
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/4
description mn-trans-25
switchport access vlan 16
spanning-tree portfast
!
interface GigabitEthernet2/0/5
description Ovation APP NIC 1
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/6
description Ovation APP NIC 2
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/7
description Ovation VQ
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/8
description Ovation DB
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/9
description AIX
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/10
description AIX Imaging
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/11
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/12
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/13
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/14
description Huntingt-CRLl06
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/15
description Intergy Server
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/16
description Intergy Server
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/17
description MN-IS-TS8
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/18
description CQ-Faxserver
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/19
description HIMGNET
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/20
description CQ-MTSERVER
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/21
switchport access vlan 16
spanning-tree portfast
!
interface GigabitEthernet2/0/22
description Fileserver1
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/23
description PAserver
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/24
description Solomonsvr
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/25
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/26
description Solomonsvr2
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/27
description INS_WEB_SERVER
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/28
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/29
description MN-IS-TS2
switchport access vlan 16
spanning-tree portfast
!
interface GigabitEthernet2/0/30
description CQ-Wordserver
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/31
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/32
description MN-IS-TS4
switchport access vlan 16
spanning-tree portfast
!
interface GigabitEthernet2/0/33
switchport access vlan 23
duplex full
speed 100
spanning-tree portfast
!
interface GigabitEthernet2/0/34
switchport access vlan 23
duplex full
speed 100
spanning-tree portfast
!
interface GigabitEthernet2/0/35
switchport access vlan 23
duplex full
speed 100
spanning-tree portfast
!
interface GigabitEthernet2/0/36
description AVAYA01
switchport access vlan 23
duplex full
speed 100
spanning-tree portfast
!
interface GigabitEthernet2/0/37
switchport access vlan 23
duplex full
speed 100
spanning-tree portfast
!
interface GigabitEthernet2/0/38
switchport access vlan 23
duplex full
speed 100
spanning-tree portfast
!
interface GigabitEthernet2/0/39
switchport access vlan 24
spanning-tree portfast
!
interface GigabitEthernet2/0/40
switchport access vlan 24
spanning-tree portfast
!
interface GigabitEthernet2/0/41
switchport access vlan 24
spanning-tree portfast
!
interface GigabitEthernet2/0/42
description MN-IS-TS3
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/43
description MN-IS-TS1
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/44
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/45
description Nurse Call Application Server
switchport access vlan 18
spanning-tree portfast
!
interface GigabitEthernet2/0/46
description Nurse Call Web Server
switchport access vlan 18
spanning-tree portfast
!
interface GigabitEthernet2/0/47
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet2/0/48
description PACS
switchport trunk encapsulation dot1q
switchport trunk native vlan 21
switchport mode trunk
duplex full
!
interface GigabitEthernet2/0/49
!
interface GigabitEthernet2/0/50
!
interface GigabitEthernet2/0/51
!
interface GigabitEthernet2/0/52
!
interface GigabitEthernet3/0/1
switchport access vlan 22
spanning-tree portfast
!
interface GigabitEthernet3/0/2
switchport access vlan 22
spanning-tree portfast
!
interface GigabitEthernet3/0/3
switchport access vlan 22
spanning-tree portfast
!
interface GigabitEthernet3/0/4
switchport access vlan 22
spanning-tree portfast
!
interface GigabitEthernet3/0/5
description MedPark Security DVR
switchport access vlan 50
spanning-tree portfast
!
interface GigabitEthernet3/0/6
switchport access vlan 22
spanning-tree portfast
!
interface GigabitEthernet3/0/7
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/8
description INT-APP2
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/9
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/10
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/11
description IPSTATION
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/12
description Security System
switchport access vlan 22
spanning-tree portfast
!
interface GigabitEthernet3/0/13
description MDF-WAP1
switchport trunk encapsulation dot1q
switchport trunk native vlan 21
switchport mode trunk
switchport nonegotiate
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape  10  0  0  0
queue-set 2
mls qos trust cos
macro description cisco-wireless
auto qos voip trust
spanning-tree bpduguard enable
!
interface GigabitEthernet3/0/14
!
interface GigabitEthernet3/0/15
description TRAININGSERVER
switchport access vlan 17
!
interface GigabitEthernet3/0/16
description HP-SCAN-13
switchport access vlan 17
!
interface GigabitEthernet3/0/17
switchport access vlan 17
!
interface GigabitEthernet3/0/18
description Trunk Link to ASA switchport 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast disable
!
interface GigabitEthernet3/0/19
switchport access vlan 50
spanning-tree portfast disable
!
interface GigabitEthernet3/0/20
switchport access vlan 51
spanning-tree portfast disable
!
interface GigabitEthernet3/0/21
switchport access vlan 52
spanning-tree portfast disable
!
interface GigabitEthernet3/0/22
description Link to Inside Interface on Concentrator
switchport access vlan 17
spanning-tree portfast disable
!
interface GigabitEthernet3/0/23
switchport access vlan 51
!
interface GigabitEthernet3/0/24
switchport access vlan 49
!
interface GigabitEthernet3/0/25
switchport access vlan 49
!
interface GigabitEthernet3/0/26
description Cafe Firewall
switchport access vlan 48
!
interface GigabitEthernet3/0/27
description MN-IS-FSDC2
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/28
description MN-IS-NAS
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/29
description MN-IS-DC1
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/30
description MN-IS-TS5
switchport access vlan 16
spanning-tree portfast
!
interface GigabitEthernet3/0/31
switchport access vlan 17
!
interface GigabitEthernet3/0/32
description INT-APP1
switchport access vlan 17
!
interface GigabitEthernet3/0/33
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/34
description MN-IS-TS7
switchport access vlan 16
!
interface GigabitEthernet3/0/35
description CITRIXPROVISION
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/36
!
interface GigabitEthernet3/0/37
switchport access vlan 17
!
interface GigabitEthernet3/0/38
!
interface GigabitEthernet3/0/39
description FAXSERVER
switchport access vlan 17
!
interface GigabitEthernet3/0/40
switchport access vlan 16
!
interface GigabitEthernet3/0/41
!
interface GigabitEthernet3/0/42
!
interface GigabitEthernet3/0/43
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/44
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/45
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/46
description LAN PORT BARRACUDA
switchport access vlan 17
spanning-tree portfast
!
interface GigabitEthernet3/0/47
switchport access vlan 25
spanning-tree portfast
!
interface GigabitEthernet3/0/48
switchport access vlan 16
spanning-tree portfast
!
interface GigabitEthernet3/0/49
!
interface GigabitEthernet3/0/50
!
interface GigabitEthernet3/0/51
!
interface GigabitEthernet3/0/52
!
interface Vlan1
no ip address
shutdown
!
interface Vlan15
no ip address
!
interface Vlan16
description VLAN for Workstations
ip address 172.16.1.140 255.255.0.0 secondary
ip address 172.16.0.1 255.255.0.0
ip helper-address 172.17.2.2
ip helper-address 172.17.2.60
!
interface Vlan17
description Data VLAN
ip address 172.17.0.1 255.255.0.0
ip directed-broadcast
!
interface Vlan18
description Nurse Call VLAN
ip address 172.18.0.1 255.255.0.0
!
interface Vlan20
description Secure Wireless VLAN
ip address 172.20.0.1 255.255.0.0
ip helper-address 172.17.2.2
ip helper-address 172.17.2.60
!
interface Vlan21
description Management VLAN
ip address 172.21.0.1 255.255.255.0
!
interface Vlan22
description Security_System
ip address 172.22.0.1 255.255.0.0
ip access-group 122 in
!
interface Vlan23
description Avaya_Data
ip address 172.23.0.1 255.255.0.0
!
interface Vlan24
description Avaya_Voice
ip address 172.24.0.1 255.255.0.0
!
interface Vlan25
no ip address
!
interface Vlan28
no ip address
!
interface Vlan49
no ip address
!
interface Vlan50
description Pharmacy
no ip address
!
interface Vlan51
no ip address
!
ip default-gateway 172.17.0.2
ip classless
ip route 0.0.0.0 0.0.0.0 172.17.0.2
ip route 10.0.2.0 255.255.255.0 172.31.0.2
ip route 10.10.30.16 255.255.255.255 172.17.0.5
ip route 10.10.35.0 255.255.255.0 172.17.0.5
ip route 10.10.40.0 255.255.255.0 172.17.0.5
ip route 63.145.63.64 255.255.255.192 172.17.0.5
ip route 63.147.62.0 255.255.255.128 172.17.0.5
ip route 172.30.0.0 255.255.0.0 172.17.0.5
ip route 172.30.1.128 255.255.255.240 172.17.0.2
ip route 172.40.3.0 255.255.255.224 172.17.0.2
ip route 172.40.3.160 255.255.255.224 172.17.0.2
ip route 192.68.49.0 255.255.255.0 172.17.0.5
ip http server
!
!
ip access-list extended VLAN_17_Restrict_ACL
permit ip 172.17.0.0 0.0.255.255 any
ip access-list extended VLAN_50_Restrict_ACL
permit ip 172.50.0.0 0.0.255.255 any
!
access-list 111 permit ip any any
access-list 122 permit tcp host 172.22.1.2 host 172.16.100.103
access-list 122 permit tcp host 172.22.1.2 host 172.16.100.100
route-map TEMP_Websense_Test permit 10
match ip address 111
set ip next-hop 172.17.0.8
!
snmp-server community avaya RO
snmp-server community [email protected] RO
snmp-server community himg-snmp RO
snmp-server community !neTtdw1 RW
snmp-server community [email protected] RW
!
control-plane
!
!
line con 0
line vty 0 4
password 7 134419173F18003D7A
login
length 0
line vty 5 15
password 7 134419173F18003D7A
login

cisco_himg Mon, 11/23/2009 - 08:44

Hey, it's working now?!

I just tested by ping before and I couldn't get there, but if I remote in there using DameWare, I am able to access. I had a brain freeze. ICMP isn't TCP bound... sorry for that... I am in thanks to your configuration... thank you!!!!!!
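The posted config applies `access-list 122` with `ip access-group 122 in` on `interface Vlan22`, and both ACEs are `permit tcp` from `host 172.22.1.2` to the two workstations; everything else falls to the implicit deny at the end of the list, which is exactly why ping (ICMP) failed while the DameWare (TCP) session worked. The following is an added example, not code from the thread or from Cisco: a small Python model of IOS extended-ACL evaluation (wildcard-mask matching, first match wins, implicit deny). It is run against ACL 122 as posted and against the poster's first attempt, where subnet masks (255.255.255.255) sat in the wildcard position and therefore matched every address. Port qualifiers are not modelled, since none appear in the thread; the sample flows (e.g. 172.16.100.50, 10.1.2.3) are constructed for illustration.

```python
# Added example (not from the thread): a model of how IOS evaluates a numbered
# extended ACL, used to show why ACL 122 passes TCP but drops ICMP, and why the
# original ACL with subnet masks in the wildcard position matched far too much.
import ipaddress
from dataclasses import dataclass


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    0.0.0.0 therefore matches exactly one host; 255.255.255.255 matches any."""
    wc = _to_int(wildcard)
    return (_to_int(addr) | wc) == (_to_int(base) | wc)


@dataclass(frozen=True)
class Ace:
    action: str   # 'permit' or 'deny'
    proto: str    # 'ip', 'tcp', 'udp' or 'icmp'
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def _parse_addr(tokens: list) -> tuple:
    """Consume one address spec: 'host A', 'any', or 'A WILDCARD'."""
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    return tokens[0], tokens[1], tokens[2:]


def parse_acl(lines: list) -> list:
    """Parse 'access-list N permit|deny PROTO SRC DST' lines into ACEs.
    Port qualifiers (eq/gt/...) are not modelled; none appear in the thread."""
    acl = []
    for line in lines:
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, src_wc, rest = _parse_addr(t[4:])
        dst, dst_wc, _ = _parse_addr(rest)
        acl.append(Ace(action, proto, src, src_wc, dst, dst_wc))
    return acl


def evaluate(acl: list, proto: str, src: str, dst: str) -> str:
    """First matching ACE wins; a packet matching no ACE hits the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


# ACL 122 exactly as it appears in the posted config. It is applied inbound on
# interface Vlan22, so the packets it sees enter the SVI from VLAN 22 hosts,
# i.e. they are sourced by 172.22.1.2.
ACL_122 = parse_acl([
    "access-list 122 permit tcp host 172.22.1.2 host 172.16.100.103",
    "access-list 122 permit tcp host 172.22.1.2 host 172.16.100.100",
])

# The poster's first attempt, with subnet masks where wildcards belong.
# Under wildcard semantics 255.255.255.255 means 'ignore every bit'.
ACL_101_ORIGINAL = parse_acl([
    "access-list 101 permit tcp 172.16.100.103 255.255.255.255 172.22.1.2 255.255.255.255",
    "access-list 101 permit tcp 172.16.100.100 255.255.255.255 172.22.1.2 255.255.255.255",
])


def acl122_results() -> dict:
    """Outcomes on the corrected ACL for the flows discussed in the thread
    (172.16.100.50 is a constructed, unlisted workstation address)."""
    return {
        "dameware_tcp_to_103": evaluate(ACL_122, "tcp", "172.22.1.2", "172.16.100.103"),
        "ping_icmp_to_103": evaluate(ACL_122, "icmp", "172.22.1.2", "172.16.100.103"),
        "tcp_to_other_workstation": evaluate(ACL_122, "tcp", "172.22.1.2", "172.16.100.50"),
    }


def acl101_original_results() -> dict:
    """The subnet-mask mistake: any TCP source to any TCP destination is permitted
    (the unrelated flow uses constructed addresses)."""
    return {
        "unrelated_tcp_flow": evaluate(ACL_101_ORIGINAL, "tcp", "172.16.50.9", "10.1.2.3"),
        "intended_tcp_flow": evaluate(ACL_101_ORIGINAL, "tcp", "172.16.100.103", "172.22.1.2"),
    }


if __name__ == "__main__":
    print(acl122_results())
    print(acl101_original_results())
```

Running it shows ACL 122 permitting the TCP flow to 172.16.100.103 and denying the ICMP echo to the same host, which matches what the poster observed; if ping from the security host is actually wanted, it needs its own `permit icmp` ACE rather than a change to the TCP lines. The second function shows why the first attempt was not just wrong but wide open for TCP: with 255.255.255.255 in the wildcard position every source and destination matches, so the list reduced to `permit tcp any any`.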