Dec 23rd, 2009
I have two Vlans configured in our 4507 switch (IOS). Vlan 1 as company vlan and Vlan 2 as vendor vlan. I would like to configure access list(s) to accomplish the following rules:

Vlan 1 has full access to Vlan 2 (to the whole subnet or only a few IP addresses).

Vlan 2 has no access to Vlan 1 at all.

What is the best way to have this done? Any suggestion will be appreciated.

Happy Holiday!

Panos Kampanakis (Cisco Employee) Mon, 12/28/2009 - 16:00

Applying an ACL on a vlan interface will only have the ACL kick in if packets are L3 routed on the switch (hit the vlan SVI).

What you want is a Vlan ACL (VACL) explained here

Here is an example:

Router# show ip access-lists net_10
Extended IP access list net_10
    permit ip any

Router# show ip access-lists any_host
Standard IP access list any_host
    permit any

This example shows how to define and apply a VLAN access map to forward IP packets. In this example, IP traffic matching net_10 is forwarded and all other IP packets are dropped due to the default drop action. The map is applied to VLAN 12 to 16.

Router(config)# vlan access-map thor 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action forward 
Router(config-access-map)# exit 
Router(config)# vlan filter thor vlan-list 12-16 

I hope it helps.
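The VACL approach from the reply, worked through for the two-VLAN scenario in the question. This is an added configuration example, not part of the original thread and not Cisco's own documentation; the subnets (10.1.1.0/24 for Vlan 1, 10.1.2.0/24 for Vlan 2), the ACL names and the access-map name are all assumptions to be replaced with your own. It relies on the two behaviours the reply describes: access-map sequences are evaluated in order, and any IP packet matching no sequence hits the default drop.

```cisco
! Added example (not from the thread). Assumed addressing, replace as needed:
!   Vlan 1 (company) = 10.1.1.0/24
!   Vlan 2 (vendor)  = 10.1.2.0/24
!
! Classifier ACLs used only as VACL match criteria (permit = "this is a match").
!
! TCP replies to sessions the company side opened. Both VACLs and router ACLs
! are stateless, so without this, "full access from Vlan 1" breaks as soon as
! the vendor host answers. Assumption: the platform accepts the established
! keyword inside a VACL match ACL; if it does not, enforce the same entry as a
! router ACL on interface Vlan2 instead.
ip access-list extended VENDOR-TCP-REPLIES
 permit tcp 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 established
!
! Everything else sourced by the vendor VLAN and destined for the company VLAN.
ip access-list extended VENDOR-TO-COMPANY
 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! Catch-all so that vendor-internal and vendor-to-Internet traffic survives the
! default drop action of the access map.
ip access-list extended ANY-IP
 permit ip any any
!
! The access map: first matching sequence wins.
vlan access-map VENDOR-FILTER 10
 match ip address VENDOR-TCP-REPLIES
 action forward
vlan access-map VENDOR-FILTER 20
 match ip address VENDOR-TO-COMPANY
 action drop
vlan access-map VENDOR-FILTER 30
 match ip address ANY-IP
 action forward
!
! Apply to the vendor VLAN only. A routed vendor-to-company packet enters the
! switch on Vlan 2, so the filter on Vlan 2 is enough to stop it; company-to-
! vendor packets are sourced in Vlan 1 and are not touched by this map.
vlan filter VENDOR-FILTER vlan-list 2
!
! Verification after applying:
!   show vlan access-map VENDOR-FILTER
!   show vlan filter
```

Two practical notes. First, sequence 30 is not optional: the reply's example relies on the default drop, and without an explicit forward the vendor VLAN would lose all IP traffic that is not heading to the company VLAN. Second, the established entry only rescues TCP; UDP or ICMP replies from a vendor host (DNS answers, ping replies) would still hit sequence 20 and be dropped, so either add narrowly scoped permits for the specific services Vlan 1 needs to reach, or place the rule set on the SVI where a stateful mechanism is available on your platform.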
