01-28-2010 08:26 PM - edited 03-06-2019 09:30 AM
Dear Experts & Ganesh,
Please help me regarding VLAN access maps; I have some confusion about them.
I have a Cisco 3550. All the ports are access ports in the same VLAN (VLAN 2).
interface Vlan2 has ip address 10.10.10.100 255.255.255.0
Ports 1 and 2 are both connected to the billing/authentication server as uplinks, and the other
ports, 3 to 48, are connected to DSLAMs, with more than 50 users connected on each port.
I need all the customers connected on ports 3 to 48 to be permitted only to 172.16.0.1 (server 1, connected to port 1)
and 172.16.0.2 (server 2, connected to port 2); all other IPs need to be denied.
But I have some confusion about that: do I need to permit the IP of the VLAN 2 interface (10.10.10.100)?
Please see my config templates below for the port 3 and port 4 customers, and suggest whether I need to permit the IP
of the VLAN interface (10.10.10.100) in each extended access list or not.
VLAN access map for the Cisco 3550 switch.

For Sanchar DSLAM on port 3:

ip access-list extended Sanchar
 permit ip 172.16.45.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.45.0 0.0.0.255 host 172.16.0.2
 permit ip 172.16.28.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.28.0 0.0.0.255 host 172.16.0.2
 permit ip 192.168.0.0 0.0.0.255 host 172.16.0.2
 ! Do I need to add these two lines for the VLAN 2 IP on the 3550?
 permit ip 172.16.45.0 0.0.0.255 host 10.10.10.100
 permit ip 172.16.28.0 0.0.0.255 host 10.10.10.100
 deny ip any any
!
vlan access-map Permittedips 10
 ! the name here must match the ACL name exactly (IOS ACL names are case-sensitive)
 match ip address Sanchar
 action forward

For AD DSLAM on port 4:

ip access-list extended AD
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.2
 permit ip 172.16.30.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.30.0 0.0.0.255 host 172.16.0.2
 permit ip 192.168.0.0 0.0.0.255 host 172.16.0.2
 ! Do I need to add these two lines for the VLAN 2 IP on the 3550?
 permit ip 172.16.47.0 0.0.0.255 host 10.10.10.100
 permit ip 172.16.30.0 0.0.0.255 host 10.10.10.100
 deny ip any any
!
vlan access-map Permittedips 20
 match ip address AD
 action forward
!
vlan filter Permittedips vlan-list 2
Please help me regarding this.
Thanks in advance,
Vaib...
01-28-2010 11:19 PM
Dear Ganesh,
Thanks for your reply.
This IP 10.10.10.100 is assigned on VLAN interface 2 only; they do not need to access this IP, they access only the 172.16.0.1 and 172.16.0.2 IPs.
But my only confusion is that, when I configure IP 10.10.10.100 on the VLAN interface, do I need to permit this IP in all the ACLs or not?
Thanks in advance,
Vaib...
Vaibhav,
No need. It is just an IP which would need to be permitted for a source to access this device, so there is no need unless there is a specific requirement; just apply the VLAN access map to the VLAN in the switch.
So the permitted IPs for the specific destinations will work as per the VACL, and the rest will be blocked.
Hope this helps,
Ganesh.H
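The following is an added worked example, not code from the original post or from either participant. It models how a Catalyst 3550 VLAN access map evaluates a packet: the map's sequences are tried in order, a sequence matches only when the packet hits a permit ACE of its ACL (a deny ACE, including the implicit one, just means "no match for this sequence"), the first matching sequence's action is applied, and a packet that matches no sequence is dropped by the implicit deny at the end of the map. One caveat the thread does not spell out: a VACL has no direction, it is applied to every packet bridged in the VLAN, so the servers' replies to the customers are evaluated by the same map. The example feeds the posted ACLs and a merged single ACL (as Ganesh suggested) with the reverse-direction permits added through a few constructed packets. The helper names (`parse_ace`, `vacl_action`, `with_replies`, `POSTED_MAP`, `FIXED_MAP`), the sample customer addresses and the packet list are the example's own assumptions; the ACE lines are the ones from the post.

```python
"""VACL evaluation model (added example, not the original post's code).

Semantics modelled, as on a Catalyst 3550 VLAN access map:
  - sequences are tried in order; a sequence matches when the packet hits a
    permit ACE of its ACL (a deny ACE only means "no match here");
  - the first matching sequence's action wins;
  - no match at all -> drop (implicit deny at the end of the map);
  - the map sees every bridged packet regardless of direction.
Only "permit|deny ip <src> <dst>" ACEs are handled (IP traffic only).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    permit: bool
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tok, i):
    """Parse one IOS address spec starting at tok[i]; return (network, next_i)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    addr, wild = tok[i], int(ipaddress.IPv4Address(tok[i + 1]))
    if wild & (wild + 1):  # wildcard must be a contiguous run of low-order ones
        raise ValueError(f"non-contiguous wildcard {tok[i + 1]}")
    prefix = 32 - wild.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), i + 2


def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>' (wildcard, host or any forms)."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    src, i = _parse_addr(tok, 2)
    dst, _ = _parse_addr(tok, i)
    return Ace(tok[0] == "permit", src, dst)


def acl_permits(acl, src, dst):
    """First-match lookup; an ACL with no matching ACE implicitly denies."""
    for a in acl:
        if src in a.src and dst in a.dst:
            return a.permit
    return False


def vacl_action(access_map, src, dst):
    """access_map: list of (seq, acl, action). Returns 'forward' or 'drop'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _seq, acl, action in sorted(access_map, key=lambda e: e[0]):
        if acl_permits(acl, src, dst):  # a deny ACE just falls through
            return action
    return "drop"  # implicit deny at the end of the VLAN access map


# ACLs exactly as posted: customer -> server only.
SANCHAR = [parse_ace(l) for l in (
    "permit ip 172.16.45.0 0.0.0.255 host 172.16.0.1",
    "permit ip 172.16.45.0 0.0.0.255 host 172.16.0.2",
    "permit ip 172.16.28.0 0.0.0.255 host 172.16.0.1",
    "permit ip 172.16.28.0 0.0.0.255 host 172.16.0.2",
    "permit ip 192.168.0.0 0.0.0.255 host 172.16.0.2",
    "deny ip any any")]
AD = [parse_ace(l) for l in (
    "permit ip 172.16.47.0 0.0.0.255 host 172.16.0.1",
    "permit ip 172.16.47.0 0.0.0.255 host 172.16.0.2",
    "permit ip 172.16.30.0 0.0.0.255 host 172.16.0.1",
    "permit ip 172.16.30.0 0.0.0.255 host 172.16.0.2",
    "permit ip 192.168.0.0 0.0.0.255 host 172.16.0.2",
    "deny ip any any")]
POSTED_MAP = [(10, SANCHAR, "forward"), (20, AD, "forward")]


def with_replies(acl):
    """Mirror every permit ACE (dst -> src) so the servers' replies also pass."""
    fwd = [a for a in acl if a.permit]
    return fwd + [Ace(True, a.dst, a.src) for a in fwd] + [parse_ace("deny ip any any")]


# One merged ACL (Ganesh's suggestion) plus the reverse direction; SVI IP still absent.
FIXED_MAP = [(10, with_replies(SANCHAR + AD), "forward")]

# Constructed packets: (src, dst, description); addresses are assumed examples.
PACKETS = [
    ("172.16.45.10", "172.16.0.1", "customer -> billing server"),
    ("172.16.0.1", "172.16.45.10", "billing server reply -> customer"),
    ("172.16.45.10", "172.16.47.10", "customer -> customer on AD DSLAM"),
    ("172.16.45.10", "10.10.10.100", "customer -> switch SVI (VLAN 2 IP)"),
]


def evaluate(access_map):
    """Map each packet description to the action the VACL takes."""
    return {desc: vacl_action(access_map, s, d) for s, d, desc in PACKETS}


if __name__ == "__main__":
    for name, amap in (("posted", POSTED_MAP), ("fixed", FIXED_MAP)):
        for desc, act in evaluate(amap).items():
            print(f"{name:6} {act:7} {desc}")
```

Running it shows the posted maps forward the customer-to-server packet but drop the server's reply, while the merged ACL with mirrored entries forwards both; customer-to-customer traffic across DSLAMs and traffic to the SVI address 10.10.10.100 are dropped under both, which is the behaviour Ganesh describes. In IOS the mirrored entries are ordinary `permit ip host 172.16.0.1 172.16.45.0 0.0.0.255` style lines, and the trailing `deny ip any any` in a VACL-referenced ACL is redundant because the map already ends in an implicit deny. The model covers IP only; on the 3550 a packet type that has no match clause of its kind in the map (ARP under a map with only `ip address` clauses, for example) is forwarded by default, which is why address resolution keeps working under these maps.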
01-28-2010 10:39 PM
Hi Vaibhav,
The above configuration seems OK, but you can make a single extended ACL allowing the specific IPs, which you have done in two ACLs, and apply that on the VLAN. And why do you want to permit the switch IP for user access? If that is a need, then permit it in the same ACL for the source which needs it; otherwise there is no need to apply the switch IP address in the ACL.
Hope this helps,
Ganesh.H
01-28-2010 11:08 PM
Dear Ganesh,
Thanks for your reply.
This IP 10.10.10.100 is assigned on VLAN interface 2 only; they do not need to access this IP, they access only the 172.16.0.1 and 172.16.0.2 IPs.
But my only confusion is that, when I configure IP 10.10.10.100 on the VLAN interface, do I need to permit this IP in all the ACLs or not?
Thanks in advance,
Vaib...
01-28-2010 11:28 PM
Dear Ganesh,
Thanks a lot.
So we don't need to configure a permit for this VLAN 2 interface IP address (10.10.10.100) in all the ACLs, OK.
Thanks once again!!!
Vaib...