New Member

VACL-3750

Hello Everybody,

I'm facing one issue with VACL.

I have a LAN with 10.40.X.X/16.

In this network I have a production VLAN 10 with 10.40.10.X/24,

and I have created one VLAN 103 for guest users as 10.40.103.X/24.

My goal is to restrict VLAN 103 from reaching or accessing VLAN 10; in other words, to restrict guest user access to the production VLAN.

So I tried to put this script in place with the VACL method, but it doesn't work:

Extended IP access list Restriction-Guest
    10 permit ip 10.40.103.0 0.0.0.255 any

vlan access-map Guest 10
 action drop
 match ip address Restriction-Guest

vlan filter Guest vlan-list 10

After that I am still able to ping or access VLAN 10 from VLAN 103.

PS: I have a CORESW 3750 S.

Thank you in advance

4 REPLIES

VACL-3750

Hi Junior,

Instead of denying the Guest network access to the Production network, you have permitted it.
Do as below to achieve your goal:

ip access-list extended Restrict_Guest
 deny ip any 10.40.10.0 0.0.0.255
 permit ip any any
!
interface Vlan103
 ! "in" filters traffic arriving from the guest hosts; with no direction given,
 ! IOS applies the ACL outbound on the SVI, where guest-sourced traffic is never seen
 ip access-group Restrict_Guest in

Hope the above is clear and helps you.
Please rate all the helpful posts.
Regards,
Naidu.
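To see why the two approaches in this thread behave differently, here is a small evaluator for the semantics the original post (VLAN access-map with a drop action) and the reply above (router ACL on the Vlan103 SVI) rely on. This is an added example written for this thread, not code from either poster or from Cisco: it models the documented rules (first match wins, implicit deny at the end of an ACL; in a VLAN map a "permit" in the ACL means "match" and the clause's action decides, and a packet matching no clause is dropped; a router ACL with no direction is applied outbound in classic IOS). The host addresses 10.40.103.5, 10.40.10.7 and 10.40.10.8 are constructed; the subnets come from the posts, including the /28 on interface Vlan103 in the running-config posted later.

```python
"""Toy model of Cisco extended-ACL, router-ACL (RACL) and VLAN access-map (VACL) semantics.
Constructed example for this thread; it is not IOS code and not a substitute for testing
on the switch. Host addresses are made up; subnets are taken from the posts."""
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def _take_address(toks):
    """Consume one IOS address spec ('any', 'host A', or 'A WILDCARD') from the token list."""
    if toks[0] == "any":
        return ANY, toks[1:]
    if toks[0] == "host":
        return ipaddress.IPv4Network(toks[1] + "/32"), toks[2:]
    # Cisco wildcard masks are inverse netmasks (assumed contiguous here).
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(toks[1]))
    net = ipaddress.IPv4Network((toks[0], str(ipaddress.IPv4Address(mask))), strict=False)
    return net, toks[2:]


def parse_acl(text):
    """Parse 'permit/deny ip SRC DST' lines (config or 'show' output) into (action, src, dst)."""
    entries = []
    for line in text.strip().splitlines():
        toks = line.split()
        if toks and toks[0].isdigit():        # drop sequence numbers from 'show' output
            toks = toks[1:]
        if len(toks) < 4 or toks[0] not in ("permit", "deny") or toks[1] != "ip":
            continue                          # headers such as 'ip access-list ...' are skipped
        src, rest = _take_address(toks[2:])
        dst, _ = _take_address(rest)
        entries.append((toks[0], src, dst))
    return entries


def acl_lookup(entries, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, snet, dnet in entries:
        if s in snet and d in dnet:
            return action
    return "deny"


def racl_forwards(entries, svi_subnet, src, dst, direction="out"):
    """Router ACL on an SVI. 'in' is checked for packets arriving from hosts in the VLAN,
    'out' for packets being routed towards them. Classic IOS treats a missing direction
    on 'ip access-group' as 'out', which is the default reproduced here."""
    subnet = ipaddress.IPv4Network(svi_subnet)
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    in_path = (direction == "in" and s in subnet) or (direction == "out" and d in subnet)
    if not in_path:
        return True                           # the ACL never sees this packet
    return acl_lookup(entries, src, dst) == "permit"


def vacl_verdict(access_map, src, dst):
    """VLAN access-map: a clause matches when its ACL *permits* the packet (permit means
    'match', not 'allow'); the clause's action is then applied. A clause with no match
    statement matches everything, and a packet matching no clause is dropped."""
    for _seq, action, entries in sorted(access_map, key=lambda clause: clause[0]):
        if entries is None or acl_lookup(entries, src, dst) == "permit":
            return action
    return "drop"


# The original poster's ACL as shown by 'show access-lists', and the map applied to VLAN 10.
OP_ACL = """
Extended IP access list Restriction-Guest
    10 permit ip 10.40.103.0 0.0.0.255 any
"""
OP_MAP = [(10, "drop", parse_acl(OP_ACL))]
# Same map plus the forward clause the posted one lacks (without it VLAN 10 drops all other traffic).
OP_MAP_WITH_FORWARD = OP_MAP + [(20, "forward", None)]

# The router ACL from the first reply.
NAIDU_ACL = """
ip access-list extended Restrict_Guest
 deny ip any 10.40.10.0 0.0.0.255
 permit ip any any
"""
NAIDU_ENTRIES = parse_acl(NAIDU_ACL)
VLAN103_SUBNET = "10.40.103.0/28"   # from 'interface Vlan103' in the posted running-config

GUEST, SERVER, OTHER_SERVER = "10.40.103.5", "10.40.10.7", "10.40.10.8"   # constructed hosts


def demo():
    """Verdicts for the configurations discussed in the thread."""
    return {
        "vacl_guest_to_prod": vacl_verdict(OP_MAP, GUEST, SERVER),                          # drop
        "vacl_prod_to_prod": vacl_verdict(OP_MAP, OTHER_SERVER, SERVER),                    # drop
        "vacl_prod_to_prod_fixed": vacl_verdict(OP_MAP_WITH_FORWARD, OTHER_SERVER, SERVER), # forward
        "racl_no_direction": racl_forwards(NAIDU_ENTRIES, VLAN103_SUBNET, GUEST, SERVER),   # True
        "racl_in": racl_forwards(NAIDU_ENTRIES, VLAN103_SUBNET, GUEST, SERVER, "in"),       # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26} {result}")
```

Two things the model makes visible: the posted VLAN map, if it were in effect on VLAN 10, would drop not only guest traffic but every other packet in VLAN 10 too, because it has no trailing forward clause; and the router ACL from the reply only blocks guest-to-production traffic when it is applied with `in` on Vlan103. Whether a map is actually bound to the VLAN can be confirmed on the switch with `show vlan access-map` and `show vlan filter`.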

New Member

VACL-3750

Hello Naidu,

and thank you for your response.

I have finished testing this script with this correction, but it doesn't work.

I am still able to connect to the production VLAN (10) from the guest VLAN (103).

VACL-3750

Hi Junior,

It is strange.
Can you provide your 3750 switch config?

Hope the above is clear and helps you.
Please rate all the helpful posts.
Regards,
Naidu.

New Member

VACL-3750

COBswCR#sh version
Cisco IOS Software, C3750 Software (C3750-IPBASE-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 19-Jul-07 19:15 by nachen
Image text-base: 0x00003000, data-base: 0x01080000

ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(25r)SEC, RELEASE SOFTWARE (fc4)

COBswCR uptime is 17 minutes
System returned to ROM by power-on
System restarted at 12:58:33 UTC Wed Feb 8 2012
System image file is "flash:c3750-ipbase-mz.122-35.SE5/c3750-ipbase-mz.122-35.SE5.bin"

cisco WS-C3750-24P (PowerPC405) processor (revision T0) with 118784K/12280K bytes of memory.
Processor board ID FDO1428X3SY
Last reset from power-on
9 Virtual Ethernet interfaces
24 FastEthernet interfaces
2 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : DC:7B:94:CD:B3:00
Motherboard assembly number     : 73-9672-15
Power supply part number        : 341-0029-05
Motherboard serial number       : FDO14290D7M
Power supply serial number      : LIT14200UMD
Model revision number           : T0
Motherboard revision number     : A0
Model number                    : WS-C3750-24PS-S
System serial number            : FDO1428X3SY
Top Assembly Part Number        : 800-25860-09
Top Assembly Revision Number    : A0
Version ID                      : V10
CLEI Code Number                : COMAJ10BRA
Hardware Board Revision Number  : 0x01

Switch   Ports  Model              SW Version              SW Image
------   -----  -----              ----------              ----------
*    1   26     WS-C3750-24P       12.2(35)SE5             C3750-IPBASE-M

Configuration register is 0xF

COBswCR#sh run
COBswCR#sh running-config
Building configuration...

Current configuration : 3805 bytes
!
! Last configuration change at 13:03:44 UTC Wed Feb 8 2012
! NVRAM config last updated at 13:03:46 UTC Wed Feb 8 2012
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname COBswCR
!
!
username admin privilege 15 password 7 046B5A0A5F3545565B495446
no aaa new-model
switch 1 provision ws-c3750-24p
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
ip domain-name cobeje.co.ao
!
!
!
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
spanning-tree extend system-id
spanning-tree uplinkfast
spanning-tree backbonefast
!
vlan internal allocation policy ascending
!
interface FastEthernet1/0/1
 description PORT_RESERVED_Vmware-SRVPROD
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport mode trunk
!
interface FastEthernet1/0/2
 description PORT_RESERVED_Vmware-SRVPROD
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport mode trunk
!
interface FastEthernet1/0/3
 description PORT_RESERVED_Vmware-SRVPROD
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport mode trunk
!
interface FastEthernet1/0/4
 description PORT_RESERVED_Vmware-SRVPROD
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport mode trunk
!
interface FastEthernet1/0/5
 description PORT_RESERVED_Vmware-SRVPROD
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport mode trunk
!
interface FastEthernet1/0/6
!
interface FastEthernet1/0/7
!
interface FastEthernet1/0/8
!
interface FastEthernet1/0/9
!
interface FastEthernet1/0/10
!
interface FastEthernet1/0/11
!
interface FastEthernet1/0/12
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
!
interface FastEthernet1/0/17
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/19
!
interface FastEthernet1/0/20
 switchport access vlan 31
 switchport mode access
!
interface FastEthernet1/0/21
 description LINK of TEST
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
 description LINK-TO-Router(SPOKE)
 switchport access vlan 32
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet1/0/24
 description LINK_TO_ASAFW
 switchport access vlan 31
 switchport mode access
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description Servers Production
 ip address 10.40.10.254 255.255.255.0
!
interface Vlan12
 description vlan Reserved for DOMAIN CONTROLLER
 ip address 10.40.12.254 255.255.255.0
!
interface Vlan14
 description (FFTMG,MACAFEE,WSUS,..)
 ip address 10.40.14.6 255.255.255.248
!
interface Vlan31
 description LINK-to-ASA (Layer1)
 no ip address
 shutdown
!
interface Vlan32
 description LINK-TO-RT(spoke)
 ip address 172.40.32.1 255.255.255.252
!
interface Vlan98
 description Management dos Servidores da Rede
 ip address 10.40.98.254 255.255.255.0
!
interface Vlan99
 description ONLY FOR DEVICE MANAGEMENT
 ip address 10.40.99.254 255.255.255.0
!
interface Vlan103
 ip address 10.40.103.14 255.255.255.240
!
router eigrp 40
 variance 2
 redistribute connected
 passive-interface default
 no passive-interface Vlan31
 no passive-interface Vlan32
 network 172.40.32.1 0.0.0.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.40.14.1
ip http server
!
!
control-plane
!
!
line con 0
 privilege level 15
 login local
line vty 0 4
 privilege level 15
 login local
line vty 5 15
 login
!
ntp clock-period 36028756
ntp server 192.168.10.9
end
