VACL help

burkmajo10
Level 1

Hi,

I have Cisco 6500 SUP720 IOS 12.2(17d) with multiple vlans 5, 6, 7, 33 and 90.

Vlan 90 = 10.90.1.X network equipment

Vlan 33 = 10.200.1.6 my PC

Vlan 5, 6 and 7 = 10.5.1.X, 10.6.1.X and 10.7.1.X staff PCs

I want to be able to control access to vlan 90 so that only vlan 33 has access.

So I set up an ACL, a VACL and a vlan access-map like this:

ip access-list standard in-switches
 permit 10.200.1.0 0.0.0.255
ip access-list standard allow-any
 permit any
vlan access-map map90 10
 match ip address in-switches
 action forward
vlan access-map map90 20
 match ip address allow-any
 action drop
vlan filter map90 vlan-list 90

As soon as I apply the last command I lose connection to vlan 90 (can't ping it). What am I doing wrong?

Thanks in advance :)

2 Replies

Giuseppe Larosa
Hall of Fame

Hello Joel,

I would try to use only the first block of the VACL.

Try the following:

no vlan access-map map90 20

then apply the VACL again and tell us if you see any difference.

VACLs have an implicit deny at the end of the map; a packet is denied if it does not match any ACL entry, and at least one ACL is configured for the packet type.

The second aspect is that a standard ACL is used to match the source IP address only.

I would use an extended ACL permitting traffic between the two subnets:

no ip access-list standard allow-any
ip access-list extended in-switches
 permit ip 10.200.1.0 0.0.0.255 10.90.1.0 0.0.0.255
 permit ip 10.90.1.0 0.0.0.255 10.200.1.0 0.0.0.255

Hope to help

Giuseppe
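Why the original map broke the pings, as an added example that is not part of the thread: a small Python model of VACL evaluation (wildcard-mask matching, access-map sequences in order, implicit drop) run over both configurations. The echo request enters VLAN 90 with source 10.200.1.6, but the echo reply leaves it with a VLAN 90 source that the standard ACL never matches, so sequence 20 drops it; the extended ACL from the reply matches both directions. The switch address 10.90.1.10 and the staff PC 10.5.1.20 are constructed sample hosts in the subnets named in the question.

```python
# Toy model of Cisco VACL evaluation (added example, not Cisco code).
from ipaddress import IPv4Address


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def acl_permits(acl, src, dst):
    """True if any ACE matches. An ACE is 'any' or
    (src_base, src_wc, dst_base, dst_wc); dst_base None = standard ACL."""
    for ace in acl:
        if ace == "any":
            return True
        s_base, s_wc, d_base, d_wc = ace
        if wildcard_match(src, s_base, s_wc) and (
            d_base is None or wildcard_match(dst, d_base, d_wc)
        ):
            return True
    return False


def vacl_action(access_map, src, dst):
    """Walk map sequences in order; implicit drop when nothing matches."""
    for acl, action in access_map:
        if acl_permits(acl, src, dst):
            return action
    return "drop"


# Original question: standard ACL (source only) plus a catch-all drop.
IN_SWITCHES_STD = [("10.200.1.0", "0.0.0.255", None, None)]
ALLOW_ANY = ["any"]
ORIGINAL_MAP = [(IN_SWITCHES_STD, "forward"), (ALLOW_ANY, "drop")]

# Reply: extended ACL covering both directions, sequence 20 removed.
IN_SWITCHES_EXT = [
    ("10.200.1.0", "0.0.0.255", "10.90.1.0", "0.0.0.255"),
    ("10.90.1.0", "0.0.0.255", "10.200.1.0", "0.0.0.255"),
]
FIXED_MAP = [(IN_SWITCHES_EXT, "forward")]


def ping_outcome(access_map, pc="10.200.1.6", switch="10.90.1.10"):
    """The VACL sees every packet on VLAN 90, so both the echo request
    (entering the VLAN) and the echo reply (leaving it) are evaluated."""
    return vacl_action(access_map, pc, switch), vacl_action(access_map, switch, pc)
```

With ORIGINAL_MAP the result is ("forward", "drop"): the request gets in but every reply is discarded, which is exactly the "can't ping it" symptom; with FIXED_MAP both directions forward, while a staff PC in 10.5.1.0/24 is still dropped by the implicit deny.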

Giuseppe,

Thanks for the speedy response and your suggestion worked great.

Thanks again :)
