New Member

VACL on 3750

A VLAN on a 3750 has 5 ports/hosts assigned to the 10.10.10.x/24 network.

What would a simple VACL configuration look like where only SSH among the five ports/hosts is allowed?

ACCEPTED SOLUTION
Silver

Re: VACL on 3750

try the following:

(config)#ip access-list extended test

(config-ext-nacl)#permit tcp 10.10.10.0 0.0.0.255 any eq 22

(config-ext-nacl)#remark VACLs are stateless: the reply direction (source port 22) needs its own permit

(config-ext-nacl)#permit tcp 10.10.10.0 0.0.0.255 eq 22 any

then

(config)#vlan access-map tt 1

(config-access-map)# match ip address test

(config-access-map)# action forward

(config-access-map)# exit

(config)# vlan filter tt vlan-list 10

I suppose your VLAN has number 10.

Note: if you have an L3 interface for this VLAN in your switch (interface vlan 10; ip address 10.10.10.1 255.255.255.0), the configuration will be easier.

5 REPLIES
New Member

Re: VACL on 3750

I read through some materials which say that a VACL/VLAN access-map is applicable only to packets coming into or going out of the VLAN.

Is it correct that the VACL also applies to traffic within the VLAN, i.e. restricting/allowing access from a host on port 1 to another host on port 2 (in the same VLAN)?

Please confirm.

Thanks.

Bronze

Re: VACL on 3750

The VACL will apply to traffic within the VLAN also. Check

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/vacl.html

"VACLs can provide access control for all packets that are bridged within a VLAN or that are routed into or out of a VLAN"

New Member

Re: VACL on 3750

When I include the following ACL with the action set to forward, access from 20.x to 20.x is blocked:

Extended IP access list MYACL

10 permit tcp any 20.20.20.0 0.0.0.255 eq 1500

1500 is a TCP service running on the 20.x network hosts. However, when I replace the ACL with permit ip any any, the traffic goes through.

Do ACLs work differently with VLAN filters? Why are all 20.x hosts blocked from port 1500 with the above ACL?

New Member

Re: VACL on 3750

Ok. It has to be applied both ways.
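Why a single "eq 22" permit blocks the SSH reply direction, and why the "both ways" conclusion above fixes it: a Python model of stateless VLAN-map evaluation, added here as an illustration and not Cisco code or anything posted in this thread. It assumes the Catalyst 3750 rule that a VLAN map with an IP match clause drops IP packets hit by none of its permit entries, and uses constructed host addresses on 10.10.10.0/24.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # IOS keyword 'any' as network/wildcard
LAN = ("10.10.10.0", "0.0.0.255")     # the thread's VLAN 10 subnet

def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 1 bit means 'do not care' (0.0.0.255 covers a /24)."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    keep = ~w & 0xFFFFFFFF
    return a & keep == n & keep

def ace_matches(ace, pkt):
    """One 'permit <proto> <src> [eq p] <dst> [eq p]' entry against one packet."""
    proto, (src, src_wc), sport, (dst, dst_wc), dport = ace
    return (pkt["proto"] == proto
            and wildcard_match(pkt["src"], src, src_wc)
            and wildcard_match(pkt["dst"], dst, dst_wc)
            and sport in (None, pkt["sport"])
            and dport in (None, pkt["dport"]))

def vlan_map_action(acl, pkt):
    """Assumed 3750 semantics: 'match ip address <acl>' + 'action forward' forwards an
    IP packet hit by a permit entry and drops every other IP packet (implicit deny).
    Each packet is judged on its own; a VACL keeps no connection state."""
    return "forward" if any(ace_matches(ace, pkt) for ace in acl) else "drop"

# The accepted answer's ACL: permit tcp 10.10.10.0 0.0.0.255 any eq 22
ONE_WAY_ACL = [("tcp", LAN, None, ANY, 22)]
# Both directions, as the last reply concludes: replies carry source port 22
TWO_WAY_ACL = [("tcp", LAN, None, LAN, 22),
               ("tcp", LAN, 22, LAN, None)]

def pkt(src, sport, dst, dport, proto="tcp"):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

# Constructed sample traffic between two hosts on the VLAN
SSH_SYN = pkt("10.10.10.2", 51000, "10.10.10.3", 22)
SSH_SYNACK = pkt("10.10.10.3", 22, "10.10.10.2", 51000)
HTTP_SYN = pkt("10.10.10.2", 51001, "10.10.10.3", 80)

def session_allowed(acl, request, reply):
    """A TCP session only works if the VACL forwards both halves of the exchange."""
    return all(vlan_map_action(acl, p) == "forward" for p in (request, reply))

if __name__ == "__main__":
    for name, acl in (("one-way", ONE_WAY_ACL), ("two-way", TWO_WAY_ACL)):
        print(name, {k: vlan_map_action(acl, p) for k, p in
                     (("SYN", SSH_SYN), ("SYN/ACK", SSH_SYNACK), ("HTTP", HTTP_SYN))})
```

The same model explains the port 1500 case above: "permit tcp any 20.20.20.0 0.0.0.255 eq 1500" forwards the request but drops every reply, whose destination port is the client's ephemeral port.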
