Cisco Support Community
Community Member

vlan access-list

I have these requirements:

deny web traffic from 192.168.10.0/24 to subnet 10.10.100.0

permit web traffic from 192.168.0.0/8 to subnet 10.10.100.0

permit any other ip traffic from my pod to 10.10.100.0

Don't use deny; use just PERMIT.

PLEASE ADJUST THIS ENTRY IF I MADE A MISTAKE.

ip access-list extended ACL-ACL
permit tcp 192.168.128.0 0.0.127.255 10.10.100.0 0.0.0.255 eq 80
permit tcp 192.168.64.0 0.0.63.255 10.10.100.0 0.0.0.255 eq 80
permit tcp 192.168.32.0 0.0.31.255 10.10.100.0 0.0.0.255 eq 80
permit tcp 192.168.16.0 0.0.15.255 10.10.100.0 0.0.0.255 eq 80
permit tcp 192.168.12.0 0.0.3.255 10.10.100.0 0.0.0.255 eq 80
permit tcp 192.168.11.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 80
permit tcp 192.168.8.0 0.0.1.255 10.10.100.0 0.0.0.255 eq 80
permit tcp 192.168.0.0 0.0.7.255 10.10.100.0 0.0.0.255 eq 80
permit ip 192.168.0.0 0.0.255.255 10.10.100.0 0.0.0.255

int vlan 100
ip access-group ACL-ACL in

5 REPLIES
Hall of Fame Super Bronze

Re: vlan access-list

The last entry on the ACL

permit ip 192.168.0.0 0.0.255.255 10.10.100.0 0.0.0.255

will break this requirement:

deny web traffic from 192.168.10.0/24 to subnet 10.10.100.0

I believe the task is steering you to implement Vlan ACLs instead of IPv4 ACLs.

With Vlan ACLs, you can configure ACL entries with permit but with a drop action under the Vlan Map.

For more information, please see:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12240se/scg/swacl.htm#wp1600210

Community Member

Re: vlan access-list

Thanks EdisonOrtiz!

So where is the mistake here? Could you please define it?

Thanks

Hall of Fame Super Bronze

Re: vlan access-list

As I stated, the last entry will break the requirement.

permit ip will allow web traffic and any other type of ip traffic. The requirements say to deny it.

Community Member

Re: vlan access-list

Hello EdisonOrtiz,

It was solved by

permit ip 10.10.0.0 0.0.255.255 10.10.100.0 0.0.0.255

Thanks

Community Member

Re: vlan access-list

Hello,

I have some doubt about these statements:

permit tcp 192.168.12.0 0.0.3.255 10.10.100.0 0.0.0.255 eq 80
permit tcp 192.168.11.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 80
permit tcp 192.168.8.0 0.0.1.255 10.10.100.0 0.0.0.255 eq 80
permit tcp 192.168.0.0 0.0.7.255 10.10.100.0 0.0.0.255 eq 80

Any clarification?

Thanks
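The four entries questioned above, together with the four before them, are simply the prefixes left over when 192.168.10.0/24 is subtracted from 192.168.0.0/16, written with Cisco wildcard masks. The following script, added here as an example and not taken from any of the posts, rebuilds that list with Python's `ipaddress` module and then evaluates sample packets against the ACL using first-match / implicit-deny semantics, which also shows why the trailing `permit ip` entry breaks the deny requirement. The packet tuples and the evaluator are constructed for this illustration.

```python
"""Added example: derive the permit-only entries from the thread and check them."""
from ipaddress import ip_address, ip_network

POD = ip_network("192.168.0.0/16")        # the /16 that the poster's entries cover
BLOCKED = ip_network("192.168.10.0/24")   # subnet whose web traffic must not be permitted
SERVERS = ip_network("10.10.100.0/24")    # destination subnet from the thread


def wildcard(net):
    """Cisco ACLs use an inverted (wildcard) mask, which ipaddress calls the hostmask."""
    return f"{net.network_address} {net.hostmask}"


def web_permit_entries():
    """One 'permit tcp ... eq 80' per prefix of POD minus BLOCKED, largest block first."""
    prefixes = sorted(POD.address_exclude(BLOCKED), key=lambda n: n.prefixlen)
    return [f"permit tcp {wildcard(n)} {wildcard(SERVERS)} eq 80" for n in prefixes]


def parse(entry):
    """Turn one ACL line into (action, predicate over src, dst, proto, dport)."""
    p = entry.split()
    src = ip_network(f"{p[2]}/{p[3]}")   # ipaddress accepts a hostmask after the slash
    dst = ip_network(f"{p[4]}/{p[5]}")
    proto = p[1]
    port = int(p[7]) if len(p) > 6 and p[6] == "eq" else None

    def matches(s, d, pr, dp):
        if ip_address(s) not in src or ip_address(d) not in dst:
            return False
        if proto != "ip" and proto != pr:
            return False
        return port is None or port == dp

    return p[0], matches


def evaluate(acl, src, dst, proto, dport):
    """First matching entry wins; no match means the implicit 'deny ip any any'."""
    for action, matches in map(parse, acl):
        if matches(src, dst, proto, dport):
            return action
    return "deny"


if __name__ == "__main__":
    acl = web_permit_entries()
    print("\n".join(acl))
    print(evaluate(acl, "192.168.10.5", "10.10.100.7", "tcp", 80))   # constructed packet
```

Appending the thread's `permit ip 192.168.0.0 0.0.255.255 10.10.100.0 0.0.0.255` to the list makes `evaluate` return `permit` for web traffic from 192.168.10.0/24, which is the point EdisonOrtiz raised.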
