how to configure this Requirments:
VLAN Access Control
Configure an ACL with name âACL-Vâ to obtain the following requirements:-
- Deny Web Traffic from 172.16.10.0/24 to Subnet 192.168.106.0
- Permit Web Traffic from 172.16.0.0/8 to Subnet 192.168.106.0
- Permit Any Other ip traffic from your POD to Subnet 192.168.106.0
Do not Use deny Statements, use only PERMIT statements.
(192.168.106.0 is VLAN_200)
You need to configure VLAN access-map to meet the mentioned requirements.
access-list 101 permit tcp 172.16.10.0 0.0.0.255 192.168.106.0 0.0.0.255 eq 80
access-list 102 permit tcp 172.16.0.0 0.0.255.255 192.168.106.0 0.0.0.255 eq 80
vlan access-map webtraffic seq 10
match ip address 101
vlan access-map webtraffic seq 20
match ip address 102
vlan filter webtraffic vlan-list 200
Please note I didnt create an acl for your 3rd statement bcoz I couldnt understand.
This should suffice your requirement of creating an acl with all permits statements & still denying traffic.
hope that clarifies.
pls rate all helpful posts.
I will recommend you to have a look at this link
If after going through this you are not able to configure the ACL as per your reuiqrement me or someone on this forum will answer your last part.
Permit Any Other ip traffic from your Rack to Subnet 192.168.106.0
any other Traffic to any where rather then the port 80
does this entry work:
ip access-list standard ALI
PERMit 172.16.0.0 0.0.255.255
vlan access-map filter 10
match ip address ALI
vlan access-map filter 20
match ip address ALI
vlan filter Filter vlan-list 199
Does it work?
I was bit confused with your ACL. You have matched same ACL in filter 10 and 20 and in filter 10 the action is DROP and in filter 20 the action is FWD for same ACL only. The check will work on first ACL and it will not come to second filter so the result will always be drop if source is 172.16.0.0/16
Can you please confirm once again what rules you are looking for?
This wouldn't accomplish what you need, since this map drops (denies) the traffic that you should allow through.
You need to drop only the /24 subnet, not the /16 one.