Cisco Support Community
New Member

Vlan access-List(?)

Hello Experts!

How do I configure these requirements:

VLAN Access Control

Configure an ACL named “ACL-V” to meet the following requirements:

- Deny web traffic from 172.16.10.0/24 to subnet 192.168.106.0

- Permit web traffic from 172.16.0.0/8 to subnet 192.168.106.0

- Permit any other IP traffic from your POD to subnet 192.168.106.0

Do not use deny statements, use only PERMIT statements.

(192.168.106.0 is VLAN_200)

many 10xs

9 REPLIES

Re: Vlan access-List(?)

What part are you having trouble with?

Re: Vlan access-List(?)

You need to configure VLAN access-map to meet the mentioned requirements.

! ACL 101: web traffic from the /24 that must be dropped
access-list 101 permit tcp 172.16.10.0 0.0.0.255 192.168.106.0 0.0.0.255 eq 80
! ACL 102: web traffic from the wider range that must be forwarded
access-list 102 permit tcp 172.16.0.0 0.0.255.255 192.168.106.0 0.0.0.255 eq 80
!
! Sequences are evaluated in order; the first matching sequence decides
vlan access-map webtraffic seq 10
 match ip address 101
 action drop
vlan access-map webtraffic seq 20
 match ip address 102
 action forward
!
vlan filter webtraffic vlan-list 200

Please note I didn't create an ACL for your 3rd statement because I couldn't understand it.

This should satisfy your requirement of creating an ACL with all permit statements and still denying traffic.

Hope that clarifies.

Please rate all helpful posts.

New Member

Re: Vlan access-List(?)

Hi,

You need to permit IP traffic to 192.168.106.0 also.

Any help?

Cisco Employee

Re: Vlan access-List(?)

Hi Ali,

I would recommend you have a look at this link:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12240se/scg1/swacl.htm#wp1600210

If after going through this you are not able to configure the ACL as per your requirement, I or someone on this forum will answer your last part.

HTH

Ankur

New Member

Re: Vlan access-List(?)

Hi Ankur

10xs a lot

New Member

Re: Vlan access-List(?)

Ankur, is the config provided by bvsnarayana03 wrong?

New Member

Re: Vlan access-List(?)

Hi,

Permit any other IP traffic from your rack to subnet 192.168.106.0

any other traffic to anywhere rather than port 80

Does this entry work:

ip access-list standard ALI
 permit 172.16.0.0 0.0.255.255
!
vlan access-map filter 10
 match ip address ALI
 action drop
vlan access-map filter 20
 match ip address ALI
 action forward
!
vlan filter filter vlan-list 199

Does it work?

10xs

Cisco Employee

Re: Vlan access-List(?)

Hi Ali,

I was a bit confused with your ACL. You have matched the same ACL in filter 10 and 20; in filter 10 the action is DROP and in filter 20 the action is FWD, for the same ACL. The check will match the first sequence and will not reach the second, so the result will always be drop if the source is 172.16.0.0/16.

Can you please confirm once again what rules you are looking for?

Regards,

Ankur

Silver

Re: Vlan access-List(?)

This wouldn't accomplish what you need, since this map drops (denies) the traffic that you should allow through.

You need to drop only the /24 subnet, not the /16 one.
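Ankur's first-match point, and the implicit drop at the end of a VLAN access-map that is why the third requirement needs its own forward sequence, can be checked with this added Python model. It is not code from the thread; it models the wildcard masks exactly as posted in the replies, and the seq 30 / ACL 103 entry is my assumption for the "permit any other IP traffic" requirement.

```python
import ipaddress

# Constructed model of how a Cisco VLAN access-map is evaluated (not code
# from the thread): sequences are walked in ascending order, the first one
# whose ACL matches decides the action, and a frame that matches no
# sequence hits the implicit drop at the end of the map.
N = ipaddress.ip_network

def match_ace(ace, pkt):
    """ace = (proto, src_net, dst_net, dst_port or None); pkt is a dict."""
    proto, src, dst, dport = ace
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in src:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in dst:
        return False
    return dport is None or dport == pkt.get("dport")

def vacl_decision(access_map, acls, pkt):
    for acl_name, action in access_map:          # seq 10, 20, ... in order
        if any(match_ace(ace, pkt) for ace in acls[acl_name]):
            return action
    return "drop"                                # implicit drop at end of map

# bvsnarayana03's map "webtraffic": ACL 101 -> drop, then ACL 102 -> forward
ACLS_REPLY = {
    "101": [("tcp", N("172.16.10.0/24"), N("192.168.106.0/24"), 80)],
    "102": [("tcp", N("172.16.0.0/16"), N("192.168.106.0/24"), 80)],
}
MAP_REPLY = [("101", "drop"), ("102", "forward")]

# Ali's map "filter": one standard ACL (source only) in seq 10 drop and seq 20 forward
ACLS_ALI = {"ALI": [("ip", N("172.16.0.0/16"), N("0.0.0.0/0"), None)]}
MAP_ALI = [("ALI", "drop"), ("ALI", "forward")]

# Assumed seq 30 for the third requirement (ACL 103 is my choice, not the thread's)
ACLS_FIXED = dict(ACLS_REPLY, **{"103": [("ip", N("172.16.0.0/16"), N("192.168.106.0/24"), None)]})
MAP_FIXED = MAP_REPLY + [("103", "forward")]

PKTS = {  # constructed sample traffic from the POD towards VLAN_200
    "web_from_10": {"proto": "tcp", "src": "172.16.10.5", "dst": "192.168.106.9", "dport": 80},
    "web_from_20": {"proto": "tcp", "src": "172.16.20.5", "dst": "192.168.106.9", "dport": 80},
    "ssh_from_20": {"proto": "tcp", "src": "172.16.20.5", "dst": "192.168.106.9", "dport": 22},
}

def evaluate(access_map, acls):
    """Decision per sample packet for one access-map."""
    return {name: vacl_decision(access_map, acls, p) for name, p in PKTS.items()}
```

Running `evaluate` over the three maps shows Ali's map dropping everything from 172.16.0.0/16, the posted reply dropping non-web traffic through the implicit drop, and only the version with a third forward sequence meeting all three requirements.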
