VLAN Access-map in cisco 3550

csawest.dc
Level 3

Dear Experts & Ganesh,

Please help me regarding VLAN access maps; I have some confusion about them.

I have a Cisco 3550; all the ports are access ports in the same VLAN (VLAN 2), OK?

Int vlan 2 IP 10.10.10.100 255.255.255.0

Ports 1 & 2 are both connected to the billing/authentication server as an uplink, and the other
ports, 3 to 48, are connected to DSLAMs, with more than 50 users connected on each port.


I need all the customers connected on ports 3 to 48 to be permitted to IP 172.16.0.1 (server 1, connected to port 1)
and also 172.16.0.2 (server 2, connected to port 2) only, and other IPs need to be denied.

But I have some confusion about that: do I need to permit the IP of the VLAN 2 interface (10.10.10.100)?

Please see my config templates below for the port 3 & 4 customers, or suggest whether I need to permit the IP
of the VLAN interface (10.10.10.100) in each extended access-list or not.

VLAN access map for the Cisco 3550 switch.


For Sanchar DSLAM on port 3

ip access-list extended Sanchar
permit ip 172.16.45.0  0.0.0.255 host 172.16.0.1
permit ip 172.16.45.0  0.0.0.255 host 172.16.0.2
permit ip 172.16.28.0  0.0.0.255 host 172.16.0.1
permit ip 172.16.28.0  0.0.0.255 host 172.16.0.2
permit ip 192.168.0.0  0.0.0.255 host 172.16.0.2
permit ip 172.16.45.0  0.0.0.255 host 10.10.10.100    <-- do I need to add this? (VLAN 2 IP on the 3550)
permit ip 172.16.28.0  0.0.0.255 host 10.10.10.100    <-- do I need to add this? (VLAN 2 IP on the 3550)
deny ip any any

config#vlan access-map Permittedips 10
-map#match ip address Sanchar
-map#action forward

For AD DSLAM on port 4

ip access-list extended AD
permit ip 172.16.47.0  0.0.0.255 host 172.16.0.1
permit ip 172.16.47.0  0.0.0.255 host 172.16.0.2
permit ip 172.16.30.0  0.0.0.255 host 172.16.0.1
permit ip 172.16.30.0  0.0.0.255 host 172.16.0.2
permit ip 192.168.0.0  0.0.0.255 host 172.16.0.2
permit ip 172.16.47.0  0.0.0.255 host 10.10.10.100    <-- do I need to add this? (VLAN 2 IP on the 3550)
permit ip 172.16.30.0  0.0.0.255 host 10.10.10.100    <-- do I need to add this? (VLAN 2 IP on the 3550)
deny ip any any

config#vlan access-map Permittedips 20
-map#match ip address AD
-map#action forward


vlan filter Permittedips vlan-list 2


Please help me regarding this.

Thanks in advance,

Vaib...

Accepted Solution

Dear Ganesh,

Thanks for the reply.

This IP, 10.10.10.100, is assigned on VLAN interface 2 only; they do not need to access this IP, they access only the 172.16.0.1 & .2 IPs,

but I am confused only about whether, when I configure IP 10.10.10.100 on the VLAN interface, I need to permit this IP in all the ACLs or not.

Thanks in advance,

Vaib...

Vaibhav,

No need; it is just an IP which would need to be permitted for a source to access this device, so there is no need unless there is a specific requirement. Just apply the VLAN access map to the VLAN in the switch.

So the permitted IPs for the specific destinations will work as per the VACL, and the rest will be blocked.

Hope this helps,

Ganesh.H
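To see what the posted VLAN map actually does to traffic inside VLAN 2, here is a small evaluator I added for this thread; it is not part of the original post or of Cisco's software. It models VACL semantics as I understand them from Cisco's Catalyst documentation: each sequence of the map is tried in order, a packet "matches" a sequence only if the first ACE that covers it in that sequence's ACL is a permit (a deny ACE, or the implicit deny, just means "no match, try the next sequence"), and a packet that matches no sequence hits the map's implicit drop. The two ACLs are copied from the post without the questioned 10.10.10.100 lines; the sample packets and the `mirror_permits` helper are my own additions.

```python
"""Toy evaluator for Catalyst VLAN access-map (VACL) semantics, used to check
which packets inside VLAN 2 the two ACLs from the post would forward or drop.
The ACL parser covers only the 'permit|deny ip SRC DST' form used in the post."""
import ipaddress
from typing import List, Tuple

IPv4Net = ipaddress.IPv4Network
Ace = Tuple[bool, IPv4Net, IPv4Net]  # (is_permit, source, destination)


def _operand(tokens: List[str], i: int) -> Tuple[IPv4Net, int]:
    """Parse one IOS address operand: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[i] == "any":
        return IPv4Net("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Net(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a host mask (the IOS wildcard) after the slash
    return IPv4Net(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Turn 'permit|deny ip SRC DST' lines into (is_permit, src_net, dst_net) tuples."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            raise ValueError(f"only 'permit/deny ip SRC DST' ACEs are modelled: {line!r}")
        src, i = _operand(tokens, 2)
        dst, _ = _operand(tokens, i)
        aces.append((tokens[0] == "permit", src, dst))
    return aces


def acl_matches(aces: List[Ace], src: str, dst: str) -> bool:
    """First ACE covering the packet decides. For a VACL 'match' clause a deny
    ACE (or the implicit deny at the end) means 'no match', so the VLAN map goes
    on to its next sequence instead of dropping here."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for is_permit, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return is_permit
    return False


def vacl_action(vlan_map: List[Tuple[List[Ace], str]], src: str, dst: str) -> str:
    """vlan_map is the ordered list of (acl, action) sequences. A packet that
    matches no sequence hits the VLAN map's implicit drop."""
    for aces, action in vlan_map:
        if acl_matches(aces, src, dst):
            return action
    return "drop"


def mirror_permits(aces: List[Ace]) -> List[Ace]:
    """Return the ACL with a reversed copy of every permit ACE inserted before the
    deny entries, so the servers' replies to the users match as well: a VACL
    filters every packet bridged in the VLAN and keeps no connection state."""
    permits = [a for a in aces if a[0]]
    denies = [a for a in aces if not a[0]]
    return permits + [(True, d, s) for _, s, d in permits] + denies


# The two ACLs as posted, without the questioned 10.10.10.100 lines (the accepted
# answer says they are only needed if users must reach the switch itself)
SANCHAR = parse_acl("""
permit ip 172.16.45.0 0.0.0.255 host 172.16.0.1
permit ip 172.16.45.0 0.0.0.255 host 172.16.0.2
permit ip 172.16.28.0 0.0.0.255 host 172.16.0.1
permit ip 172.16.28.0 0.0.0.255 host 172.16.0.2
permit ip 192.168.0.0 0.0.0.255 host 172.16.0.2
deny ip any any
""")
AD = parse_acl("""
permit ip 172.16.47.0 0.0.0.255 host 172.16.0.1
permit ip 172.16.47.0 0.0.0.255 host 172.16.0.2
permit ip 172.16.30.0 0.0.0.255 host 172.16.0.1
permit ip 172.16.30.0 0.0.0.255 host 172.16.0.2
permit ip 192.168.0.0 0.0.0.255 host 172.16.0.2
deny ip any any
""")
PERMITTEDIPS = [(SANCHAR, "forward"), (AD, "forward")]  # sequences 10 and 20
PERMITTEDIPS_BOTH_WAYS = [(mirror_permits(SANCHAR), "forward"),
                          (mirror_permits(AD), "forward")]

# Constructed sample packets: (src, dst) as seen inside VLAN 2
SAMPLES = [
    ("172.16.45.10", "172.16.0.1"),    # Sanchar user -> billing server 1
    ("172.16.47.10", "172.16.0.2"),    # AD user -> billing server 2
    ("172.16.45.10", "10.10.10.100"),  # user -> switch SVI (not needed, so dropped)
    ("172.16.45.10", "172.16.47.10"),  # user -> user on another DSLAM
    ("172.16.0.1", "172.16.45.10"),    # server 1 replying to a Sanchar user
]

if __name__ == "__main__":
    for src, dst in SAMPLES:
        print(f"{src:>14} -> {dst:<14} as posted: {vacl_action(PERMITTEDIPS, src, dst):<7}"
              f" with mirrored ACEs: {vacl_action(PERMITTEDIPS_BOTH_WAYS, src, dst)}")
```

Two things the output shows beyond the question that was asked. First, leaving the 10.10.10.100 lines out does exactly what the accepted answer says: user-to-SVI packets fall through both sequences and are dropped, while user-to-server packets are forwarded, and splitting the permits over two sequences or one ACL makes no difference to the result. Second, under this model the servers' replies (source 172.16.0.1, destination a user subnet) match no permit ACE either, because the map is applied to every packet bridged in the VLAN in both directions and keeps no state; `mirror_permits` shows the reversed ACEs that would be needed. That part is my reading of the VACL semantics rather than anything confirmed in the thread, so it is worth checking on the switch with `show vlan access-map` and `show vlan filter` and a test client before relying on it. Note also that these are IP ACLs, so ARP and other non-IP frames in VLAN 2 are not filtered by them at all.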

4 Replies

Ganesh Hariharan
VIP Alumni

Hi Vaibhav,

The above configuration seems OK, but you can make a single extended ACL for allowing the specific IPs, which you have done in two ACLs, and apply that on the VLAN. And why would you want to permit the switch IP for user access? If this is a need, then permit it in the same ACL for the source which needs it; otherwise there is no need to put the switch IP address in the ACL.

Hope this helps,

Ganesh.H


Dear Ganesh,

Thanks a lot,

so we don't configure the VLAN 2 interface IP address (10.10.10.100) as permitted in all the ACLs, OK.

Thanks once again!!!

Vaib...