07-13-2013 05:08 PM - edited 03-07-2019 02:23 PM
Scenario is:
VLAN 210 must not access VLAN 250.
VLAN 210 can access the other VLANs: 200, 914 and VLAN 68.
I tried to permit the addresses of the 3 VLANs (200, 914 and 68) on the VLAN 210 filter, but what happened is it can't access the 3 other VLANs either, even though they are permitted.
vlan 200 - 192.168.200.0
vlan 91 - 192.168.91.0
vlan 68 - 192.168.68.252
ip access-list extended VLAN-FILTER210
permit ip 192.168.210.0 0.0.0.255 192.168.250.0 0.0.0.255
ip access-list extended TRAFFIC-200-914-68
permit ip 192.168.210.0 0.0.0.255 192.168.200.0 0.0.0.255 <------- Network Address of VLAN 200
permit ip 192.168.210.0 0.0.0.255 192.168.91.0 0.0.0.255 <------- Network Address of VLAN 91
permit ip 192.168.210.0 0.0.0.255 192.168.68.252 0.0.0.3 <------- Network Address of VLAN 68
vlan access-map VLAN-FILTER-210 20
match ip address VLAN-FILTER210
action drop
vlan access-map VLAN-FILTER-210 10
match ip address TRAFFIC-200-914-68
action forward
vlan filter VLAN-FILTER-210 vlan-list 210
what did I do wrong?
07-14-2013 12:26 AM
It seems your config is OK. Could you please post the result of "show vlan filter", "show vlan access-map" and "show vlan access-list"?
07-14-2013 12:32 AM
CORE_SWC#sho vlan access-map
Vlan access-map "VLAN-FILTER-210" 10
  Match clauses:
    ip address: TRAFFIC-200-914-68
  Action:
    forward
Vlan access-map "VLAN-FILTER-210" 20
  Match clauses:
    ip address: VLAN-FILTER210
  Action:
    drop
VLAN Map VLAN-FILTER-210 is filtering VLANs:
  210
07-15-2013 02:24 PM
And one more thing, guys:
I replaced the network addresses with
ip access-list extended TRAFFIC-200-914-68
permit ip 192.168.210.0 0.0.0.255 192.168.200.0 0.0.0.255 <------- Network Address of VLAN 200
permit ip 192.168.210.0 0.0.0.255 192.168.91.0 0.0.0.255 <------- Network Address of VLAN 91
permit ip 192.168.210.0 0.0.0.255 192.168.68.252 0.0.0.3 <------- Network Address of VLAN 68
permit ip any any
and now it can ping other network addresses. How do I allow network addresses specifically? I tried to specifically add the said network addresses but it won't work; I don't know what I did wrong.
07-15-2013 02:31 PM
Hi,
Why are you using a VACL to filter inter-VLAN traffic? A VACL is for filtering intra-VLAN traffic; for inter-VLAN traffic it is best to use a RACL applied on the SVI.
Regards
Alain
Don't forget to rate helpful posts.
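The RACL approach Alain recommends, written out as an added example for the original scenario (this is not config from the thread or from Cisco documentation). It assumes the VLAN 210 SVI is interface Vlan210 with the gateway address 192.168.210.1, and it keeps the destination networks exactly as the original post lists them (192.168.200.0/24, 192.168.91.0/24 and 192.168.68.252 0.0.0.3, which matches only the four addresses 192.168.68.252-255). An inbound RACL on the SVI is evaluated only for packets leaving VLAN 210 towards the router, so replies coming back from VLAN 200, 91 or 68 are never subject to it, which is why the specific permits work here. My reading of the VACL attempt above is that it failed for exactly that reason: a VLAN map sees every IP packet in VLAN 210, including the replies from the other VLANs, and an IP packet that matches none of the map's IP ACLs hits the map's implicit drop; the later "permit ip any any" entry masked that by forwarding everything.

```cisco
! Added example, not from the thread. Assumed: SVI Vlan210 at 192.168.210.1.
ip access-list extended RACL-VLAN210-IN
 remark Applied inbound on the VLAN 210 SVI: only routed traffic leaving VLAN 210 is checked
 remark Explicit block first: VLAN 210 -> VLAN 250
 deny   ip 192.168.210.0 0.0.0.255 192.168.250.0 0.0.0.255
 remark Traffic to the gateway itself (inbound ACLs also filter packets addressed to the router)
 permit ip 192.168.210.0 0.0.0.255 host 192.168.210.1
 remark Allowed destinations, as listed in the original post
 permit ip 192.168.210.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.210.0 0.0.0.255 192.168.91.0 0.0.0.255
 permit ip 192.168.210.0 0.0.0.255 192.168.68.252 0.0.0.3
 remark Implicit "deny ip any any" drops any other inter-VLAN traffic from VLAN 210
!
interface Vlan210
 ip address 192.168.210.1 255.255.255.0
 ip access-group RACL-VLAN210-IN in
!
! Verification: hit counters per entry, and confirmation that the ACL is bound to the SVI
! show ip access-lists RACL-VLAN210-IN
! show ip interface Vlan210 | include access list
```

Two practical notes: the explicit deny for VLAN 250 is redundant with the implicit deny at the end, but it gives a hit counter in "show ip access-lists" that shows the block is actually being exercised; and because the implicit deny also covers DHCP relay, DNS and anything else VLAN 210 hosts reach through the router, check those flows before relying on a permit-list this narrow.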
07-15-2013 02:37 PM
Hi cadet, thanks for the enlightenment. For clarification, I can use a VACL if I want to block telnet/RDP on the whole VLAN 200 network, right?
07-15-2013 02:41 PM
Hi,
Yes you can use a VACL to filter traffic between hosts in the same VLAN.
Regards
Alain
Don't forget to rate helpful posts.
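The intra-VLAN case from the follow-up question, as an added example (not config from the thread): a VACL on VLAN 200 that drops telnet (TCP 23) and RDP (TCP 3389) between hosts that are both in 192.168.200.0/24 and forwards everything else. It assumes VLAN 200 is 192.168.200.0/24 as the original post states. In a VLAN map the ACL only selects packets; "permit" in the ACL means "match", and the drop or forward decision comes from the access-map action. The second map entry has no match clause, so it applies to all remaining traffic, which is the explicit equivalent of the "permit ip any any" entry that made the original setup pass traffic again.

```cisco
! Added example, not from the thread. Assumed: VLAN 200 is 192.168.200.0/24.
ip access-list extended VLAN200-INTRA-TELNET-RDP
 remark Match clauses only; both ends inside VLAN 200 so routed traffic is not selected
 permit tcp 192.168.200.0 0.0.0.255 192.168.200.0 0.0.0.255 eq 23
 permit tcp 192.168.200.0 0.0.0.255 192.168.200.0 0.0.0.255 eq 3389
!
vlan access-map VLAN200-INTRA 10
 match ip address VLAN200-INTRA-TELNET-RDP
 action drop
vlan access-map VLAN200-INTRA 20
 remark No match clause: every other packet in VLAN 200 is forwarded
 action forward
!
vlan filter VLAN200-INTRA vlan-list 200
!
! Verification
! show vlan access-map VLAN200-INTRA
! show vlan filter
```

Because the source and destination in the match ACL are both the VLAN 200 subnet, telnet and RDP reaching VLAN 200 from other VLANs are not affected by this map; that traffic is better handled with a RACL on the Vlan200 SVI as in the inter-VLAN case. Note also that the VLAN map sees only the first packet direction listed here (client to server port), which is sufficient, since dropping the SYN prevents the session from being established.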