Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

VLAN Access map problem

Scenario is :

vlan 210 must not access vlan 250

vlan 210 can access other vlans - 200, 914 and vlan 68

i tried to permit the addresses of the 3 vlan - 200,914 and 68 on vlan 210 filter, but what happened is it cant also access the 3 other vlan eventhough it is permitted

vlan 200 -  192.168.200.0

vlan 91 - 192.168.91.0

vlan 68 - 192.168.68.252

ip access-list extended VLAN-FILTER210

permit ip 192.168.210.0 0.0.0.255 192.168.250.0 0.0.0.255

ip access-list extended TRAFFIC-200-914-68

permit ip 192.168.210.0 0.0.0.255 192.168.200.0 0.0.0.255   <------- Network Address of VLAN 200

permit ip 192.168.210.0 0.0.0.255 192.168.91.0 0.0.0.255     <------- Network Address of VLAN 91

permit ip 192.168.210.0 0.0.0.255 192.168.68.252 0.0.0.3     <------- Network Address of VLAN 68

vlan access-map VLAN-FILTER-210 20

match ip address VLAN-FILTER210

action drop

vlan access-map VLAN-FILTER-210 10

match ip address TRAFFIC-200-914-68

action forward

vlan filter VLAN-FILTER-210 vlan-list  210

what did I do wrong?

1 ACCEPTED SOLUTION

Accepted Solutions
Purple

VLAN Access map problem

Hi,

Why are you using a VACL to filter inter vlan traffic ? a VACL is for filtering intra vlan traffic and for inter vlan traffic it is best to use a RACL applied on the SVI.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
6 REPLIES

VLAN Access map problem

It seems your config is OK. Could you please post the result of "show vlan filter" "show vlan access-map" "show vlan access-list" ?

New Member

VLAN Access map problem

CORE_SWC#sho vlan access-map

Vlan access-map "VLAN-FILTER-210"  10

  Match clauses:

    ip  address: TRAFFIC-200-914-68

  Action:

    forward

Vlan access-map "VLAN-FILTER-210"  20

  Match clauses:

    ip  address: VLAN-FILTER210

  Action:

    drop

VLAN Map VLAN-FILTER-210 is filtering VLANs:

  210

New Member

Re: VLAN Access map problem

and 1 more thing guys

I replace the network addresses with

ip access-list extended TRAFFIC-200-914-68

permit ip 192.168.210.0 0.0.0.255 192.168.200.0 0.0.0.255   <------- Network Address of VLAN 200

permit ip 192.168.210.0 0.0.0.255 192.168.91.0 0.0.0.255     <------- Network Address of VLAN 91

permit ip 192.168.210.0 0.0.0.255 192.168.68.252 0.0.0.3     <------- Network Address of VLAN 68

permit ip any any

and now it can ping other network addresses, how do i allow network addresses specifically? i tried to specifically add the said network addresses but it wont do, i dont know what did i do wrong

Purple

VLAN Access map problem

Hi,

Why are you using a VACL to filter inter vlan traffic ? a VACL is for filtering intra vlan traffic and for inter vlan traffic it is best to use a RACL applied on the SVI.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
New Member

Re: VLAN Access map problem

hi cadet, thanks for the enlightenment, for clarification, i can use VACL if i want to block the telnet/rdp on the whole vlan 200 network right?

Purple

VLAN Access map problem

Hi,

Yes you can use a VACL to filter traffic between hosts in the same VLAN.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
248
Views
0
Helpful
6
Replies
CreatePlease to create content