VLAN Access map problem

radarbackwards
Level 1

Scenario is:

vlan 210 must not access vlan 250

vlan 210 can access other vlans - 200, 914 and vlan 68

I tried to permit the addresses of the 3 VLANs (200, 914 and 68) on the VLAN 210 filter, but what happened is it can't access the 3 other VLANs either, even though they are permitted.

vlan 200 - 192.168.200.0
vlan 91 - 192.168.91.0
vlan 68 - 192.168.68.252

! ACL naming the traffic to drop: VLAN 210 -> VLAN 250
ip access-list extended VLAN-FILTER210
 permit ip 192.168.210.0 0.0.0.255 192.168.250.0 0.0.0.255
!
! ACL naming the traffic to forward: VLAN 210 -> VLANs 200, 91 and 68
ip access-list extended TRAFFIC-200-914-68
 permit ip 192.168.210.0 0.0.0.255 192.168.200.0 0.0.0.255   <------- Network Address of VLAN 200
 permit ip 192.168.210.0 0.0.0.255 192.168.91.0 0.0.0.255     <------- Network Address of VLAN 91
 permit ip 192.168.210.0 0.0.0.255 192.168.68.252 0.0.0.3     <------- Network Address of VLAN 68
!
! VLAN map, evaluated in sequence-number order (10 before 20)
vlan access-map VLAN-FILTER-210 20
 match ip address VLAN-FILTER210
 action drop
vlan access-map VLAN-FILTER-210 10
 match ip address TRAFFIC-200-914-68
 action forward
!
! Apply the map to VLAN 210
vlan filter VLAN-FILTER-210 vlan-list 210

What did I do wrong?

Accepted Solution

Hi,

Why are you using a VACL to filter inter vlan traffic ? a VACL is for filtering intra vlan traffic and for inter vlan traffic it is best to use a RACL applied on the SVI.

Regards

Alain

Don't forget to rate helpful posts.

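The RACL-on-the-SVI approach Alain describes, written out for the addressing in the question. This is an added example, not configuration from the thread: the SVI address 192.168.210.1 and the ACL name RACL-VLAN210-IN are assumptions, and the 192.168.68.252 0.0.0.3 entry is kept exactly as the original poster wrote it.

```ios
! Added example (not from the thread). Assumes VLAN 210 = 192.168.210.0/24 with its
! SVI at 192.168.210.1 (assumed address) and the other VLAN subnets as posted above.
ip access-list extended RACL-VLAN210-IN
 remark VLAN 210 must not reach VLAN 250 (explicit deny so hit counts are visible)
 deny   ip 192.168.210.0 0.0.0.255 192.168.250.0 0.0.0.255
 remark VLAN 210 may reach VLANs 200, 91 and 68 only
 permit ip 192.168.210.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.210.0 0.0.0.255 192.168.91.0 0.0.0.255
 permit ip 192.168.210.0 0.0.0.255 192.168.68.252 0.0.0.3
 remark anything else routed out of VLAN 210 hits the implicit deny
!
interface Vlan210
 ip address 192.168.210.1 255.255.255.0
 ip access-group RACL-VLAN210-IN in
```

Applied inbound on the Vlan210 SVI, the list only examines packets that hosts in VLAN 210 send toward the router, so replies coming back from 200, 91 and 68 are never filtered and the ping problem from the question does not arise. Two caveats a practitioner should check: the ACL is stateless, so a host in VLAN 250 can still push unsolicited packets into VLAN 210 (its TCP sessions will not complete because the replies are denied, but one-way UDP or ICMP will arrive); if "must not access" is meant in both directions, put the mirror-image deny inbound on interface Vlan250. And because only three destinations are permitted, anything else VLAN 210 needs through the router (DNS, DHCP relay, the default route) is dropped by the implicit deny; confirm with `show ip access-lists RACL-VLAN210-IN`, which shows per-entry match counters, and with `show ip interface Vlan210`, which should report the inbound access list.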

6 Replies

Eduardo Aliaga
Level 4

It seems your config is OK. Could you please post the result of "show vlan filter", "show vlan access-map" and "show vlan access-list"?

CORE_SWC#sho vlan access-map
Vlan access-map "VLAN-FILTER-210"  10
  Match clauses:
    ip  address: TRAFFIC-200-914-68
  Action:
    forward
Vlan access-map "VLAN-FILTER-210"  20
  Match clauses:
    ip  address: VLAN-FILTER210
  Action:
    drop

VLAN Map VLAN-FILTER-210 is filtering VLANs:
  210

And one more thing, guys:

I replaced the network addresses with

ip access-list extended TRAFFIC-200-914-68
 permit ip 192.168.210.0 0.0.0.255 192.168.200.0 0.0.0.255   <------- Network Address of VLAN 200
 permit ip 192.168.210.0 0.0.0.255 192.168.91.0 0.0.0.255     <------- Network Address of VLAN 91
 permit ip 192.168.210.0 0.0.0.255 192.168.68.252 0.0.0.3     <------- Network Address of VLAN 68
 permit ip any any

and now it can ping the other network addresses. How do I allow network addresses specifically? I tried to specifically add the said network addresses but it won't do; I don't know what I did wrong.


Hi cadet, thanks for the enlightenment. For clarification, I can use a VACL if I want to block Telnet/RDP on the whole VLAN 200 network, right?

Hi,

Yes you can use a VACL to filter traffic between hosts in the same VLAN.

Regards

Alain

Don't forget to rate helpful posts.
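A VACL for the case just confirmed: drop Telnet (TCP 23) and RDP (TCP 3389) to every host in VLAN 200 and forward everything else. This is an added example, not configuration from the thread; it assumes VLAN 200 = 192.168.200.0/24 as posted above, and the names MATCH-TELNET-RDP-200 and BLOCK-MGMT-200 are hypothetical.

```ios
! Added example (not from the thread). Assumes VLAN 200 = 192.168.200.0/24.
! In a VLAN map only "permit" entries of the match ACL select traffic; a "deny"
! entry just means "not matched by this clause", so the traffic to DROP is
! written as permits here.
ip access-list extended MATCH-TELNET-RDP-200
 permit tcp any 192.168.200.0 0.0.0.255 eq telnet
 permit tcp any 192.168.200.0 0.0.0.255 eq 3389
!
vlan access-map BLOCK-MGMT-200 10
 match ip address MATCH-TELNET-RDP-200
 action drop
! No match clause = matches every remaining packet. Without this entry the
! VLAN map's implicit deny drops all other traffic in the VLAN.
vlan access-map BLOCK-MGMT-200 20
 action forward
!
vlan filter BLOCK-MGMT-200 vlan-list 200
```

Two points worth checking after applying it. First, sequence 20 is the catch-all forward; a VLAN map ends in an implicit deny, and the map in the original question has no such entry: its forward clauses only match packets sourced from 192.168.210.0/24, so replies routed back into VLAN 210 from the other VLANs match nothing and are dropped, which is why adding `permit ip any any` to the forward ACL made the pings work. Second, a VACL is applied to packets bridged within the VLAN and to packets routed into or out of it, so this map blocks Telnet and RDP to VLAN 200 hosts from other VLANs as well, not only from neighbours in VLAN 200; verify with `show vlan access-map BLOCK-MGMT-200` and `show vlan filter`.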