New Member

VLAN ACL not working

I want to block everything in VLAN 210 from accessing VLAN 250 and vice versa, but it doesn't work.

ip access-list extended ALLOW_VLAN250
 permit ip any any
ip access-list extended BLOCK_VLAN210
 deny ip any any
 deny icmp any any
vlan access-map VLAN250MAP 250
 action forward
 match ip address ALLOW_VLAN250
vlan access-map VLAN250MAP 210
 action drop
 match ip address BLOCK_VLAN210
!
vlan filter VLAN250MAP vlan-list 210

1 ACCEPTED SOLUTION
Bronze

VLAN ACL not working

Try this:

VLAN 210: 1.1.1.0/24
VLAN 250: 2.2.2.0/24

ip access-list extended VLAN-FILTER
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
ip access-list extended ANY-TRAFFIC
 permit ip any any
vlan access-map VLAN-FILTER-210 10
 match ip address VLAN-FILTER
 action drop log
vlan access-map VLAN-FILTER-210 20
 match ip address ANY-TRAFFIC
 action forward
vlan filter VLAN-FILTER-210 vlan-list 210
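The difference between the original poster's map and the accepted answer comes down to how a VLAN access map uses its ACL, and that can be checked without a switch. The Python 3 model below is an added example, not Cisco code and not part of either post. It parses only the IOS syntax that appears in this thread and applies the standard Catalyst VACL rules: inside an access map the ACL only classifies, so a packet matches a map entry when it hits a permit ACE, while a deny ACE is simply "not this entry"; entries are tried in sequence order; and an IP packet that matches no entry is dropped by the map's implicit deny. Running it over the poster's configuration shows why nothing was blocked (the drop entry's ACL contains only deny lines, so it never matches, and the permit-any entry forwards everything). Over the accepted answer it shows the 210-to-250 direction being dropped on VLAN 210 and the 250-to-210 direction still forwarded. The block also carries a bidirectional variant with a second permit ACE; that variant, the subnets 1.1.1.0/24 and 2.2.2.0/24 taken from the answer, and the sample hosts 1.1.1.10 and 2.2.2.20 are all assumptions of the example.

```python
"""Added model of Catalyst VACL evaluation (not Cisco code): parses the subset of IOS syntax
used in this thread and reports what a VLAN access map does with an IP packet."""
import ipaddress
from collections import namedtuple

Ace = namedtuple("Ace", "permit proto src dst")   # one access-list entry


def _net(tokens, i):
    """Parse 'any' or 'A.B.C.D WILDCARD' at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # ipaddress accepts a contiguous wildcard (hostmask) directly, e.g. 1.1.1.0/0.0.0.255
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return (acls, maps, filters): ACL name -> [Ace], map name -> {seq: entry}, VLAN -> map name."""
    acls, maps, filters, current = {}, {}, {}, None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if t[:3] == ["ip", "access-list", "extended"]:
            current = ("acl", acls.setdefault(t[3], []))
        elif t[:2] == ["vlan", "access-map"]:
            seq = int(t[3]) if len(t) > 3 else 10      # IOS assigns 10 when no sequence is given
            current = ("map", maps.setdefault(t[2], {}).setdefault(seq, {"match": [], "action": "forward"}))
        elif t[:2] == ["vlan", "filter"]:              # vlan filter MAP vlan-list 210,250 (no ranges)
            for vlan in t[4].split(","):
                filters[int(vlan)] = t[2]
        elif current and current[0] == "acl" and t[0] in ("permit", "deny"):
            src, i = _net(t, 2)                        # permit|deny PROTO SRC DST (ports ignored)
            dst, _ = _net(t, i)
            current[1].append(Ace(t[0] == "permit", t[1], src, dst))
        elif current and current[0] == "map" and t[0] == "match":    # match ip address ACL [ACL ...]
            current[1]["match"].extend(t[3:])
        elif current and current[0] == "map" and t[0] == "action":   # action drop [log] | forward
            current[1]["action"] = t[1]
    return acls, maps, filters


def acl_matches(aces, proto, src, dst):
    """Inside a VACL the ACL only classifies: the entry matches when the packet hits a permit
    ACE; hitting a deny ACE, or nothing at all, means 'not this entry', never 'drop'."""
    for ace in aces:
        if ace.proto in ("ip", proto) and src in ace.src and dst in ace.dst:
            return ace.permit
    return False


def vacl_action(config, vlan, proto, src, dst):
    """First matching entry in sequence order wins; an IP packet matching no entry is dropped."""
    acls, maps, filters = config
    if vlan not in filters:
        return "forward"                               # no vlan filter applied to this VLAN
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    entries = maps.get(filters[vlan], {})
    for seq in sorted(entries):
        if any(acl_matches(acls.get(n, []), proto, src, dst) for n in entries[seq]["match"]):
            return entries[seq]["action"]
    return "drop"                                      # the VACL's implicit deny


OP_CONFIG = """! the original poster's configuration, as given in the thread
ip access-list extended ALLOW_VLAN250
 permit ip any any
ip access-list extended BLOCK_VLAN210
 deny ip any any
 deny icmp any any
vlan access-map VLAN250MAP 250
 action forward
 match ip address ALLOW_VLAN250
vlan access-map VLAN250MAP 210
 action drop
 match ip address BLOCK_VLAN210
vlan filter VLAN250MAP vlan-list 210
"""

ANSWER_CONFIG = """! the accepted answer; it assumes 1.1.1.0/24 for VLAN 210 and 2.2.2.0/24 for VLAN 250
ip access-list extended VLAN-FILTER
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
ip access-list extended ANY-TRAFFIC
 permit ip any any
vlan access-map VLAN-FILTER-210 10
 match ip address VLAN-FILTER
 action drop log
vlan access-map VLAN-FILTER-210 20
 match ip address ANY-TRAFFIC
 action forward
vlan filter VLAN-FILTER-210 vlan-list 210
"""

# Added variant (not from the thread): a second permit ACE so the drop entry also classifies packets entering VLAN 210 from VLAN 250.
BIDIRECTIONAL_CONFIG = ANSWER_CONFIG.replace(
    "ip access-list extended ANY-TRAFFIC",
    " permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255\nip access-list extended ANY-TRAFFIC")

if __name__ == "__main__":  # constructed hosts: 1.1.1.10 in VLAN 210, 2.2.2.20 in VLAN 250
    for label, cfg in ("OP", OP_CONFIG), ("answer", ANSWER_CONFIG), ("bidirectional", BIDIRECTIONAL_CONFIG):
        c = parse_config(cfg)
        print(f"{label:14} 210->250 {vacl_action(c, 210, 'tcp', '1.1.1.10', '2.2.2.20'):8}"
              f" 250->210 {vacl_action(c, 210, 'tcp', '2.2.2.20', '1.1.1.10')}")
```

Run as a script it prints one line per configuration with the action taken for each direction. The point to take from the poster's case is that `deny` inside an ACL referenced by a VACL does not drop anything; traffic to be dropped has to be selected with `permit` in the ACL and then dropped by the access-map entry's `action`, which is what the accepted answer does. The bidirectional variant only adds the return-direction ACE to the same drop entry; whether that is wanted depends on how the VLAN 250 side is filtered on the switch in question.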

5 REPLIES

VLAN ACL not working

I have done something like this, but just using ACLs and then applying them to the VLAN interface "in".

Can you paste the ip access list in here too?

New Member

VLAN ACL not working

This is the only ACL:

ip access-list extended ALLOW_VLAN250
 permit ip any any
ip access-list extended BLOCK_VLAN210
 deny ip any any
 deny icmp any any

Silver

VLAN ACL not working

Hi, you might want to add VLAN 250 to your filter list. A VACL works in only one direction, as we found when we tried this on some of our call recording packet captures. Also, why do you have to go all the way down to the VACL level if you can have it blocked on the L3 port/VLAN side? Just a thought.

---

Posted by WebUser John Patrick Lopez from Cisco Support Community App

New Member

Re: VLAN ACL not working

Hi John,

I already added 250 to my filter list, but it still isn't working. I want to go down to the VACL level because it is a compliance requirement we are working on right now.

ip access-list extended ALLOW_VLAN250
 permit ip any any
ip access-list extended BLOCK_VLAN210
 deny ip any any
 deny icmp any any
vlan access-map VLAN250MAP 250
 action forward
 match ip address ALLOW_VLAN250
vlan access-map VLAN250MAP 210
 action drop
 match ip address BLOCK_VLAN210
!
vlan filter VLAN250MAP vlan-list 210
vlan filter VLAN210MAP vlan-list 250
