06-21-2008 04:14 AM - edited 03-05-2019 11:45 PM
Hello friends,
I have a question about VLAN map ACLs (VACLs).
We have around 54 VLANs:
VLAN 1 for management
VLAN 10 for servers
We want to allow all users
to see VLANs 1 & 10
and deny them from seeing each other.
I did a sample testing configuration:
#######
ip access-list extended Allow-VLAN10&1
permit ip any 10.64.10.0 0.0.0.255
permit ip 10.64.10.0 0.0.0.255 any
permit ip any 10.64.1.0 0.0.0.255
permit ip 10.64.1.0 0.0.0.255 any
deny ip any any
vlan access-map AllowTrafficMap 10
match ip address Allow-VLAN10&1
action forward
vlan filter AllowTrafficMap vlan-list 49
######
If I apply it, VLAN 49 cannot browse
the internet. We have a Catalyst 4000 L3 switch.
Please suggest the best solution for me.
Metab
Best Regards,
06-21-2008 08:47 AM
Simpler approach:
access-list 10 deny [Vlan1]
access-list 10 permit any
access-list 1 deny [Vlan10]
access-list 1 permit any
interface Vlan 10
ip access-group 10 in
interface Vlan 1
ip access-group 1 in
HTH,
__
Edison.
Please rate helpful posts
06-21-2008 11:43 AM
What you typed is a standard ACL,
and what I am talking about is a VLAN map ACL,
so it is different. I want VLANs 1 & 10
to be seen by all the users. Do you get my idea?
06-21-2008 05:46 PM
Metab,
If I am reading this right, within each VLAN you would like users from VLAN 1 and VLAN 10 to communicate with anyone in the remaining VLANs (for example 5, 7, 15... whatever number).
So in your above configuration, this is what you are allowing within each VLAN (in this example VLAN 49):
10.64.10.x can do and see anything
10.64.1.x can do and see anything
Everything destined to anything else is dropped. Your deny ip any any at the end does nothing. VACLs are like route-maps, and a deny just means that there isn't a match on that particular access-map statement. When that happens, there is no VACL sequence 20 with action forward, so it denies the traffic. It basically could be removed.
So with that logic, any other traffic within that VLAN (including internet) will be dropped.
Here is what I would do if you want to use VACLs. If you have VLAN SVIs, Layer 3 access-lists might be a better option if you're looking for alternatives.
List out your current VLAN IP subnets and summarize if possible:
Vlan 1 = Subnet 1
Vlan 2 = Subnet 2
...
ip access-list extended DROP
 permit ip any <Subnet 2> <wildcard>
 permit ip any <Subnet 3> <wildcard>
 ! one line per VLAN subnet; exclude VLAN/subnet 10 and 1
vlan access-map VACL 10
 match ip address DROP
 action drop
vlan access-map VACL 20
 action forward
vlan filter VACL vlan-list 49
Do this for all VLANs except 10 and 1.
For 10 and 1
ip access-list extended VLAN10
 permit ip 10.64.10.0 0.0.0.255 any
 permit ip any 10.64.10.0 0.0.0.255
ip access-list extended VLAN1
 permit ip 10.64.1.0 0.0.0.255 any
 permit ip any 10.64.1.0 0.0.0.255
vlan access-map VACL10 10
 match ip address VLAN1
 action drop
vlan access-map VACL10 20
 action forward
vlan access-map VACL1 10
 match ip address VLAN10
 action drop
vlan access-map VACL1 20
 action forward
vlan filter VACL10 vlan-list 10
vlan filter VACL1 vlan-list 1
You really might want to look at some Layer 3 ACLs as suggested before, though.
Regards,
Nate
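To make the VACL behaviour that Nate describes concrete, here is an added Python example (not part of this thread or of any Cisco tool) that simulates how a vlan access-map evaluates a packet: a sequence only "matches" when its ACL permits the packet, a deny entry or no entry at all just moves on to the next sequence, and falling off the end of the map drops the packet. It replays Metab's original map and Nate's DROP-then-forward map against a few constructed flows inside VLAN 49. The 10.64.5.0/24 subnet for VLAN 5, the 10.64.49.0/24 address for the VLAN 49 user and the 198.51.100.10 internet host are assumptions made for the example; only 10.64.1.0/24 and 10.64.10.0/24 come from the thread.

```python
"""Simulate Cisco VACL (vlan access-map) evaluation for the configurations in this thread."""
import ipaddress


def _parse_addr(tokens, i):
    """Parse one IOS address spec starting at tokens[i]: 'any', 'host A.B.C.D',
    or 'A.B.C.D wildcard'. Returns (ip_network, index of the next token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    hostmask = int(ipaddress.ip_address(tokens[i + 1]))
    if hostmask & (hostmask + 1):
        raise ValueError("only contiguous wildcard masks are supported: " + tokens[i + 1])
    prefix = 32 - hostmask.bit_length()  # wildcard 0.0.0.255 -> /24
    return ipaddress.ip_network(f"{tok}/{prefix}", strict=False), i + 2


def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' lines of an IOS extended ACL into (action, src_net, dst_net)."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue  # skip blank lines and any 'ip access-list extended ...' header
        src, i = _parse_addr(t, 2)
        dst, _ = _parse_addr(t, i)
        entries.append((t[0], src, dst))
    return entries


def acl_lookup(entries, src, dst):
    """First-match ACL lookup: 'permit', 'deny', or None when no entry matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in entries:
        if s in snet and d in dnet:
            return action
    return None


def vacl_decision(access_map, acls, src, dst):
    """access_map is an ordered list of (acl_name_or_None, action), one per sequence.
    A sequence matches only when its ACL *permits* the packet; a deny entry, or no
    matching entry, means 'no match here' and the next sequence is tried. A sequence
    without a match clause matches everything. If no sequence matches, the packet
    falls off the end of the map and is dropped."""
    for acl_name, action in access_map:
        if acl_name is None or acl_lookup(acls[acl_name], src, dst) == "permit":
            return action
    return "drop"


# Metab's ACL and access-map, as posted in the first message.
METAB_ACL = """
permit ip any 10.64.10.0 0.0.0.255
permit ip 10.64.10.0 0.0.0.255 any
permit ip any 10.64.1.0 0.0.0.255
permit ip 10.64.1.0 0.0.0.255 any
deny ip any any
"""
METAB_MAP = [("Allow-VLAN10&1", "forward")]

# Nate's approach for VLAN 49: drop traffic to/from the *other* user VLANs, then forward the rest.
# 10.64.5.0/24 (VLAN 5) is an assumed subnet for this example. VLAN 49's own subnet is deliberately
# not listed: a VACL also sees bridged traffic inside the VLAN, so listing it would cut off
# host-to-host traffic within VLAN 49.
NATE_DROP_ACL = """
permit ip any 10.64.5.0 0.0.0.255
permit ip 10.64.5.0 0.0.0.255 any
"""
NATE_MAP = [("DROP", "drop"), (None, "forward")]
ACLS = {"Allow-VLAN10&1": parse_acl(METAB_ACL), "DROP": parse_acl(NATE_DROP_ACL)}

# Constructed flows seen inside VLAN 49: a user going to the internet, to a server in VLAN 10, and to VLAN 5.
FLOWS = [("10.64.49.20", "198.51.100.10"), ("10.64.49.20", "10.64.10.5"), ("10.64.49.20", "10.64.5.7")]


def compare(flows=FLOWS):
    """Return {(src, dst): (decision under Metab's map, decision under Nate's map)}."""
    return {(s, d): (vacl_decision(METAB_MAP, ACLS, s, d), vacl_decision(NATE_MAP, ACLS, s, d))
            for s, d in flows}


def deny_any_any_is_redundant(flows=FLOWS):
    """Nate's point: removing 'deny ip any any' changes no decision, because an unmatched
    packet already falls off the end of the single-sequence map and is dropped."""
    without = {"Allow-VLAN10&1": parse_acl(METAB_ACL.replace("deny ip any any", ""))}
    return all(vacl_decision(METAB_MAP, ACLS, s, d) == vacl_decision(METAB_MAP, without, s, d)
               for s, d in flows)


if __name__ == "__main__":
    for (s, d), (metab, nate) in compare().items():
        print(f"{s} -> {d}: Metab's map {metab}, Nate's map {nate}")
    print("deny ip any any redundant:", deny_any_any_is_redundant())
```

Run as-is, it shows the symptom Metab reported: under his map the internet-bound flow is dropped even though the ACL's own `deny ip any any` is never what decides it, while Nate's map forwards it and still drops the VLAN 49 to VLAN 5 flow. The simulator only models IP source/destination matching, which is all these ACLs use; real VACLs also see bridged traffic within the VLAN, which is why the example leaves the VLAN's own subnet out of the DROP list.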