Re: vlan map ACL

motaibi-9 · ‎06-21-2008

Hello friends

i have question about vlan map ACL

we have around 54 vlan

vlan1 for management

vlan10 for servers

we want to allow all users

to see vlan 1 & 10

and deny them to see each other

i done sample testing configuration

#######

ip access-list extended Allow-VLAN10&1

permit ip any 10.64.10.0 0.0.0.255

permit ip 10.64.10.0 0.0.0.255 any

permit ip any 10.64.1.0 0.0.0.255

permit ip 10.64.1.0 0.0.0.255 any

deny ip any any

vlan access-map AllowTrafficMap 10

match ip address Allow-VLAN10&1

action forward

vlan filter AllowTrafficMap vlan-list 49

######

if i applid vlan 49 cannot browsing

internet , we have Catalyst 4000 L3 Switch

please suggest me for the best solution

Metab

Best Regards,,

Edison Ortiz · ‎06-21-2008

Simpler approach

access-list 10 deny [Vlan1]

access-list 10 permit any

access-list 1 deny [Vlan10]

access-list 1 permit any

interface Vlan 10

ip access-group 10 in

interface Vlan 1

ip access-group 1 in

HTH,

__

Edison.

Please rate helpful posts

motaibi-9 · ‎06-21-2008

what you type man it standard ACL

and what i talk about it vlan map ACL

so it different and i want be vlan 1 & 10

all the users see him , do you get my idea

nathancielieska · ‎06-21-2008

Metab,

If i am reading this right, within each vlan you would like users from vlan 1 and vlan 10 to communicate with anyone in remaining vlans (for example 5,7,15... whatever number).

So in your above configuration.. this is what you are allowing within each vlan (in this example vlan 49):

10.64.10.x can do and see anyone

10.64.1.x can do and see anyone

everyone destined to everything else is dropped. Your deny ip any any at the end does nothing.. VACL's are like route-maps and a deny just means that there isn't a match on that particular Access-map statement. When that happens there is no VACL permit 20 with action forward so it denies the traffic. It basically could be removed.

So with that logic, any traffic within that vlan (including internet) will be dropped.

Here is what i would do if you want to use VACL's. If you have Vlan SVI's that might be a better option with L3 access-lists if your looking for alternatives.

List out your current VLAN ip subnets and summarize if possible

Vlan 1 = Subnet 1

Vlan 2 = Subnet 2

ip access-list extended DROP

permit ip any

** exclude vlan/subnet 10 and 1

vlan access-map VACL permit 10

match ip address DROP

action drop

vlan access-map VACL permit 20

action forward

vlan filter VACL vlan-list 49

Do this for all vlans except for 10 and 1.

For 10 and 1

ip access-list ext VLAN10

permit ip 10.64.10.0 0.0.0.255 any

permit ip any 10.64.10.0 0.0.0.255

ip access=list ext VLAN1

permit ip 10.64.1.0 0.0.0.255 any

permit ip any 10.64.1.0 0.0.0.255 any

vlan access-map VACL10 permit 10

match ip address VLAN1

action drop

vlan access-map VACL10 permit 20

action forward

vlan access-map VACL1 permit 10

match ip address VLAN10

action drop

vlan access-map VACL1 permit 20

action forward

vlan filter-list VACL10 vlan-list 10

vlan filter-list VACL1 vlan-list 1

Really might look at some Layer 3 acls as suggested before though

Regards,

Nate