Cisco Support Community

New Member

VLAN Map issue

I have an issue with a VLAN map I am attempting to use to filter traffic. It is a flat Layer 2 LAN so all hosts are in VLAN 1. I have a number of test machines that I want to deny access to live database servers. To do this I tried the following:

ip access-list extended testboxes
 permit ip host x.x.x.x host x.x.x.x
vlan access-map denytest 10
 match ip address testboxes
 action drop
vlan filter denytest vlan-list 1

Once I apply the VLAN map I lose all connectivity to the switch. Is there something I am missing here?



New Member

Re: VLAN Map issue

Unlike regular IOS standard or extended ACLs, which are configured on router interfaces only and are applied to routed packets only, VACLs apply to all packets and can be applied to any VLAN. If a VACL is configured for certain traffic and that traffic does not match the VACL, the default action is deny. Additionally, VACLs have an implicit deny at the end of the map: a packet is denied if it does not match any ACL entry and at least one ACL is configured for the packet type. Add an additional permit statement allowing telnet, ssh, or web traffic to the switch:

permit tcp host X.X.X.X host X.X.X.X eq telnet

Best Regards
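The following is an added worked example of a complete access map for this scenario; it is not configuration from either post. It assumes two test machines and one database server with placeholder addresses (192.0.2.10, 192.0.2.11 and 192.0.2.100) and uses a second access-map sequence with action forward, which is how a VACL is told to pass everything it does not explicitly drop. In an access map, the permit entries of the ACL referenced by a drop sequence identify the traffic to be dropped, so a permit for management traffic placed in that same ACL would itself be dropped; the permit for the remaining traffic has to live in its own sequence.

```cisco
! Added example (not from either post). Addresses are placeholders.
! Goal: drop test-machine -> database-server traffic inside VLAN 1,
! forward everything else (including SSH/Telnet/HTTP to the switch itself).
ip access-list extended TESTBOX-TO-DB
 remark traffic that sequence 10 will DROP
 permit ip host 192.0.2.10 host 192.0.2.100
 permit ip host 192.0.2.11 host 192.0.2.100
!
! Sequence 10: packets matching the ACL above are dropped.
vlan access-map denytest 10
 match ip address TESTBOX-TO-DB
 action drop
!
! Sequence 20: no match clause, so it matches all remaining packets and
! forwards them. Without this sequence the map's implicit deny drops
! every other packet in the VLAN, including management sessions.
vlan access-map denytest 20
 action forward
!
! Apply the map to VLAN 1.
vlan filter denytest vlan-list 1
```

Apply this from the console rather than over an SSH or Telnet session so that a mistake in the map cannot lock you out, and confirm the result with `show vlan access-map denytest` (both sequences and their actions should be listed) and `show vlan filter` (the map should be bound to VLAN 1). Because a VACL is evaluated for bridged as well as routed traffic in the VLAN, test both a connection from a test machine to the database server (should fail) and a management session to the switch from an unrelated host (should still succeed).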