VACL: Restricting access using Vlan ACL.

by Cyrus Lok on Tuesday, June 8, 2010 at 11:28pm

Create a list of traffic that you want to restrict the vlan to access, in this example I want to restrict vlan 30 and 40 from accessing ftp, www and telnet

3550-1(config)#ip access-list extended vacl-ftp-www-telnet
3550-1(config-ext-nacl)#permit tcp any any eq www
3550-1(config-ext-nacl)#permit tcp any any eq ftp
3550-1(config-ext-nacl)#permit tcp any any eq telnet

3550-1(config)#vlan access-map vlan-deny-access
3550-1(config-access-map)#match ip address vacl-ftp-www-telnet
3550-1(config-access-map)#action drop
3550-1(config-access-map)#exit

Apply the vacl to vlan(s)
3550-1(config)#vlan filter vlan-deny-access vlan-list 30 , 40

3550-1(config)#vlan filter vlan-deny-access vlan-list 20 ?
, comma
– hyphen

As you can see above, vlan ACL can be applied to one vlan or a range of vlan.

To verify:
3550-1#sh vlan filter
VLAN Map vlan-deny-access is filtering VLANs:
30,40

To verify vlan acl configuration:
3550-1#sh vlan access-map
Vlan access-map “vlan30-deny-ftp-www-telnet” 10
Match clauses:
ip address: vacl-ftp-www-telnet
Action:
drop
Vlan access-map “vlan-deny-access” 10
Match clauses:
ip address: vacl-ftp-www-telnet
Action:
drop

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s

VACL: Restricting access using Vlan ACL.

Share this:

Like this:

Related

Published by cyruslab

Leave a Reply Cancel reply