[c-nsp] Restricted specific VLAN contacting other VLANs in catalyst 3750 switch

GarrettS garrett at skjelstad.org
Tue Sep 27 10:13:28 EDT 2022


Since you have layer 3 in the mix, why not just have ACLs on each of the SVIs (or routed interface) vs. trying to use it on a VACL?

Is your existing configuration not working? I know on some 3750 models, there were some limitations in 12 code that may cause heartburn, but that was like 8 years ago.

If below is line-for-line, you probably need to add a forwarding statement under your access-group 20, with a permit any/match all, since the default is drop.

Good luck!

Reg,
-Garrett
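Added example (the editor's, not from either poster) of the approach the reply suggests, applied to the scenario in the quoted thread: a router ACL inbound on the VLAN 191 SVI, which also catches packets addressed to the other VLANs' gateway addresses that a VACL filtered on VLANs 1-190 never sees, since those packets terminate in the switch's own IP stack instead of being forwarded into VLANs 1-190. The 192.168.1.0/28 prefix and the VLAN numbers come from the thread; the 10.0.0.0/8 summary for VLANs 1-190, the gateway address 192.168.1.1 and the ACL name are assumptions.

```cisco
! Assumed for this example: VLANs 1-190 all fall inside 10.0.0.0/8; substitute the
! real address summary (or one deny line per internal subnet) in a live deployment.
ip access-list extended VLAN191-IN
 remark Only needed if the switch relays or serves DHCP for VLAN 191
 permit udp any eq bootpc any eq bootps
 remark Block VLAN 191 -> any internal subnet, including the SVI addresses of VLANs 1-190
 deny   ip 192.168.1.0 0.0.0.15 10.0.0.0 0.255.255.255 log
 remark Anything else sourced from VLAN 191 is Internet-bound and allowed
 permit ip 192.168.1.0 0.0.0.15 any
 remark Spoofed or unexpected sources; "log" punts matches to the CPU, so keep it on denies only
 deny   ip any any log
!
interface Vlan191
 ip address 192.168.1.1 255.255.255.240
 ip access-group VLAN191-IN in
!
! If the VACL from the thread is kept as well, state the catch-all forward explicitly
! rather than relying on the behaviour of an entry with no action:
access-list 100 permit ip 192.168.1.0 0.0.0.15 any
vlan access-map XYZ 10
 match ip address 100
 action drop
vlan access-map XYZ 20
 action forward
vlan filter XYZ vlan-list 1-190
!
! Verify hit counts after testing from a VLAN 191 host against another VLAN's gateway:
! show ip access-lists VLAN191-IN
```

Pinging an SVI address of VLANs 1-190 from a VLAN 191 host should now increment the first deny counter, while pings to a public address still succeed.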


On September 26, 2022 9:18:18 PM PDT, trgapp16 <trgapp16 at cdot.in> wrote:
>Thanks Garrett.
>
>Correct, PVLAN works if the interface connecting to the internet is a layer 2 interface, which can be configured as a promiscuous port.
>
>What if the interface connecting to the internet router is a layer 3 port with an IP address?
>
>Thanks,
>
>Mounika M
>
>On Mon, 26 Sep 2022 19:33:36 -0700, Garrett via cisco-nsp wrote
>
>> isn't this what pvlans are for? 
>> 
>> On Mon, Sep 26, 2022, at 19:23, trgapp16 via cisco-nsp wrote: 
>> > Hello, 
>> > 
>> > We use a Cisco Catalyst 3750 switch as a small data center (DC)/core 
>> > switch on which nearly 200 VLANs sit, having internet connectivity 
>> > through an ADSL modem/router. 
>> > 
>> > SVI/RVIs are defined for all these 200 VLANs on the same DC/Core Switch. 
>> > 
>> > We have the following requirement: 
>> > 
>> > VLAN 1 - 190: should communicate among themselves and to internet 
>> > 
>> > VLAN 191: having network address 192.168.1.0/28, should not communicate 
>> > with any other VLAN except the internet 
>> > 
>> > To meet this requirement we used the following VACL configuration: 
>> > 
>> > SW(config)#access-list 100 permit ip 192.168.1.0 0.0.0.15 any 
>> > SW(config)#vlan access-map XYZ 10 
>> > SW(config-access-map)#match ip address 100 
>> > SW(config-access-map)#action drop 
>> > SW(config-access-map)#vlan access-map XYZ 20 
>> > SW(config)#vlan filter XYZ vlan-list 1-190 
>> > 
>> > By doing this, VLANs 1-190 are not able to contact VLAN 191, but can 
>> > reach the internet and each other (VLANs 1-190). 
>> > 
>> > Hosts in VLAN 191 are not able to contact the hosts in VLANs 1-190 (this 
>> > is also fine), but hosts in VLAN 191 are contacting the SVIs/gateways of 
>> > VLANs 1-190. 
>> > 
>> > Is there anything wrong in my VACL configuration or the sequence of ACLs? 
>> > 
>> > Any help is greatly appreciated. 
>> > 
>> > Thanks in advance 
>> > 
>> > Mounika M 
>> > 
>> > _______________________________________________ 
>> > cisco-nsp mailing list  cisco-nsp at puck.nether.net 
>> > https://puck.nether.net/mailman/listinfo/cisco-nsp 
>> > archive at http://puck.nether.net/pipermail/cisco-nsp/ 