Manual
+7(495) 797-3311 www.qtech.ru 
Moscow, Novozavodskaya St., 18, bldg. 1
Switch(config-ip-ext-nacl-vacl_a)# deny ip any-source any-destination time-range t1
3.  Configure the extended IP ACL acl_b, which at any time allows access only to resources within the internal network (such as 192.168.1.255).
Switch(config)#ip access-list extended vacl_b 
Switch(config-ip-ext-nacl-vacl_b)# permit ip any-source 192.168.1.0 0.0.0.255
Switch(config-ip-ext-nacl-vacl_b)# deny ip any-source any-destination
4.  Apply the configuration to the VLANs
Switch(config)#firewall enable 
Switch(config)#vacl ip access-group vacl_a in vlan 1 
Switch(config)#vacl ip access-group vacl_b in vlan 2 
51.4 VLAN-ACL Troubleshooting 
   When a VLAN ACL and a Port ACL are configured at the same time, the priority is
port>VLAN if the two ACLs are of the same kind, for example both are IP ACLs or both
are MAC ACLs. In that case only the rule on the port takes effect when a packet matches
rules on both the port and the VLAN, so the deny-priority principle is not followed.
If the two ACLs are not of the same kind, the deny-priority principle is followed.
   Only one ACL of each type can be applied to a VLAN; for example, each VLAN can
have only one basic IP ACL applied.
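
The precedence rules above, modelled in Python as an added example (not taken from the manual or from the switch software). VACL_B mirrors vacl_b from the configuration above; the port ACLs and packets are constructed, and letting a packet matched by only one ACL be decided by that ACL is an assumption.

```python
# Added illustration of the port-ACL vs VLAN-ACL precedence; not vendor code.
from ipaddress import ip_address, ip_network

def ip_rule(action, dst_net):
    """IP ACL rule: any source, destination inside dst_net."""
    net = ip_network(dst_net)
    return action, lambda pkt: ip_address(pkt["dst_ip"]) in net

def mac_rule(action, src_mac):
    """MAC ACL rule: match on source MAC ('any' matches every frame)."""
    return action, lambda pkt: src_mac in ("any", pkt["src_mac"])

def verdict(acl, pkt):
    """Action of the first matching rule, or None if no ACL or no match."""
    if acl is None:
        return None
    for action, matches in acl["rules"]:
        if matches(pkt):
            return action
    return None

def resolve(port_acl, vlan_acl, pkt):
    """Combine port and VLAN verdicts as the troubleshooting note describes."""
    p, v = verdict(port_acl, pkt), verdict(vlan_acl, pkt)
    if p is None or v is None:
        return p or v            # assumption: a lone match decides on its own
    if port_acl["kind"] == vlan_acl["kind"]:
        return p                 # same kind: port > VLAN, VLAN deny is ignored
    return "deny" if "deny" in (p, v) else "permit"   # different kinds: deny wins

# vacl_b as configured above (wildcard 0.0.0.255 == /24), applied to a VLAN.
VACL_B = {"kind": "ip", "rules": [ip_rule("permit", "192.168.1.0/24"),
                                  ip_rule("deny", "0.0.0.0/0")]}
# Constructed port ACLs (hypothetical, not from the manual).
PORT_IP = {"kind": "ip", "rules": [ip_rule("permit", "10.0.0.0/8")]}
PORT_MAC = {"kind": "mac", "rules": [mac_rule("permit", "any")]}

OUTSIDE = {"src_mac": "00:11:22:33:44:55", "dst_ip": "10.1.1.1"}      # constructed
INSIDE = {"src_mac": "00:11:22:33:44:55", "dst_ip": "192.168.1.20"}   # constructed

if __name__ == "__main__":
    print(resolve(PORT_IP, VACL_B, OUTSIDE))   # port IP ACL overrides the VLAN deny
    print(resolve(PORT_MAC, VACL_B, OUTSIDE))  # MAC + IP ACL: deny priority applies
    print(resolve(PORT_MAC, VACL_B, INSIDE))
    print(resolve(None, VACL_B, INSIDE))
```

The first case is the one to audit for: a permissive port ACL of the same kind makes the VLAN ACL's deny ineffective for traffic entering on that port.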










