Since you have layer 3 in the mix, why not just have ACLs on each of the SVIs (or routed interfaces) vs trying to use it on a VACL.
Is your existing configuration not working? I know on some 3750 models there were some limitations in 12 code that may cause heartburn, but that was like 8 years ago. If below is line-for-line, you probably need to add a forwarding statement under your access-group 20, with a permit any/match all, since the default is drop.

Good luck!

Reg,
-Garrett

On September 26, 2022 9:18:18 PM PDT, trgapp16 <trgap...@cdot.in> wrote:
>Thanks Garrett.
>
>Correct, PVLAN works if the interface connecting to the internet is a layer 2
>interface which can be configured as a promiscuous port.
>
>What if the interface connecting to the internet router is a layer 3 port
>having an IP address?
>
>Thanks,
>
>Mounika M
>
>On Mon, 26 Sep 2022 19:33:36 -0700, Garrett via cisco-nsp wrote
>
>> Isn't this what PVLANs are for?
>>
>> On Mon, Sep 26, 2022, at 19:23, trgapp16 via cisco-nsp wrote:
>> > Hello,
>> >
>> > We use a Cisco Catalyst 3750 switch as a small data center (DC)/core
>> > switch on which nearly 200 VLANs sit, having internet connectivity
>> > through an ADSL modem/router.
>> >
>> > SVI/RVIs are defined for all these 200 VLANs on the same DC/core switch.
>> >
>> > We have the following requirement:
>> >
>> > VLAN 1 - 190: should communicate among themselves and to the internet
>> >
>> > VLAN 191: having network address 192.168.1.0/28, should not communicate
>> > with any other VLAN except the internet
>> >
>> > To meet this requirement we used the following VACL configuration:
>> >
>> > SW(config)#access-list 100 permit ip 192.168.1.0 0.0.0.15 any
>> > SW(config)#vlan access-map XYZ 10
>> > SW(config-access-map)#match ip address 100
>> > SW(config-access-map)#action drop
>> > SW(config-access-map)#vlan access-map XYZ 20
>> > SW(config)#vlan filter XYZ vlan-list 1-190
>> >
>> > By doing this, VLANs 1-190 are not able to contact VLAN 191, but can
>> > still reach the internet and each other (VLANs 1-190).
>> >
>> > Hosts in VLAN 191 are not able to contact the hosts in VLANs 1-190 (this
>> > is also fine), but hosts in VLAN 191 are contacting the SVI/gateways of
>> > VLANs 1-190.
>> >
>> > Is there anything wrong in my VACL configuration or sequence of ACLs?
>> >
>> > Any help is greatly appreciated.
>> >
>> > Thanks in advance
>> >
>> > Mounika M

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
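The two approaches discussed in the thread, written out as an added example for this page (not configuration posted by anyone in the thread): a router ACL inbound on the VLAN 191 SVI, as Garrett suggests, and the original VACL with an explicit forward entry. Assumed values: VLANs 1-190 are addressed from 10.0.0.0/8, 172.16.0.0/12 and the rest of 192.168.0.0/16 (placeholders), the VLAN 191 gateway is 192.168.1.1, and the access-map name XYZ and ACL 100 are taken from the original post.

```cisco
! Why the VACL misses the SVIs: a packet from a VLAN 191 host to the gateway
! address of VLAN 5 is punted to the switch after the routing lookup and is
! never bridged into VLAN 5, so a VACL filtering VLAN 5 never sees it.
! An ACL inbound on interface Vlan191 is checked as the packet enters,
! before the routing decision, so traffic to other SVIs is filtered as well.
ip access-list extended VLAN191-IN
 remark let hosts reach their own gateway (assumed 192.168.1.1)
 permit ip 192.168.1.0 0.0.0.15 host 192.168.1.1
 remark block the internal address space (assumed ranges for VLANs 1-190)
 deny   ip 192.168.1.0 0.0.0.15 10.0.0.0 0.255.255.255
 deny   ip 192.168.1.0 0.0.0.15 172.16.0.0 0.15.255.255
 deny   ip 192.168.1.0 0.0.0.15 192.168.0.0 0.0.255.255
 remark everything else is the internet via the ADSL router
 permit ip 192.168.1.0 0.0.0.15 any
!
interface Vlan191
 ip address 192.168.1.1 255.255.255.240
 ip access-group VLAN191-IN in
!
! Connections started from VLANs 1-190 toward 192.168.1.0/28 are still
! routed in, but their replies are dropped by VLAN191-IN, so no session
! completes. To drop the first packet too, deny 192.168.1.0/28 as a
! destination in an inbound ACL on the other SVIs, or keep the VACL below.
!
! VACL variant from the original post, with the catch-all entry made
! explicit: a packet that matches no access-map entry is dropped, so
! sequence 20 must forward everything ACL 100 did not match.
access-list 100 permit ip 192.168.1.0 0.0.0.15 any
vlan access-map XYZ 10
 match ip address 100
 action drop
vlan access-map XYZ 20
 action forward
vlan filter XYZ vlan-list 1-190
```

`show ip access-lists VLAN191-IN` and `show vlan access-map XYZ` show hit counts and the resolved entries, which is the quickest way to confirm that VLAN 191 traffic to another VLAN's gateway address is now hitting a deny.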