PLANET WGSW-52040 User Manual – 53.4 VLAN-ACL Troubleshooting

Page 433


53-4

Switch(config-time-range-t1)#periodic weekdays 13:00:00 to 18:00:00

2) Configure the extended IP ACL vacl_a. During working hours (time-range t1) it permits access only to resources within the internal network 192.168.0.0/24; traffic to any other destination is denied during that period.

Switch(config)# ip access-list extended vacl_a

Switch(config-ip-ext-nacl-vacl_a)# permit ip any-source 192.168.0.0 0.0.0.255 time-range t1

Switch(config-ip-ext-nacl-vacl_a)# deny ip any-source any-destination time-range t1

3) Configure the extended IP ACL vacl_b. At any time it permits access only to resources within the internal network 192.168.1.0/24; all other traffic is denied.

Switch(config)#ip access-list extended vacl_b

Switch(config-ip-ext-nacl-vacl_b)# permit ip any-source 192.168.1.0 0.0.0.255

Switch(config-ip-ext-nacl-vacl_b)# deny ip any-source any-destination

4) Enable the firewall and apply the ACLs to the VLANs

Switch(config)#firewall enable

Switch(config)#vacl ip access-group vacl_a in vlan 1

Switch(config)#vacl ip access-group vacl_b in vlan 2

53.4 VLAN-ACL Troubleshooting

When a VLAN ACL and a port ACL are configured at the same time and both are of the same kind (both IP ACLs or both MAC ACLs), the port ACL has priority over the VLAN ACL: if a packet matches a rule in both, only the port rule takes effect. In this case the deny-priority principle is not honored, so a permit in the port ACL overrides a deny in the VLAN ACL. If the two ACLs are of different kinds, the deny-priority principle does apply: the packet is dropped if either ACL denies it.

Only one ACL of each kind can be applied to a VLAN; for example, each VLAN can have only one basic IP ACL.
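The following Python model is an added illustration for this page; it is not PLANET firmware and not code from the manual. It encodes the decision rules stated in this chapter (first-match evaluation inside an ACL, wildcard-mask destination matching, time-range gating, port ACL beating VLAN ACL of the same kind, deny priority across kinds) and re-expresses vacl_a and vacl_b from the configuration example above so the effect can be traced packet by packet. The port ACLs PORT_IP and PORT_MAC, the timestamps, the destination addresses, and the assumption that a packet matching no rule falls through to a default permit are all constructed for the demonstration and are not stated on the page.

```python
"""Model of the VLAN-ACL / port-ACL decision logic described in 53.4.

Added illustration for this page: NOT PLANET firmware and NOT code from the
manual.  It encodes only what the text states: first-match evaluation inside
an ACL, wildcard-mask destination matching, time-range gating, port ACL
beating VLAN ACL when both are of the same kind, and deny priority when the
two ACLs are of different kinds.
Assumption (not stated on this page): a packet that matches no rule in an ACL
falls through to the firewall default action, modelled here as permit.
"""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import IPv4Address
from typing import Optional

WEEKDAYS = {0, 1, 2, 3, 4}      # Monday..Friday as datetime.weekday() values
DEFAULT_ACTION = "permit"       # assumption, see module docstring


@dataclass
class TimeRange:
    """'periodic weekdays 13:00:00 to 18:00:00' -> TimeRange(WEEKDAYS, ...)."""
    days: set
    start: str                  # "HH:MM:SS", inclusive
    end: str                    # "HH:MM:SS", exclusive

    def active(self, when: datetime) -> bool:
        hms = when.strftime("%H:%M:%S")
        return when.weekday() in self.days and self.start <= hms < self.end


@dataclass
class Rule:
    action: str                         # "permit" or "deny"
    dst: Optional[str] = None           # destination network; None = any-destination
    wildcard: str = "0.0.0.0"           # inverse mask: 1 bits are "don't care"
    time_range: Optional[TimeRange] = None

    def matches(self, dst_ip: str, when: datetime) -> bool:
        if self.time_range is not None and not self.time_range.active(when):
            return False                # rule is inactive outside its time-range
        if self.dst is None:
            return True
        keep = 0xFFFFFFFF ^ int(IPv4Address(self.wildcard))
        return (int(IPv4Address(self.dst)) & keep) == (int(IPv4Address(dst_ip)) & keep)


@dataclass
class Acl:
    name: str
    kind: str                           # "ip" or "mac"
    rules: list = field(default_factory=list)

    def decide(self, dst_ip: str, when: datetime) -> Optional[str]:
        """First matching rule wins; None when no rule matches."""
        for rule in self.rules:
            if rule.matches(dst_ip, when):
                return rule.action
        return None


def single_acl(acl: Acl, dst_ip: str, when: datetime) -> str:
    """Decision when only one ACL (e.g. a VLAN ACL) applies to the packet."""
    return acl.decide(dst_ip, when) or DEFAULT_ACTION


def combined(port_acl: Acl, vlan_acl: Acl, dst_ip: str, when: datetime) -> str:
    """Decision when a port ACL and a VLAN ACL both apply to the packet."""
    p = port_acl.decide(dst_ip, when)
    v = vlan_acl.decide(dst_ip, when)
    if port_acl.kind == vlan_acl.kind:
        # Same kind: port > VLAN.  A port permit silently overrides a VLAN deny,
        # i.e. deny priority is NOT honoured.
        return p if p is not None else (v or DEFAULT_ACTION)
    # Different kinds: deny priority, a deny from either ACL drops the packet.
    return "deny" if "deny" in (p, v) else DEFAULT_ACTION


# The two VLAN ACLs from the configuration example, re-expressed in the model.
T1 = TimeRange(WEEKDAYS, "13:00:00", "18:00:00")
VACL_A = Acl("vacl_a", "ip", [
    Rule("permit", "192.168.0.0", "0.0.0.255", T1),
    Rule("deny", None, time_range=T1),
])
VACL_B = Acl("vacl_b", "ip", [
    Rule("permit", "192.168.1.0", "0.0.0.255"),
    Rule("deny"),
])
# Hypothetical port ACLs, constructed for the precedence demonstration.
PORT_IP = Acl("port_ip", "ip", [Rule("permit")])      # ip permit any any
PORT_MAC = Acl("port_mac", "mac", [Rule("permit")])   # mac permit any any

# Constructed timestamps: Wednesday 2024-03-06, inside and outside t1.
WORK = datetime(2024, 3, 6, 14, 0, 0)
OFF = datetime(2024, 3, 6, 20, 0, 0)

if __name__ == "__main__":
    print("vacl_a, 10.0.0.1 at 14:00 ->", single_acl(VACL_A, "10.0.0.1", WORK))
    print("vacl_a, 10.0.0.1 at 20:00 ->", single_acl(VACL_A, "10.0.0.1", OFF))
    print("port ip permit + vacl_b deny ->", combined(PORT_IP, VACL_B, "10.0.0.1", OFF))
    print("port mac permit + vacl_b deny ->", combined(PORT_MAC, VACL_B, "10.0.0.1", OFF))
```

Two results are worth checking on a real switch before relying on the configuration: outside t1 neither rule of vacl_a matches, so the default action decides what VLAN 1 hosts may reach; and an IP port ACL with a permit rule on any port in VLAN 2 overrides the deny in vacl_b for packets matching both, so a VLAN deny alone is not a guarantee once same-kind port ACLs are in use.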
