Do the VIP users fall into the same subnet after authentication as the normal users, or are they falling into a different subnet?
Have you applied these ACLs to the pre-auth role or the post-auth role?
The ACLs posted here need some fine tuning specific to your requirement.
If they are falling into different subnets, then:
Create an Alias and map the VIP users' subnet to that Alias.
Use the "netdestination" command to configure the Alias.
Call it "VIP_Users", for example.
Create another Alias for normal users and map the normal users' subnet.
Call it "Normal_Users".
To deny traffic between these two types of users, create the access lists as follows:
// denies all traffic from the VIP to normal users
VIP_Users Normal_Users any deny
// denies all traffic from the normal users to the VIP
Normal_Users VIP_Users any deny
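The steps in the reply above, put together as one ArubaOS controller configuration. This is an added example, not part of the original post. The subnets, the ACL name "block-vip-normal" and the role names "VIP-role" and "Normal-role" are constructed placeholders, and binding the ACL to the post-auth roles is an assumption.

```text
! Alias for the VIP users' subnet (constructed example subnet)
netdestination VIP_Users
  network 10.10.10.0 255.255.255.0
!
! Alias for the normal users' subnet (constructed example subnet)
netdestination Normal_Users
  network 10.10.20.0 255.255.255.0
!
! Session ACL holding the two deny rules from the post
ip access-list session block-vip-normal
  alias VIP_Users alias Normal_Users any deny
  alias Normal_Users alias VIP_Users any deny
!
! Bind the ACL first in each post-auth role (hypothetical role names)
user-role VIP-role
  access-list session block-vip-normal position 1
!
user-role Normal-role
  access-list session block-vip-normal position 1
!
```

Session ACL rules are evaluated first-match, so the deny ACL has to sit ahead of any broader permit ACL in the role. After a test client authenticates, `show rights VIP-role` lists the effective rule order for the role.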