Restrict Access to VLAN

Unanswered Question

I am trying to restrict traffic into a VLAN on a 3750. I only want to allow access from specific IP addresses and drop everything else. I set up the following ACL and VLAN map configs on the 3750.



ip access-list extended QA_VLAN_ACL
permit ip host 10.3.10.77 any
permit tcp host 10.3.10.77 any
permit tcp host 10.3.10.35 any
permit tcp host 10.3.10.36 any
permit tcp host 10.3.10.37 any
permit tcp host 10.3.10.38 any
permit tcp host 10.3.10.39 any
permit tcp host 10.3.10.40 any
permit tcp host 10.3.10.41 any
permit tcp host 10.3.10.42 any
permit tcp host 10.3.10.43 any
permit tcp host 10.3.10.44 any
permit udp host 10.3.10.35 any
permit udp host 10.3.10.36 any
permit udp host 10.3.10.37 any
permit udp host 10.3.10.38 any
permit udp host 10.3.10.39 any
permit udp host 10.3.10.40 any
permit udp host 10.3.10.41 any
permit udp host 10.3.10.42 any
permit udp host 10.3.10.43 any
permit udp host 10.3.10.44 any
permit udp host 10.3.10.77 any

vlan access-map QA_VLAN_MAP 10
action forward
match ip address QA_VLAN_ACL

vlan filter QA_VLAN_MAP vlan-list 325



However, it doesn't seem to work. If I have the action set to forward, then everything gets through and nothing is dropped. If I set the action to drop, everything is dropped. I am not sure what I am doing wrong. Any help that can be provided will be much appreciated. Thanks.

Edison Ortiz Sat, 03/08/2008 - 10:02

Hi Ernest,


VLAN maps have no direction. To filter traffic in a specific direction by using a VLAN map, you need to include an ACL with specific source or destination addresses.


If there is a match clause for that type of packet (IP or MAC) in the VLAN map, the default action is to drop the packet if the packet does not match any of the entries within the map.


If there is no match clause for that type of packet, the default is to forward the packet.


Can you add deny ip any any at the end of the ACL and see if the behavior changes?


HTH,


__


Edison.

Edison Ortiz Sun, 03/09/2008 - 11:41

Please post the whole config.


__


Edison.

Edison Ortiz Sun, 03/09/2008 - 12:08

Try this approach:


vlan access-map QA_VLAN_MAP 10
match ip address QA_VLAN_ACL
action forward
vlan access-map QA_VLAN_MAP 20
match ip address QA_VLAN_ACL_DROP
action drop
!
!
!
ip access-list extended QA_VLAN_ACL
permit ip host 10.3.10.77 any
permit tcp host 10.3.10.77 any
permit tcp host 10.3.10.35 any
permit tcp host 10.3.10.36 any
permit tcp host 10.3.10.37 any
permit tcp host 10.3.10.38 any
permit tcp host 10.3.10.39 any
permit tcp host 10.3.10.40 any
permit tcp host 10.3.10.41 any
permit tcp host 10.3.10.42 any
permit tcp host 10.3.10.43 any
permit tcp host 10.3.10.44 any
permit udp host 10.3.10.35 any
permit udp host 10.3.10.36 any
permit udp host 10.3.10.37 any
permit udp host 10.3.10.38 any
permit udp host 10.3.10.39 any
permit udp host 10.3.10.40 any
permit udp host 10.3.10.41 any
permit udp host 10.3.10.42 any
permit udp host 10.3.10.43 any
permit udp host 10.3.10.44 any
permit udp host 10.3.10.77 any
ip access-list extended QA_VLAN_ACL_DROP
permit ip any any



HTH,


__


Edison.
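To make the VLAN-map evaluation order concrete (the default drop/forward rule from the 03/08 reply and the explicit two-sequence map in the reply above), here is an added Python model of how a packet is checked against the map sequences in turn; it is not code from the thread or from IOS, and the packets, the three-host subset of the ACL and the "hitting a permit entry counts as a match" rule are assumptions of the model.

```python
import ipaddress

# Constructed model of Catalyst VLAN-map evaluation (added example, not
# from the thread). An ACL is a list of (action, proto, src, dst) entries;
# a VLAN map is an ordered list of (acl_name, action) sequences.
# Assumption: a packet "matches" a sequence when it hits a permit entry of
# that sequence's ACL; a deny entry, or the ACL's implicit deny, is "no match".

def _in(addr, spec):
    """True when spec is 'any' or addr falls inside the host/network spec."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def acl_matches(acl, pkt):
    """Return True when the packet hits a permit entry of the ACL."""
    for action, proto, src, dst in acl:
        if proto in ("ip", pkt["proto"]) and _in(pkt["src"], src) and _in(pkt["dst"], dst):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

def vlan_map_action(vmap, acls, pkt):
    """First sequence whose ACL matches decides. Otherwise the documented default
    applies: drop if the map has an IP match clause, forward if it has none."""
    for acl_name, action in vmap:
        if acl_matches(acls[acl_name], pkt):
            return action
    return "drop" if vmap else "forward"

# Constructed ACLs mirroring the thread (three of the hosts, for brevity).
HOSTS = ["10.3.10.77", "10.3.10.35", "10.3.10.36"]
ACLS = {
    "QA_VLAN_ACL": [("permit", "ip", "10.3.10.77/32", "any")]
    + [("permit", p, h + "/32", "any") for h in HOSTS for p in ("tcp", "udp")],
    "QA_VLAN_ACL_DROP": [("permit", "ip", "any", "any")],
}
ORIGINAL_MAP = [("QA_VLAN_ACL", "forward")]                               # relies on default drop
TWO_STEP_MAP = [("QA_VLAN_ACL", "forward"), ("QA_VLAN_ACL_DROP", "drop")]  # explicit drop

# Constructed sample packets: a listed host, an unlisted host, and a listed
# host sending ICMP (only .77 has a 'permit ip' entry, so .35's ICMP is dropped).
PACKETS = [
    {"proto": "tcp", "src": "10.3.10.35", "dst": "10.3.25.10"},
    {"proto": "tcp", "src": "10.3.10.50", "dst": "10.3.25.10"},
    {"proto": "icmp", "src": "10.3.10.35", "dst": "10.3.25.10"},
]

def evaluate(vmap, packets=PACKETS):
    """Decision per packet for a VLAN map; both maps give forward, drop, drop."""
    return [vlan_map_action(vmap, ACLS, p) for p in packets]
```

Under the documented semantics both maps decide the same way; the two-sequence form simply makes the drop explicit instead of depending on the default, and the third packet shows that hosts with only tcp/udp entries lose every other IP protocol.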

Edison Ortiz Tue, 03/11/2008 - 11:59

The ACL is affecting devices on Vlan 310 (Subnet 10.3.10.x) therefore the vlan-list should be applied to 310 not 325.


__


Edison.

joshkurtz Tue, 03/11/2008 - 10:59

I am having the same problem. I am using a 3560, and whenever I try to drop a subnet, everything is dropped.
