VLAN filtering not working as expected

Unanswered Question
Feb 4th, 2009

I am trying to kill off some NETBIOS traffic within a VLAN with a VLAN filter map so it doesn't keep filling up my logs when it fails against the inbound ACL on the VLAN interface, but it is not working as I expect it to (and my other VLAN filter maps are).

I am working with VLAN 4, so I have:

interface Vlan4
 description Console and Management Traffic
 ip address 172.17.0.97 255.255.255.224
 ip access-group Console_NetIn in
 ip access-group Console_NetOut out
end

My IP Access-list:

Extended IP access list NetBiosMap
    10 permit udp host 172.17.0.98 host 172.17.0.127 range 127 128
    20 permit udp host 172.17.0.98 eq 127 any
    30 permit udp host 172.17.0.98 eq 128 any

My Vlan Access-map:

vlan access-map Filter_VL4 10
 action drop
 match ip address NetBiosMap
vlan access-map Filter_VL4 20
 action forward

Applied:

vlan filter Filter_VL4 vlan-list 4

Verify:

VLAN Map Filter_VL4 is filtering VLANs:
  4

--------------- but -----------

I keep getting:

Feb 4 13:56:34: %SEC-6-IPACCESSLOGP: list Console_NetIn denied udp 172.17.0.98(138) -> 172.17.0.127(138), 1 packet

ARGH! Help?

bill.morton@dmu.edu Wed, 02/04/2009 - 12:42

I think that that is what I have already done ... it is very similar to this: http://www.cisco.com/en/US/docs/switches/metro/catalyst3750m/software/release/12.2_46_se/configuration/guide/swacl.html#wp1082532

vlan access-map Filter_VL4 10
 action drop
 match ip address NetBiosMap
vlan access-map Filter_VL4 20
 action forward

My first access-map statement matches the traffic I want to drop, the second access-map statement passes everything else.
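An added check, not part of this thread and not Cisco tooling: it parses the NetBiosMap entries exactly as posted above and evaluates them against the flow in the denied-packet log line, so you can see which access-list sequence numbers (if any) the VACL's match ACL would select for that packet. It assumes only the address and port forms used on this page (host/any, eq/range); the sample ACL and log line are copied from the posts.

```python
import re

# The access list and the log line as posted in the thread (constructed here as sample input).
ACL = """10 permit udp host 172.17.0.98 host 172.17.0.127 range 127 128
20 permit udp host 172.17.0.98 eq 127 any
30 permit udp host 172.17.0.98 eq 128 any""".splitlines()
LOG = ("Feb 4 13:56:34: %SEC-6-IPACCESSLOGP: list Console_NetIn denied udp "
       "172.17.0.98(138) -> 172.17.0.127(138), 1 packet")

def _endpoint(tokens):
    """Consume 'host X' or 'any' plus an optional 'eq N' / 'range N M'; return (addr, (lo, hi))."""
    tok = tokens.pop(0)
    if tok == "host":
        addr = tokens.pop(0)
    elif tok == "any":
        addr = "any"
    else:
        raise ValueError(f"unsupported address form: {tok}")
    ports = (0, 65535)                      # no port qualifier: any port
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = int(tokens.pop(0))
        ports = (p, p)
    elif tokens and tokens[0] == "range":
        tokens.pop(0)
        ports = (int(tokens.pop(0)), int(tokens.pop(0)))
    return addr, ports

def parse_ace(line):
    """Parse one numbered extended ACE of the form '<seq> <permit|deny> <proto> <src> <dst>'."""
    tokens = line.split()
    seq, action, proto, rest = int(tokens[0]), tokens[1], tokens[2], tokens[3:]
    src, sports = _endpoint(rest)
    dst, dports = _endpoint(rest)
    return {"seq": seq, "action": action, "proto": proto,
            "src": src, "sports": sports, "dst": dst, "dports": dports}

def parse_log_flow(line):
    """Pull proto, addresses and ports out of a %SEC-6-IPACCESSLOGP line."""
    m = re.search(r"denied (\w+) (\S+)\((\d+)\) -> (\S+)\((\d+)\)", line)
    proto, src, sport, dst, dport = m.groups()
    return {"proto": proto, "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}

def ace_matches(ace, flow):
    def addr_ok(want, have):
        return want == "any" or want == have
    return (ace["proto"] == flow["proto"]
            and addr_ok(ace["src"], flow["src"]) and addr_ok(ace["dst"], flow["dst"])
            and ace["sports"][0] <= flow["sport"] <= ace["sports"][1]
            and ace["dports"][0] <= flow["dport"] <= ace["dports"][1])

def matching_sequences(acl_lines, log_line):
    """Sequence numbers of the ACEs that would select the logged packet (empty list: none do)."""
    flow = parse_log_flow(log_line)
    return [ace["seq"] for ace in map(parse_ace, acl_lines) if ace_matches(ace, flow)]

if __name__ == "__main__":
    print(matching_sequences(ACL, LOG))   # → []
```

An empty result means the access-map's match clause never selects the packet, so the drop action is never reached and the packet goes on to the interface ACL that logs it.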
