Understanding Vlan ACL's

dan_track
Level 1

Hi

Yesterday I put a VLAN ACL on a VLAN that pretty much blocked everything except for a number of ports. When I put the access list on, I saw in the ACL logging that it was blocking PCs in the VLAN from accessing multicast addresses that were only present within the same VLAN, i.e. there was no need for the PCs to leave the VLAN.

I can't understand this. I thought VLAN ACLs only kick in when crossing VLAN boundaries; from the above it seems that they control behaviour within the VLAN as well.

Can someone please explain how that can be and what I am missing about VLAN ACLs?

Thanks

Dan

10 Replies

Istvan_Rabai
Level 7

Hi Dan,

Your practical experience reflects how VLAN ACLs work in practice.

The effect of VLAN ACLs applies to the VLAN (i.e. to all traffic within a VLAN), not to the traffic on specific ports.

This is why you cannot configure the direction of VLAN ACLs, the way you are used to doing for router ACLs (in or out).

Also, VLAN ACLs are applied to VLANs, not ports, during the configuration phase.

Cheers:

Istvan

Thanks for the info,

I've applied the ACLs like this:

int vlan 10
 ip access-group WAN-In in
 ip access-group WAN-Out out
exit

The above doesn't fit with your statement:

"This is why you cannot configure the direction of VLAN ACLs, the way you are used to doing for router ACLs (in or out)."

If this is true, what is the effect of me doing the above access-group statements?

Thanks

Dan

Dan

Could you post the ACL? I think there is some confusion over what you mean by a VLAN ACL.

If you are using the access-group command to apply them then they are standard ACLs, i.e. they work at L3 and block traffic between VLANs.

Istvan was talking about VLAN maps, which restrict traffic within the same VLAN, and these are not directional, as he said.

Jon

Hi Dan,

As Jon also says, your configuration uses router ACLs applied to the VLAN interface.

Here is some information for you about VLAN ACLs:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/vacl.html

Cheers:

Istvan

Hi Jon,

Looks like my lack of knowledge is impeding me again!

Here are my ACLs:

sh access-lists WAN-In
Extended IP access list WAN-In
    110 permit tcp any any eq 445
    120 permit udp any any eq 445
    130 permit udp any any eq snmp
    140 permit udp any any eq snmptrap
    150 permit tcp any any eq 389
    160 permit udp any any eq 389
    170 permit tcp any any eq 3268
    180 permit udp any any eq 3268
    190 permit tcp any any eq 3389
    200 permit udp any any eq 3389
    210 permit tcp any any eq 135
    220 permit udp any any eq 135
    230 permit udp any any eq netbios-ns
    240 permit udp any any eq netbios-dgm
    250 permit udp any any eq netbios-ss
    260 deny ip any any log

sh access-lists WAN-Out
Extended IP access list WAN-Out
    110 permit tcp any any eq 445
    120 permit udp any any eq 445
    130 permit udp any any eq snmp
    140 permit udp any any eq snmptrap
    150 permit tcp any any eq 389
    160 permit udp any any eq 389
    170 permit tcp any any eq 3268
    180 permit udp any any eq 3268
    190 permit tcp any any eq 3389
    200 permit udp any any eq 3389
    210 permit tcp any any eq 135
    220 permit udp any any eq 135
    230 permit udp any any eq netbios-ns
    240 permit udp any any eq netbios-dgm
    250 permit udp any any eq netbios-ss
    260 deny ip any any log

Thanks Dan

Dan

What was the log message for the multicast traffic that was dropped, i.e. source/destination etc.?

Jon

Here's the message:

Jul 16 16:43:08 CST: %SEC-6-IPACCESSLOGNP: list WAN-In denied 113 10.65.50.10 -> 239.255.3.20, 1 packet

Dan

Dan

Is that multicast address being used in your LAN?

There is no reason why this couldn't hit the L3 VLAN interface, i.e. nothing specifies that it has to be on the same VLAN.

Jon

Hi Jon,

Yes, that multicast address is only being used in the VLAN that I have attached the ACL to.

I'm not sure what you meant by your second sentence. Why would the access list block the multicast address if the address only resides within the VLAN?

Thanks

Dan

Dan

Because the port that the router is connected to receives the multicast packet and so drops it because of the ACL. It doesn't really matter that you are only using that multicast address within that subnet. It's not a local address in the same sense that the IP subnet range is.

Jon
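The thread comes down to two different objects: `ip access-group` under `interface vlan 10` is a router ACL evaluated on the L3 SVI, while a VACL (`vlan access-map` plus `vlan filter`) is applied to the VLAN itself, has no direction, and also sees traffic bridged between ports of the same VLAN. The block below is an added example, not code from the thread or from Cisco. It rebuilds the dropped packet from Dan's %SEC-6-IPACCESSLOGNP line and walks his posted WAN-In ACL to show which entry it hit: the NP ("no port") form logs the IP protocol number, 113 is PGM in the IANA protocol registry, and an ACL made only of tcp/udp port permits can never match it, so it falls to sequence 260. It also checks that 239.255.3.20 is a group address outside the SVI subnet, which is Jon's point about it not being "local". The SVI subnet 10.65.50.0/24 is an assumption (only the host 10.65.50.10 appears in the thread), and the IPACCESSLOGP line used in the test is a constructed sample.

```python
"""Re-evaluate the thread's WAN-In router ACL offline against the logged packet.
IPACCESSLOG messages do not say which ACE matched; this rebuilds the packet from
the log and walks the ACL (first match wins) to find out."""
import ipaddress
import re
from collections import namedtuple
from typing import List, Optional, Tuple

# Keyword ports/protocols as IOS prints them in "show access-lists".
PORT_NAMES = {"snmp": 161, "snmptrap": 162, "netbios-ns": 137,
              "netbios-dgm": 138, "netbios-ss": 139}
PROTO_NUMS = {"icmp": 1, "tcp": 6, "udp": 17}
ANY = ipaddress.ip_network("0.0.0.0/0")

# ACL entries and log line copied from the thread ("sh access-lists WAN-In").
WAN_IN_TEXT = """\
110 permit tcp any any eq 445
120 permit udp any any eq 445
130 permit udp any any eq snmp
140 permit udp any any eq snmptrap
150 permit tcp any any eq 389
160 permit udp any any eq 389
170 permit tcp any any eq 3268
180 permit udp any any eq 3268
190 permit tcp any any eq 3389
200 permit udp any any eq 3389
210 permit tcp any any eq 135
220 permit udp any any eq 135
230 permit udp any any eq netbios-ns
240 permit udp any any eq netbios-dgm
250 permit udp any any eq netbios-ss
260 deny ip any any log
"""
LOG_LINE = ("Jul 16 16:43:08 CST: %SEC-6-IPACCESSLOGNP: list WAN-In denied 113 "
            "10.65.50.10 -> 239.255.3.20, 1 packet")
# Assumed for illustration: the VLAN 10 SVI carries 10.65.50.0/24 (the thread only shows the host).
SVI_SUBNET = ipaddress.ip_network("10.65.50.0/24")

# proto None means "ip" (any protocol); dport is the destination "eq <port>", if any.
Ace = namedtuple("Ace", "seq action proto src dst dport")
Packet = namedtuple("Packet", "proto src dst dport", defaults=(None,))

def _addr(toks: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if toks[0] == "any":
        return ANY, toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    # ipaddress accepts a hostmask (the IOS wildcard) in place of a netmask
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]

def parse_ace(line: str) -> Ace:
    toks = line.split()
    seq, action, ptok = int(toks[0]), toks[1], toks[2]
    proto = None if ptok == "ip" else (PROTO_NUMS.get(ptok) or int(ptok))
    src, rest = _addr(toks[3:])
    dst, rest = _addr(rest)
    dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return Ace(seq, action, proto, src, dst, dport)

def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match walk; returns (action, seq). seq None = the implicit trailing deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for ace in acl:
        if (ace.proto in (None, pkt.proto) and s in ace.src and d in ace.dst
                and ace.dport in (None, pkt.dport)):
            return ace.action, ace.seq
    return "deny", None

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:NP|P): list (?P<acl>\S+) (?P<verdict>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?, (?P<n>\d+) packets?")

def packet_from_log(line: str) -> Packet:
    """NP ("no port") lines carry the IP protocol number: 113 is PGM (IANA)."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an IPACCESSLOG message: " + line)
    proto = PROTO_NUMS.get(m["proto"]) or int(m["proto"])
    dport = int(m["dport"]) if m["dport"] else None
    return Packet(proto, m["src"], m["dst"], dport)

def explain(acl: List[Ace], line: str, svi_subnet=SVI_SUBNET) -> dict:
    """Which ACE the logged packet hit, and why a group address is not 'local'."""
    pkt = packet_from_log(line)
    action, seq = evaluate(acl, pkt)
    dst = ipaddress.ip_address(pkt.dst)
    return {"proto": pkt.proto, "action": action, "seq": seq,
            "dst_multicast": dst.is_multicast, "dst_in_svi_subnet": dst in svi_subnet}

WAN_IN = [parse_ace(l) for l in WAN_IN_TEXT.splitlines() if l.strip()]
```

`explain(WAN_IN, LOG_LINE)` reports protocol 113, a hit on sequence 260, `dst_multicast` True and `dst_in_svi_subnet` False. One caveat worth keeping in mind when reading that result: a router ACL on the SVI only decides what the Layer 3 interface does with the copy of the packet it receives; it does not filter frames the switch bridges between two access ports of VLAN 10, so the PCs' multicast traffic to each other is not what the deny is stopping. Filtering inside the VLAN is what a VACL is for; if the aim is only to stop the log noise on the SVI, an entry such as `permit ip any 239.255.3.0 0.0.0.255` ahead of the deny would do it (group range assumed for illustration).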
