VLAN access-list

Answered Question

I have written a VACL and have a couple of questions.

It goes like this:

access-list 104 remark Allow Netbackup traffic / Deny everything else
access-list 104 permit tcp 172.16.16.0 0.0.3.255 host 172.16.16.14 eq 13782
access-list 104 permit tcp 172.16.16.0 0.0.3.255 host 172.16.16.14 eq 13720
access-list 104 permit icmp 172.16.16.0 0.0.3.255 host 172.16.16.14
access-list 104 deny ip any any log

vlan access-map backup_net 10
match ip address 104
action forward

vlan filter backup_net vlan-list 4

I do not get any logs from my deny any any log statement. Am I doing something wrong? Is there something different about logging from an extended IP access-list vs. a VACL? I need to be able to see what is being dropped with the log command.

Any input would be greatly appreciated!

Doug

Correct Answer by Jayakrishna Mada (Cisco Employee), Fri, 08/13/2010 - 11:08

Try this if this is a 6500 switch; if not, there is no VACL logging support on other platforms:

access-list 104 remark Allow Netbackup traffic / Deny everything else
access-list 104 permit tcp 172.16.16.0 0.0.3.255 host 172.16.16.14 eq 13782
access-list 104 permit tcp 172.16.16.0 0.0.3.255 host 172.16.16.14 eq 13720
access-list 104 permit icmp 172.16.16.0 0.0.3.255 host 172.16.16.14

vlan access-map backup_net 10
match ip address 104
action forward
! second entry needs its own sequence number; re-entering sequence 10 would overwrite the forward clause
vlan access-map backup_net 20
action drop log

vlan filter backup_net vlan-list 4

Just FYI, not sure if you already know this:

VACLs are directionless; traffic in both directions will be affected when you apply this to a VLAN.

Using the LOG keyword could cause high CPU.


Mada,

Thank you for the input. This is what I ended up using...

access-list 104 remark Allow Netbackup traffic / Deny everything else
access-list 104 permit tcp 172.16.16.0 0.0.3.255 host 172.16.16.14 eq 13782
access-list 104 permit tcp 172.16.16.0 0.0.3.255 host 172.16.16.14 eq 13720
access-list 104 permit icmp 172.16.16.0 0.0.3.255 host 172.16.16.14
access-list 104 permit icmp host 172.16.16.14 172.16.16.0 0.0.3.255
access-list 105 remark Drop for backup_net access-map
access-list 105 permit ip any any

vlan access-map backup_net 10
match ip address 104
action forward
vlan access-map backup_net 20
match ip address 105
action drop log

vlan filter backup_net vlan-list 4

Thanks again for pointing me in the right direction!

Doug
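The behaviour the thread describes, as an added Python simulation that is not code from the thread or from Cisco: it models how the 6500 walks a VLAN access-map (an entry matches when its ACL permits the packet; only the entry's action forwards, drops or logs) over constructed packets, and shows why Doug's original `deny ip any any log` inside ACL 104 never logged anything while the two-entry map does. The packet format, function names and sample addresses are my own assumptions.

```python
import ipaddress

def wild_match(addr, base, wildcard):
    """IOS wildcard-mask match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# ACL entry: (action, proto, src, src_wc, dst, dst_wc, dport_or_None, log) -- mirrors the thread's ACLs
ACL_104 = [
    ("permit", "tcp", "172.16.16.0", "0.0.3.255", "172.16.16.14", "0.0.0.0", 13782, False),
    ("permit", "tcp", "172.16.16.0", "0.0.3.255", "172.16.16.14", "0.0.0.0", 13720, False),
    ("permit", "icmp", "172.16.16.0", "0.0.3.255", "172.16.16.14", "0.0.0.0", None, False),
    ("deny", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", None, True),  # deny ip any any log
]
ACL_105 = [("permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", None, False)]

def acl_permits(acl, pkt):
    """First matching entry wins, implicit deny at the end (IOS semantics). The ACL's own
    log flag is deliberately ignored: a VACL never logs from the ACL, only from its action."""
    for action, proto, src, swc, dst, dwc, dport, _log in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wild_match(pkt["src"], src, swc) and wild_match(pkt["dst"], dst, dwc)):
            continue
        if dport is not None and dport != pkt.get("dport"):
            continue
        return action == "permit"
    return False

def vacl_apply(access_map, pkt, syslog):
    """Entries in sequence order; an entry matches when its ACL permits the packet. A 'deny'
    in the ACL only means 'not this entry', so the packet falls through to the next one."""
    for seq, acl, action, log in sorted(access_map, key=lambda e: e[0]):
        if acl_permits(acl, pkt):
            if log:  # only 'action drop log' on the 6500 produces a message
                syslog.append(f"VACL backup_net seq {seq}: {action} {pkt}")
            return action
    return "drop"  # implicit drop at the end of the map, never logged

ORIGINAL_MAP = [(10, ACL_104, "forward", False)]                            # Doug's first attempt
FIXED_MAP = [(10, ACL_104, "forward", False), (20, ACL_105, "drop", True)]  # the working version

def simulate(access_map, packets):
    """Return (decisions, syslog lines) for a list of constructed packets."""
    syslog = []
    return [vacl_apply(access_map, p, syslog) for p in packets], syslog

# Constructed sample traffic: a legitimate NetBackup connection and an SSH attempt the VACL should drop
SAMPLE = [
    {"proto": "tcp", "src": "172.16.17.5", "dst": "172.16.16.14", "dport": 13782},
    {"proto": "tcp", "src": "172.16.19.200", "dst": "172.16.16.14", "dport": 22},
]
```

Because the model, like a real VACL, is stateless and directionless, a packet sent from 172.16.16.14 back to a client only ever reaches seq 20; any return traffic the backup server originates needs its own permit in ACL 104, as Doug added for ICMP.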
