Struggling with VLAN ACLs

Aug 5th, 2013

Looking at this configuration:


vlan access-map GUEST_ACCESS_VACL 10
 action forward
 match ip address HTTP_AND_HTTPS
!
vlan access-map GUEST_ACCESS_VACL 20
 action drop
 match ip address ALL_IP
!
vlan filter GUEST_ACCESS_VACL vlan-list 60
!
ip access-list extended ALL_IP
 permit ip any any
!
ip access-list extended HTTP_AND_HTTPS
 permit tcp any any eq www
 permit tcp any eq www any
 permit tcp any any eq 443
 permit tcp any eq 443 any

These are called VLAN ACLs, but where in any of this does it tell me which VLAN this applies to?

John Blakley Mon, 08/05/2013 - 17:33

Having the VACL configured doesn't automatically apply it. From your configuration, however, the line

vlan filter GUEST_ACCESS_VACL vlan-list 60

is how it's applied. It's applied to VLAN 60.

HTH,
John

*** Please rate all useful posts ***

Steven Williams Mon, 08/05/2013 - 17:45

Ahhh. I was looking more at this:

vlan access-map GUEST_ACCESS_VACL 10

thinking it was being applied to VLAN 10, but when configuring this on the switch it returned this:

SW1(config)#vlan access-map GUEST_ACCESS_VACL ?
  <0-65535>  Sequence to insert to/delete from existing vlan access-map entry

Which told me this is not how it's applied to the VLAN. I guess I would expect to see the VLAN map applied under the SVI of the VLAN that it is applied to.

Reza Sharifi Mon, 08/05/2013 - 17:50

You create the map with "vlan access-map" and apply it to the VLAN with the "vlan filter" command.

This is just for layer-2 VLANs. You don't apply a vlan filter to SVIs.

HTH

John Blakley Mon, 08/05/2013 - 18:03

In addition to what Reza stated, VLAN ACLs are used for L2 intra-VLAN traffic, when you want to block a host from another host in the same VLAN. L3 SVIs use standard ACLs to block inter-VLAN traffic, when one host needs to be blocked from another host in a different VLAN.

So:

Block a host in VLAN 1 from accessing another host in VLAN 1 - use a VACL

Block a host in VLAN 1 from accessing another host in VLAN 20 - use a normal ACL on the SVI

HTH,
John

*** Please rate all useful posts ***

Steven Williams Tue, 08/06/2013 - 17:36

Steven Williams wrote:

Looking at this configuration:

vlan access-map GUEST_ACCESS_VACL 10
 action forward
 match ip address HTTP_AND_HTTPS
!
vlan access-map GUEST_ACCESS_VACL 20
 action drop
 match ip address ALL_IP
!
vlan filter GUEST_ACCESS_VACL vlan-list 60
!
ip access-list extended ALL_IP
 permit ip any any
!
ip access-list extended HTTP_AND_HTTPS
 permit tcp any any eq www
 permit tcp any eq www any
 permit tcp any any eq 443
 permit tcp any eq 443 any

OK, is there a specific order in which VACLs need to be configured? Could I essentially make the ip access-lists first, then tie them to the map, then assign the map to the filter for the specific VLAN? This kind of reminds me of route maps.

Also, why do you have to do the rules like they are for the HTTP_AND_HTTPS ACL? permit tcp any any eq www, but then also have to permit tcp any eq www any?

I have never seen an ACL like that before; why would permit tcp any any eq www take care of all port 80 traffic in both directions?
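
The thread ends on the ordering and direction questions, so here is an added Python example (not code from the thread, and not Cisco's) that parses the poster's configuration and simulates how a VACL decides each frame. It encodes the behaviour the replies describe plus what they leave implicit: the map is consulted only for VLANs named in "vlan filter"; sequences are evaluated in ascending order; a sequence matches only when one of its match ACLs permits the packet (a deny hit, or no hit, just moves on to the next sequence); the first matching sequence's action wins; and an IP packet that matches no sequence is dropped. It also models the fact that an ACL keeps no connection state, so each frame is judged on its own: the server's reply to an HTTP request carries source port 80 and an ephemeral destination port, matches nothing in a one-way ACL, and falls through to the drop sequence, which is why the poster's ACL carries the "permit tcp any eq www any" lines. Because the parser resolves ACL names at evaluation time, the ACLs, access-map and filter may appear in any order. Simplifications and assumptions: only the "any" and "host" address forms and the "eq" port operator are parsed; the names Packet, parse_config, vacl_decision and demo are the example's own; and the addresses in demo are constructed.

```python
# Offline evaluator for Cisco-style VLAN access maps (VACLs). Added example, not
# code from the thread; it models the semantics stated in the lead-in, not a switch.
from collections import namedtuple

PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}
Packet = namedtuple("Packet", "proto src dst sport dport")

def _addr(tok, i):  # consume 'any' or 'host A' at tok[i]; None means any address
    return (None, i + 1) if tok[i] == "any" else (tok[i + 1], i + 2)

def _port(tok, i):  # consume an optional 'eq PORT' (name or number); None means any port
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """'permit tcp any eq www any' -> (permit, proto, src, sport, dst, dport)."""
    tok = line.split()
    src, i = _addr(tok, 2)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, _ = _port(tok, i)
    return (tok[0] == "permit", tok[1], src, sport, dst, dport)

def _vlans(spec):  # expand a vlan-list: '60' -> [60], '10-12,60' -> [10, 11, 12, 60]
    return [v for part in spec.split(",") for lo, _, hi in [part.partition("-")]
            for v in range(int(lo), int(hi or lo) + 1)]

def parse_config(text):
    """Collect ACLs, access-map sequences and 'vlan filter' bindings, in any order."""
    cfg = {"acls": {}, "maps": {}, "filters": {}}
    acl = entry = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            acl = entry = None
        elif tok[:3] == ["ip", "access-list", "extended"]:
            acl, entry = cfg["acls"].setdefault(tok[3], []), None
        elif tok[:2] == ["vlan", "access-map"]:
            seq = int(tok[3]) if len(tok) > 3 else 10  # IOS defaults: sequence 10, action forward
            entry = cfg["maps"].setdefault(tok[2], {}).setdefault(seq, {"action": "forward", "match": []})
            acl = None
        elif tok[:2] == ["vlan", "filter"]:
            for vlan in _vlans(tok[4]):
                cfg["filters"][vlan] = tok[2]
        elif tok[0] in ("permit", "deny") and acl is not None:
            acl.append(parse_ace(raw))
        elif tok[0] == "action" and entry is not None:
            entry["action"] = tok[1]
        elif tok[:3] == ["match", "ip", "address"] and entry is not None:
            entry["match"].extend(tok[3:])
    return cfg

def acl_permits(aces, pkt):
    """First matching ACE decides; a deny hit counts as 'no match' for VACL purposes."""
    for permit, proto, src, sport, dst, dport in aces:
        if (proto in ("ip", pkt.proto) and src in (None, pkt.src) and dst in (None, pkt.dst)
                and sport in (None, pkt.sport) and dport in (None, pkt.dport)):
            return permit
    return False  # implicit deny at the end of every ACL

def vacl_decision(cfg, vlan, pkt):
    name = cfg["filters"].get(vlan)
    if name is None:
        return "forward"  # no 'vlan filter' on this VLAN: the map is never consulted
    for seq in sorted(cfg["maps"].get(name, {})):  # ascending sequence order
        e = cfg["maps"][name][seq]
        if not e["match"] or any(acl_permits(cfg["acls"].get(a, []), pkt) for a in e["match"]):
            return e["action"]  # first sequence whose ACL permits the packet wins
    return "drop"  # matched no sequence: implicit drop at the end of the map

CONFIG = """\
vlan access-map GUEST_ACCESS_VACL 10
 action forward
 match ip address HTTP_AND_HTTPS
!
vlan access-map GUEST_ACCESS_VACL 20
 action drop
 match ip address ALL_IP
!
vlan filter GUEST_ACCESS_VACL vlan-list 60
!
ip access-list extended ALL_IP
 permit ip any any
!
ip access-list extended HTTP_AND_HTTPS
 permit tcp any any eq www
 permit tcp any eq www any
 permit tcp any any eq 443
 permit tcp any eq 443 any
"""
# The same policy without the two reply ACEs, to show why the poster's ACL has them.
ONE_WAY = CONFIG.replace(" permit tcp any eq www any\n", "").replace(" permit tcp any eq 443 any\n", "")

def demo():
    full, one_way = parse_config(CONFIG), parse_config(ONE_WAY)
    guest, web = "10.60.0.25", "198.51.100.10"  # constructed addresses for the example
    request = Packet("tcp", guest, web, 51000, 80)
    reply = Packet("tcp", web, guest, 80, 51000)
    ssh = Packet("tcp", guest, web, 51001, 22)
    return {
        "vlan60_http_request": vacl_decision(full, 60, request),
        "vlan60_http_reply": vacl_decision(full, 60, reply),
        "vlan60_ssh": vacl_decision(full, 60, ssh),
        "vlan10_ssh_unfiltered": vacl_decision(full, 10, ssh),
        "vlan60_http_reply_one_way": vacl_decision(one_way, 60, reply),
    }
```

Calling demo() gives forward for the HTTP request and its reply, drop for SSH inside VLAN 60, forward for the same SSH frame in VLAN 10 (no "vlan filter" binds the map there, which is the answer to the original question), and drop for the HTTP reply under the one-way ACL. The ordering of the pieces in CONFIG can be shuffled freely without changing any of these results, since the map only refers to the ACLs by name.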
