08-05-2013 05:29 PM - edited 03-07-2019 02:45 PM
Looking at this configuration:
vlan access-map GUEST_ACCESS_VACL 10
action forward
match ip address HTTP_AND_HTTPS
!
vlan access-map GUEST_ACCESS_VACL 20
action drop
match ip address ALL_IP
!
vlan filter GUEST_ACCESS_VACL vlan-list 60
!
ip access-list extended ALL_IP
permit ip any any
!
ip access-list extended HTTP_AND_HTTPS
permit tcp any any eq www
permit tcp any eq www any
permit tcp any any eq 443
permit tcp any eq 443 any
These are called vlan ACLs, but where in any of this does it tell me what vlan this applies to?
08-05-2013 05:33 PM
Having the vacl configured doesn't automatically apply it. From your configuration however, the line
"vlan filter GUEST_ACCESS_VACL vlan-list 60"
is how it's applied. It's applied to vlan 60.
HTH,
John
*** Please rate all useful posts ***
08-05-2013 05:45 PM
Ahhh. I was looking more at this:
vlan access-map GUEST_ACCESS_VACL 10
thinking it was being applied to vlan 10, but when configuring this in the switch it returned this:
SW1(config)#vlan access-map GUEST_ACCESS_VACL ?
<0-65535> Sequence to insert to/delete from existing vlan access-map entry
Which told me this is not how it's applied to the vlan. I guess I would expect to see the vlan map applied under the SVI of the vlan that it is applied to.
08-05-2013 05:50 PM
You create the map with "vlan access-map" and apply it to a vlan with the "vlan filter" command.
This is just for layer-2 vlans. You don't apply vlan filter to SVIs.
HTH
08-05-2013 06:03 PM
In addition to what Reza stated, vlan acls are used for L2 intra-vlan traffic when you want to block a host from another host in the same vlan. L3 SVIs use standard acls to block inter-vlan traffic when one host needs to be blocked from another in a different vlan.
So:
Block host in vlan 1 from accessing another host in vlan 1 - Use vacl
Block host in vlan 1 from accessing another host in vlan 20 - Use normal acl on the SVI
HTH,
John
*** Please rate all useful posts ***
08-06-2013 05:36 PM
Steven Williams wrote:
Looking at this configuration:
vlan access-map GUEST_ACCESS_VACL 10
action forward
match ip address HTTP_AND_HTTPS
!
vlan access-map GUEST_ACCESS_VACL 20
action drop
match ip address ALL_IP
!
vlan filter GUEST_ACCESS_VACL vlan-list 60
!
ip access-list extended ALL_IP
permit ip any any
!
ip access-list extended HTTP_AND_HTTPS
permit tcp any any eq www
permit tcp any eq www any
permit tcp any any eq 443
permit tcp any eq 443 any
OK, is there a specific order that VACLs need to be configured in? Could I essentially make the ip access-lists first, then tie them to the map, then assign the map to the filter for the specific vlan? This kind of reminds me of route maps.
Also, why do you have to do the rules like they are for the HTTP_AND_HTTPS ACL: permit tcp any any eq www, but then also have to permit tcp any eq www any?
I have never seen an ACL like that before. Why would permit tcp any any eq www take care of all port 80 traffic in both directions?
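The two questions in the last post (does the order matter, and why both the "eq www" and "eq www any" lines are there) can be checked with a small model of how a VLAN map evaluates frames. This is an added example written for this thread, not code from the original posts or from Cisco: it parses the exact access-lists and access-map quoted above into Python structures and runs a few constructed packets (the 10.60.0.x addresses and port numbers are made up) through them. Two things it shows: the map entries are walked in sequence-number order and the first entry whose ACL permits the frame decides the action, regardless of the order the lines were typed; and the match is stateless and applies to every frame in VLAN 60 in either direction, so the web server's reply (source port 80, ephemeral destination port) only gets forwarded because of the "permit tcp any eq www any" line.

```python
# Added example (not from the thread): a model of VLAN access-map evaluation
# built from the access-lists and access-map quoted in the post.

PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25}  # IOS port keywords

# The configuration from the post, kept verbatim as text.
ACL_TEXT = {
    "ALL_IP": ["permit ip any any"],
    "HTTP_AND_HTTPS": [
        "permit tcp any any eq www",
        "permit tcp any eq www any",
        "permit tcp any any eq 443",
        "permit tcp any eq 443 any",
    ],
}
# (sequence, action, acl-name) as in "vlan access-map GUEST_ACCESS_VACL <seq>".
ACCESS_MAP = [(10, "forward", "HTTP_AND_HTTPS"), (20, "drop", "ALL_IP")]


def parse_ace(line):
    """Parse one extended-ACL entry of the shape used in the post:
    '<permit|deny> <proto> <any|host A> [eq P] <any|host B> [eq P]'.
    A None field means 'any'."""
    toks = line.split()
    ace = {"action": toks[0], "proto": toks[1]}
    i = 2
    for side in ("src", "dst"):
        if toks[i] == "any":
            ace[side], i = None, i + 1
        elif toks[i] == "host":
            ace[side], i = toks[i + 1], i + 2
        else:
            raise ValueError("unsupported address spec: " + toks[i])
        if i < len(toks) and toks[i] == "eq":
            name = toks[i + 1]
            ace[side + "_port"] = PORT_NAMES[name] if name in PORT_NAMES else int(name)
            i += 2
        else:
            ace[side + "_port"] = None
    return ace


def ace_matches(ace, pkt):
    """True when every non-wildcard field of the ACE equals the packet's."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    return all(ace[f] is None or ace[f] == pkt[f]
               for f in ("src", "dst", "src_port", "dst_port"))


def acl_permits(acl_lines, pkt):
    """Classic first-match ACL walk with an implicit deny at the end.
    Inside a VLAN map, 'permit' means 'this map entry matches the frame'."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt):
            return ace["action"] == "permit"
    return False


def vacl_action(pkt, access_map=ACCESS_MAP, acls=ACL_TEXT):
    """Walk the map entries in sequence-number order; the first entry whose
    ACL permits the frame decides. Returns (action, sequence). A frame matched
    by no entry is treated as dropped here; the post's own seq 20 catches
    everything anyway, so that default never fires with this map."""
    for seq, action, acl_name in sorted(access_map):
        if acl_permits(acls[acl_name], pkt):
            return action, seq
    return "drop", None


def tcp(src, sport, dst, dport):
    return {"proto": "tcp", "src": src, "src_port": sport, "dst": dst, "dst_port": dport}


# Constructed sample traffic inside VLAN 60 (addresses and ports are made up).
CLIENT, SERVER = "10.60.0.10", "10.60.0.80"
REQUEST = tcp(CLIENT, 51000, SERVER, 80)   # client -> web server
REPLY = tcp(SERVER, 80, CLIENT, 51000)     # web server -> client
SSH = tcp(CLIENT, 51001, SERVER, 22)       # something the map should drop


def reply_without_reverse_line():
    """Same map, but with 'permit tcp any eq www any' removed: the server's
    reply no longer matches seq 10 and falls through to the drop entry."""
    trimmed = dict(ACL_TEXT)
    trimmed["HTTP_AND_HTTPS"] = [
        l for l in ACL_TEXT["HTTP_AND_HTTPS"] if l != "permit tcp any eq www any"]
    return vacl_action(REPLY, acls=trimmed)


def with_drop_first():
    """Sequence numbers, not typing order, decide evaluation: give the
    catch-all drop a lower sequence than the HTTP entry and nothing gets through."""
    reordered = [(5, "drop", "ALL_IP"), (10, "forward", "HTTP_AND_HTTPS")]
    return vacl_action(REQUEST, access_map=reordered)


if __name__ == "__main__":
    for name, pkt in (("request", REQUEST), ("reply", REPLY), ("ssh", SSH)):
        print(name, vacl_action(pkt))
    print("reply without 'permit tcp any eq www any':", reply_without_reverse_line())
    print("request with drop entry at seq 5:", with_drop_first())
```

Running it prints forward/10 for both the request and the reply, drop/20 for SSH, drop/20 for the reply once the reverse line is removed, and drop/5 when the catch-all is renumbered ahead of the HTTP entry. The model only covers the "any"/"host" address forms and "eq" port matches that appear in the post; wildcard masks and ranges are left out on purpose.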