397 Views | 0 Helpful | 5 Replies

Struggling with Vlan ACL's

Steven Williams
Level 4

Looking at this configuration:

vlan access-map GUEST_ACCESS_VACL 10
 action forward
 match ip address HTTP_AND_HTTPS
!
vlan access-map GUEST_ACCESS_VACL 20
 action drop
 match ip address ALL_IP
!
vlan filter GUEST_ACCESS_VACL vlan-list 60
!
ip access-list extended ALL_IP
 permit ip any any
!
ip access-list extended HTTP_AND_HTTPS
 permit tcp any any eq www
 permit tcp any eq www any
 permit tcp any any eq 443
 permit tcp any eq 443 any

These are called VLAN ACLs, but where in any of this does it tell me what VLAN this applies to?

5 Replies

John Blakley
VIP Alumni

Having the VACL configured doesn't automatically apply it. From your configuration, however, the line

"vlan filter GUEST_ACCESS_VACL vlan-list 60"

is how it's applied. It's applied to VLAN 60.

HTH,
John

*** Please rate all useful posts ***

Ahhh. I was looking more at this:

vlan access-map GUEST_ACCESS_VACL 10

thinking it was being applied to VLAN 10, but when configuring this on the switch it returned this:

SW1(config)#vlan access-map GUEST_ACCESS_VACL ?
  <0-65535>  Sequence to insert to/delete from existing vlan access-map entry

Which told me this is not how it's applied to the VLAN. I guess I would expect to see the VLAN map applied under the SVI of the VLAN that it is applied to.

You create the map with the "vlan access-map" command and apply it to a VLAN with the "vlan filter" command.

This is just for layer-2 VLANs. You don't apply a vlan filter to SVIs.

HTH

In addition to what Reza stated, VLAN ACLs are used for L2 intra-VLAN traffic when you want to block a host from another host in the same VLAN. L3 SVIs use standard ACLs to block inter-VLAN traffic when one host needs to be blocked from another in a different VLAN.

So:

Block a host in VLAN 1 from accessing another host in VLAN 1 - use a VACL

Block a host in VLAN 1 from accessing another host in VLAN 20 - use a normal ACL on the SVI

HTH,
John

*** Please rate all useful posts ***

Steven Williams
Level 4

Steven Williams wrote:

Looking at this configuration:

vlan access-map GUEST_ACCESS_VACL 10
 action forward
 match ip address HTTP_AND_HTTPS
!
vlan access-map GUEST_ACCESS_VACL 20
 action drop
 match ip address ALL_IP
!
vlan filter GUEST_ACCESS_VACL vlan-list 60
!
ip access-list extended ALL_IP
 permit ip any any
!
ip access-list extended HTTP_AND_HTTPS
 permit tcp any any eq www
 permit tcp any eq www any
 permit tcp any any eq 443
 permit tcp any eq 443 any

Ok, is there a specific order that VACLs need to be configured in? Could I essentially make the ip access-lists first, then tie them to the map, then assign the map to the filter for the specific VLAN? This kind of reminds me of route maps.

Also, why do you have to write the rules the way they are for the HTTP_AND_HTTPS ACL? "permit tcp any any eq www", but then also "permit tcp any eq www any"?

I have never seen an ACL like that before. Why wouldn't "permit tcp any any eq www" take care of all port 80 traffic in both directions?
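The following is an added example, not code from the thread or from Cisco: a small Python simulation of how a VACL is evaluated, built from the configuration posted above. It illustrates both points discussed in the thread. First, the number after the map name (10, 20) is a sequence number, and the only thing that binds the map to a VLAN is "vlan filter ... vlan-list 60", so an identical packet on VLAN 10 is not inspected at all. Second, a VACL is applied to traffic bridged within the VLAN with no notion of direction or connection state: a client's request has destination port 80, but the server's reply has source port 80, so without "permit tcp any eq www any" the reply falls through to sequence 20 and is dropped. The parser handles only the ACE forms the posted config uses (permit, "any" addresses, "eq" port matches, one access map), and the sample packets and the one-way variant of the config are constructed for the demonstration.

```python
"""Toy evaluator for a Cisco-style VLAN access map (VACL).

Simplified model for illustration, not IOS code: it parses only the
constructs used in the posted configuration (a single access map, 'permit'
ACEs with 'any' addresses and 'eq' port matches) and evaluates packets the
way a VACL does: no direction, no connection state, implicit drop.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"www": 80, "https": 443}  # IOS port keywords used in ACEs

# The VACL configuration posted in the thread (blank lines removed).
CONFIG = """
vlan access-map GUEST_ACCESS_VACL 10
 action forward
 match ip address HTTP_AND_HTTPS
vlan access-map GUEST_ACCESS_VACL 20
 action drop
 match ip address ALL_IP
vlan filter GUEST_ACCESS_VACL vlan-list 60
ip access-list extended ALL_IP
 permit ip any any
ip access-list extended HTTP_AND_HTTPS
 permit tcp any any eq www
 permit tcp any eq www any
 permit tcp any any eq 443
 permit tcp any eq 443 any
"""


@dataclass(frozen=True)
class Packet:
    vlan: int
    proto: str                     # "tcp", "udp", "icmp", ...
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    proto: str                     # "ip" matches any IP protocol
    src_port: Optional[int]        # None = any source port
    dst_port: Optional[int]        # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and (self.src_port is None or self.src_port == pkt.src_port)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


def _parse_endpoint(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse 'any' optionally followed by 'eq <port>'; return (port, next index)."""
    if tokens[i] != "any":
        raise ValueError("this toy parser supports only 'any' addresses")
    i += 1
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        i += 2
    return port, i


def parse_config(text: str):
    """Return (access-map entries sorted by sequence, filtered VLAN set, ACLs)."""
    acls: Dict[str, List[Ace]] = {}
    access_map: list = []          # [sequence, action, acl name] per entry
    filtered: set = set()          # VLAN IDs named in 'vlan filter ... vlan-list'
    cur_acl: Optional[List[Ace]] = None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[:2] == ["vlan", "access-map"]:      # t[3] is the SEQUENCE number
            access_map.append([int(t[3]), None, None])
        elif t[0] == "action":
            access_map[-1][1] = t[1]
        elif t[:3] == ["match", "ip", "address"]:
            access_map[-1][2] = t[3]
        elif t[:2] == ["vlan", "filter"]:        # t[4] is the VLAN list, e.g. "60" or "60,70-72"
            for part in t[4].split(","):
                lo, _, hi = part.partition("-")
                filtered.update(range(int(lo), int(hi or lo) + 1))
        elif t[:3] == ["ip", "access-list", "extended"]:
            cur_acl = acls.setdefault(t[3], [])
        elif t[0] == "permit":
            src, i = _parse_endpoint(t, 2)
            dst, _ = _parse_endpoint(t, i)
            cur_acl.append(Ace(t[1], src, dst))
    access_map.sort(key=lambda e: e[0])
    return access_map, filtered, acls


def evaluate(text: str, pkt: Packet) -> Tuple[str, Optional[int]]:
    """Decide (action, matching sequence) for a packet bridged inside its VLAN.

    VLANs not listed under 'vlan filter' are not inspected at all. Inside a
    filtered VLAN, a packet that matches no map entry is dropped (IOS default).
    """
    access_map, filtered, acls = parse_config(text)
    if pkt.vlan not in filtered:
        return "forward", None
    for seq, action, acl_name in access_map:
        if any(ace.matches(pkt) for ace in acls[acl_name]):
            return action, seq
    return "drop", None


def _is_return_ace(line: str) -> bool:
    """True for ACEs of the form 'permit tcp any eq www any' (source-port match)."""
    t = line.split()
    return len(t) > 3 and t[0] == "permit" and t[3] == "eq"


# Constructed variant: the reply-direction (source port 80/443) entries removed.
CONFIG_ONE_WAY = "\n".join(l for l in CONFIG.splitlines() if not _is_return_ace(l))

# Constructed sample packets.
CLIENT_TO_WEB = Packet(vlan=60, proto="tcp", src_port=51234, dst_port=80)
WEB_TO_CLIENT = Packet(vlan=60, proto="tcp", src_port=80, dst_port=51234)
DNS_QUERY = Packet(vlan=60, proto="udp", src_port=51235, dst_port=53)
VLAN10_WEB = Packet(vlan=10, proto="tcp", src_port=51234, dst_port=80)

if __name__ == "__main__":
    for name, pkt in [("client->web", CLIENT_TO_WEB), ("web->client", WEB_TO_CLIENT),
                      ("dns query", DNS_QUERY), ("web on vlan 10", VLAN10_WEB)]:
        print(f"{name:15} posted: {evaluate(CONFIG, pkt)}  one-way: {evaluate(CONFIG_ONE_WAY, pkt)}")
```

With the posted configuration, both halves of an HTTP exchange on VLAN 60 hit sequence 10 and are forwarded, the DNS query falls through to sequence 20 and is dropped, and the packet on VLAN 10 is never inspected because only VLAN 60 is in the filter's vlan-list. With the one-way variant, the client's request is still forwarded but the server's reply (source port 80) matches nothing in HTTP_AND_HTTPS and is dropped at sequence 20, which is exactly why the ACL carries an entry per direction.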
