VLAN Access List not working

Answered Question
Dec 20th, 2013

I'm trying to create a VLAN access list on a switch with the following goal:

VLAN 60 should be able to communicate with all the other RFC-1918 IPs.
VLAN 60 cannot communicate outside to the internet.

I have tried this, but it isn't working: I can't ping the hosts from VLAN60 to another VLAN.

vlan access-map VLAN60 10
 action forward
 match ip address VLAN60-Allow
vlan access-map VLAN60 20
 action drop
!
vlan filter VLAN60 vlan-list 60
!
ip access-list extended VLAN60-Allow
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any 172.16.0.0 0.15.255.255
 permit ip any 192.168.0.0 0.0.255.255
 permit udp any host 255.255.255.255 eq bootps
 permit udp any any eq 1985


Jon Marshall Fri, 12/20/2013 - 13:22
Mohammad

Are you doing this as a test to learn or in a production network?

If it is production then just apply your ACL to the L3 VLAN interface and don't use VLAN access-lists, i.e.

int vlan 60
 ip access-group VLAN60-Allow in

Jon

Mohammad Ali Fri, 12/20/2013 - 13:37

Thank you Jon, I have done it the way you suggested and that definitely works. But I'm trying to see what the benefit of using a VLAN ACL on an L3 switch would be. Currently this is in a test environment, but it will go into production.

Correct Answer
Jon Marshall Fri, 12/20/2013 - 13:40

Mohammad

Personally, I think if you are filtering between VLANs only, then you apply the ACL on the L3 VLAN interface. It is more intuitive, I think, to anyone else looking at the configuration.

If, however, you want to filter traffic within a VLAN, then that is where VACLs are useful. And if you need to do both, i.e. filter within the VLAN and to and from the VLAN, I think again VACLs are the way to go.

Jon

Correct Answer
Peter Paluch Fri, 12/20/2013 - 13:23

Mohammad,

Keep in mind that your VACL is consulted both for traffic leaving VLAN60 as well as for the return traffic entering back. Your ACL does not seem to take the return traffic into account - that would explain why you cannot ping hosts in other VLANs. In fact, you most probably can - but the responses don't make it back through the VACL.

I suggest correcting the ACL as follows:

ip access-list extended VLAN60-Allow
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any 172.16.0.0 0.15.255.255
 permit ip any 192.168.0.0 0.0.255.255
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 172.16.0.0 0.15.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
 permit udp any host 255.255.255.255 eq bootps
 permit udp any eq bootps any eq bootpc
 permit udp any any eq 1985
 permit udp any eq 1985 any

Best regards,

Peter

Mohammad Ali Fri, 12/20/2013 - 13:44

Thank you Peter, OK, that makes sense. Here is what I am doing now and I think it is working as expected. Now I just have to see whether I should use this or what Jon suggested in production; what is the benefit of one over the other, really?

ip access-list extended VLAN60-Allow
 10 permit ip any 10.0.0.0 0.255.255.255
 20 permit ip any 172.16.0.0 0.15.255.255
 30 permit ip any 192.168.0.0 0.0.255.255
 40 permit udp any host 255.255.255.255 eq bootps
 50 permit udp any any eq 1985
!
ip access-list extended Block-Internet
 10 permit ip any any
!
vlan access-map VLAN60 10
 action forward
 match ip address VLAN60-Allow
vlan access-map VLAN60 20
 action drop
 match ip address Block-Internet
!
vlan filter VLAN60 vlan-list 60
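The following Python model is an added example, not code from this thread or from Cisco. It evaluates the final configuration above (the VLAN60-Allow list and the access-map whose second sequence drops whatever the Block-Internet catch-all matches) against constructed sample packets, and contrasts the VACL with Jon's alternative of applying the same list inbound on interface vlan 60. It makes both earlier points visible: the VACL sees both halves of every exchange, which is Peter's return-traffic point, while an inbound SVI ACL is never consulted for replies or for traffic bridged within the VLAN, which is why Jon reserves VACLs for filtering inside a VLAN. Assumptions not in the thread: VLAN 60 is 192.168.60.0/24, the host and internet addresses are made up, and the ACL parser handles only the syntax the thread uses.

```python
"""Added illustration (not Cisco code, not from this thread's authors) of how the final
VLAN60 configuration filters traffic, and of the scope difference between a VACL
('vlan filter') and a router ACL applied inbound on 'interface vlan 60'.
Assumed for the example: VLAN 60 is 192.168.60.0/24 and the sample hosts are constructed."""
import ipaddress

# VLAN60-Allow as in the final configuration (sequence numbers dropped).
VLAN60_ALLOW = [
    "permit ip any 10.0.0.0 0.255.255.255",
    "permit ip any 172.16.0.0 0.15.255.255",
    "permit ip any 192.168.0.0 0.0.255.255",
    "permit udp any host 255.255.255.255 eq bootps",
    "permit udp any any eq 1985",
]
PORT_NAMES = {"bootps": 67, "bootpc": 68}
VLAN60_NET, VLAN60_WILDCARD = "192.168.60.0", "0.0.0.255"  # assumption, not from the thread

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care

def parse_ace(line):
    """Parse the extended-ACL subset used in the thread: <permit|deny> <proto> <src> [eq PORT]
    <dst> [eq PORT], where an endpoint is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    toks = line.split()
    pos = 2

    def take_endpoint():
        nonlocal pos
        if toks[pos] == "any":
            net, wc, pos = "0.0.0.0", "255.255.255.255", pos + 1
        elif toks[pos] == "host":
            net, wc, pos = toks[pos + 1], "0.0.0.0", pos + 2
        else:
            net, wc, pos = toks[pos], toks[pos + 1], pos + 2
        port = None
        if pos < len(toks) and toks[pos] == "eq":
            port = PORT_NAMES.get(toks[pos + 1]) or int(toks[pos + 1])
            pos += 2
        return net, wc, port

    return toks[0], toks[1], take_endpoint(), take_endpoint()

def acl_permits(acl_lines, pkt):
    """First-match evaluation with the implicit 'deny ip any any' at the end."""
    for line in acl_lines:
        action, proto, (snet, swc, sport), (dnet, dwc, dport) = parse_ace(line)
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], snet, swc) and wildcard_match(pkt["dst"], dnet, dwc)):
            continue
        if (sport is not None and sport != pkt["sport"]) or (dport is not None and dport != pkt["dport"]):
            continue
        return action == "permit"
    return False

def in_vlan60(addr):
    return wildcard_match(addr, VLAN60_NET, VLAN60_WILDCARD)

def vacl_decision(pkt):
    """'vlan filter VLAN60 vlan-list 60': every packet bridged inside VLAN 60 or routed into
    or out of it is checked, so both halves of an exchange pass through here. Sequence 10
    forwards on a VLAN60-Allow match; sequence 20 drops what Block-Internet (permit ip any
    any) matches, i.e. everything else."""
    return "forward" if acl_permits(VLAN60_ALLOW, pkt) else "drop"

def racl_in_decision(pkt):
    """'ip access-group VLAN60-Allow in' on interface vlan 60: only packets that VLAN 60 hosts
    send towards other subnets enter the SVI inbound. Replies leave the SVI outbound and
    intra-VLAN traffic is bridged, so neither is checked against this ACL."""
    if in_vlan60(pkt["src"]) and not in_vlan60(pkt["dst"]):
        return "forward" if acl_permits(VLAN60_ALLOW, pkt) else "drop"
    return "not consulted"

def packet(proto, src, dst, sport=None, dport=None):
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}

def reply_to(pkt):
    return packet(pkt["proto"], pkt["dst"], pkt["src"], pkt["dport"], pkt["sport"])

def exchange_works(decide, request):
    """Peter's point: an exchange succeeds only if neither request nor reply is dropped."""
    return all(decide(p) != "drop" for p in (request, reply_to(request)))

# Constructed sample traffic seen on VLAN 60.
PING_TO_10_NET = packet("icmp", "192.168.60.10", "10.1.70.5")
HTTPS_TO_INTERNET = packet("tcp", "192.168.60.10", "203.0.113.80", 51000, 443)
INTRA_VLAN = packet("tcp", "192.168.60.10", "192.168.60.20", 51001, 445)
DHCP_DISCOVER = packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)

if __name__ == "__main__":
    for name, pkt in [("ping to 10.1.70.5", PING_TO_10_NET), ("https to internet", HTTPS_TO_INTERNET),
                      ("intra-VLAN smb", INTRA_VLAN), ("dhcp discover", DHCP_DISCOVER)]:
        print(f"{name:18} VACL={vacl_decision(pkt):8} SVI-in={racl_in_decision(pkt)}")
    print("ping exchange through VACL:", exchange_works(vacl_decision, PING_TO_10_NET))
    print("internet exchange through VACL:", exchange_works(vacl_decision, HTTPS_TO_INTERNET))
```

Run it as a script to print the per-packet decisions. Because the VACL checks both directions, which entries the reply half of an exchange matches depends on the address range of VLAN 60 itself; substitute the real range in VLAN60_NET and VLAN60_WILDCARD, and paste any extra entries (for example Peter's reverse-direction lines) into VLAN60_ALLOW, before drawing conclusions about your own list.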
