VLAN Access List not working

ALIAOF_
Level 6

I'm trying to create a VLAN access list on a switch with the following goals:

VLAN 60 should be able to communicate with all the other RFC 1918 IPs.

VLAN 60 cannot communicate outside to the internet.

I have tried this, but it isn't working: I can't ping hosts in another VLAN from VLAN 60.

vlan access-map VLAN60 10
 action forward
 match ip address VLAN60-Allow
vlan access-map VLAN60 20
 action drop
!
vlan filter VLAN60 vlan-list 60
!
ip access-list extended VLAN60-Allow
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any 172.16.0.0 0.15.255.255
 permit ip any 192.168.0.0 0.0.255.255
 permit udp any host 255.255.255.255 eq bootps
 permit udp any any eq 1985

5 Replies

Jon Marshall
Hall of Fame

Mohammad

Are you doing this as a test to learn or in a production network?

If it is production then just apply your ACL to the L3 VLAN interface and don't use VLAN access-lists, i.e.

int vlan 60
 ip access-group VLAN60-Allow in

Jon

Thank you Jon, I have done it the way you suggested and that definitely works. But I'm trying to see what the benefit of using a VLAN ACL on an L3 switch would be. Currently this is in a test environment, but it will go into production.

Mohammad

Personally I think if you are filtering between VLANs only then you apply the ACL on the L3 VLAN interface. It is more intuitive, I think, to anyone else looking at the configuration.

If, however, you want to filter traffic within a VLAN, then that is where VACLs are useful. And if you need to do both, i.e. filter within the VLAN and to and from the VLAN, I think again VACLs are the way to go.

Jon

Peter Paluch
Cisco Employee

Mohammad,

Keep in mind that your VACL is consulted both for traffic leaving VLAN 60 as well as the return traffic entering back. Your ACL does not seem to take the return traffic into account - that would explain why you cannot ping hosts in other VLANs. In fact, you most probably can - but the responses don't make it back through the VACL.

I suggest correcting the ACL as follows:

ip access-list extended VLAN60-Allow
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any 172.16.0.0 0.15.255.255
 permit ip any 192.168.0.0 0.0.255.255
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 172.16.0.0 0.15.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
 permit udp any host 255.255.255.255 eq bootps
 permit udp any eq bootps any eq bootpc
 permit udp any any eq 1985
 permit udp any eq 1985 any

Best regards,

Peter
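Peter's point that the VACL sees both directions of a conversation can be checked offline with a small evaluator that applies IOS extended-ACL semantics (first matching entry wins, implicit deny, wildcard masks) to both versions of VLAN60-Allow; this is an added example, not code from the thread or from Cisco. It assumes VLAN 60 is 10.60.0.0/24 with its gateway and DHCP relay at 10.60.0.1, and the constructed packets in the test are a ping to another VLAN, a DHCP offer broadcast back to a client (forwarded only by the corrected list) and a packet toward a non-RFC1918 address, which the corrected list's `permit ip 10.0.0.0 0.255.255.255 any` also forwards because the VLAN's own hosts sit in 10/8.

```python
import ipaddress
from collections import namedtuple

Pkt = namedtuple("Pkt", "proto src dst sport dport")  # constructed packet; port 0 = n/a
PORT_NAMES = {"bootps": 67, "bootpc": 68}

def _take_addr(toks):
    # 'any' is one token; 'host A.B.C.D' and 'A.B.C.D WILDCARD' are two.
    return (toks[:1], toks[1:]) if toks[0] == "any" else (toks[:2], toks[2:])

def _take_port(toks):  # optional 'eq PORT' qualifier after an address
    if toks[:1] != ["eq"]:
        return None, toks
    return int(PORT_NAMES.get(toks[1], toks[1])), toks[2:]

def _addr_match(spec, ip):
    if spec == ["any"]:
        return True
    if spec[0] == "host":
        return ip == spec[1]
    net, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    return (int(ipaddress.IPv4Address(ip)) | wild) == (net | wild)  # wildcard 1 = don't care

def parse_ace(line):  # e.g. "permit udp any eq bootps any eq bootpc"
    toks = line.split()
    src, rest = _take_addr(toks[2:])
    sport, rest = _take_port(rest)
    dst, rest = _take_addr(rest)
    dport, _ = _take_port(rest)
    return toks[0], toks[1], src, sport, dst, dport

def ace_matches(ace, p):
    _, proto, src, sport, dst, dport = ace
    return (proto in ("ip", p.proto) and _addr_match(src, p.src)
            and _addr_match(dst, p.dst) and sport in (None, p.sport)
            and dport in (None, p.dport))

def vacl_forwards(allow_acl, p):
    # The thread's access-map: seq 10 forwards on a permit in VLAN60-Allow and
    # seq 20 drops everything else, so the ACL's implicit deny becomes a drop.
    for line in allow_acl:
        ace = parse_ace(line)
        if ace_matches(ace, p):
            return ace[0] == "permit"
    return False

RFC1918 = ["10.0.0.0 0.255.255.255", "172.16.0.0 0.15.255.255", "192.168.0.0 0.0.255.255"]
ORIGINAL = ["permit ip any " + n for n in RFC1918] + [
    "permit udp any host 255.255.255.255 eq bootps", "permit udp any any eq 1985"]
CORRECTED = ORIGINAL[:3] + ["permit ip %s any" % n for n in RFC1918] + ORIGINAL[3:] + [
    "permit udp any eq bootps any eq bootpc", "permit udp any eq 1985 any"]
```

When VLAN 60 hosts are themselves in RFC 1918 space, the reverse entries need the VLAN's own subnet as the source rather than the whole private range, or the internet block stated in the question no longer holds.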

Thank you Peter, OK, that makes sense. Here is what I am doing now and I think it is working as expected. Now I just have to see whether I should use this or what Jon suggested in production, and what the benefit of one over the other really is.

ip access-list extended VLAN60-Allow
 10 permit ip any 10.0.0.0 0.255.255.255
 20 permit ip any 172.16.0.0 0.15.255.255
 30 permit ip any 192.168.0.0 0.0.255.255
 40 permit udp any host 255.255.255.255 eq bootps
 50 permit udp any any eq 1985
!
ip access-list extended Block-Internet
 10 permit ip any any
!
vlan access-map VLAN60 10
 action forward
 match ip address VLAN60-Allow
vlan access-map VLAN60 20
 action drop
 match ip address Block-Internet
!
vlan filter VLAN60 vlan-list 60
