12-20-2013 01:17 PM - edited 03-07-2019 05:12 PM
I'm trying to create a VLAN access list on a switch with the following goal:
VLAN 60 should be able to communicate with all the other RFC 1918 IPs
VLAN 60 cannot communicate outside to the internet
I have tried this, but it isn't working; I can't ping the hosts from VLAN 60 to another VLAN.
vlan access-map VLAN60 10
 action forward
 match ip address VLAN60-Allow
vlan access-map VLAN60 20
 action drop
!
! apply the map to VLAN 60
vlan filter VLAN60 vlan-list 60
!
! destinations in the three RFC 1918 ranges (wildcard masks are inverted netmasks)
ip access-list extended VLAN60-Allow
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any 172.16.0.0 0.15.255.255
 permit ip any 192.168.0.0 0.0.255.255
 permit udp any host 255.255.255.255 eq bootps
 permit udp any any eq 1985
12-20-2013 01:23 PM
Mohammad,
Keep in mind that your VACL is consulted both for traffic leaving VLAN 60 as well as for the return traffic entering back. Your ACL does not seem to take the return traffic into account; that would explain why you cannot ping hosts in other VLANs. In fact, you most probably can, but the responses don't make it back through the VACL.
I suggest correcting the ACL as follows:
ip access-list extended VLAN60-Allow
 ! traffic towards the RFC 1918 ranges
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any 172.16.0.0 0.15.255.255
 permit ip any 192.168.0.0 0.0.255.255
 ! return traffic sourced from the RFC 1918 ranges
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 172.16.0.0 0.15.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
 ! DHCP: client broadcasts to the server port, server replies from 67 to 68
 permit udp any host 255.255.255.255 eq bootps
 permit udp any eq bootps any eq bootpc
 ! HSRP (UDP 1985) in both directions
 permit udp any any eq 1985
 permit udp any eq 1985 any
Best regards,
Peter
12-20-2013 01:40 PM
Mohammad
Personally I think if you are filtering between VLANs only then you apply the ACL on the L3 VLAN interface. It is more intuitive, I think, to anyone else looking at the configuration.
If however you want to filter traffic within a VLAN then that is where VACLs are useful. And if you need to do both, i.e. filter within the VLAN and to and from the VLAN, I think again VACLs are the way to go.
Jon
12-20-2013 01:22 PM
Mohammad
Are you doing this as a test to learn or in a production network?
If it is production then just apply your ACL to the L3 VLAN interface and don't use VLAN access-lists, i.e.
int vlan 60
 ip access-group VLAN60-Allow in
Jon
12-20-2013 01:37 PM
Thank you Jon, I have done it the way you suggested and that definitely works. But I'm trying to see what the benefit of using a VLAN ACL on a L3 switch would be. Currently this is in a test environment but it will go into production.
12-20-2013 01:44 PM
Thank you Peter, OK that makes sense. Here is what I am doing now and I think it is working as expected. Now I just have to see whether I should use this or what Jon suggested in production; what is the benefit of one over the other really?
ip access-list extended VLAN60-Allow
 10 permit ip any 10.0.0.0 0.255.255.255
 20 permit ip any 172.16.0.0 0.15.255.255
 30 permit ip any 192.168.0.0 0.0.255.255
 40 permit udp any host 255.255.255.255 eq bootps
 50 permit udp any any eq 1985
!
! catch-all used as the match clause of the drop sequence
ip access-list extended Block-Internet
 10 permit ip any any
!
vlan access-map VLAN60 10
 action forward
 match ip address VLAN60-Allow
vlan access-map VLAN60 20
 action drop
 match ip address Block-Internet
!
vlan filter VLAN60 vlan-list 60
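Both placements discussed in this thread can be checked offline before anything goes into production. The Python script below is an added example, not code from the thread or from Cisco: it parses extended ACL entries with Cisco wildcard masks and evaluates the ACL from the question and the one Peter proposed against a few constructed flows, once as a VACL (the packet leaving VLAN 60 and the reply routed back in both cross the filter, as Peter describes) and once as an inbound ACL on the SVI (only the packet from VLAN 60 does, as with Jon's `ip access-group VLAN60-Allow in`). Everything about addressing is an assumption, since the thread never states it: VLAN 60 is 192.168.60.0/24 with a host 192.168.60.10, 10.1.1.1 is a host in another RFC 1918 VLAN, 203.0.113.5 stands in for an internet host, and the DHCP offer is modelled as a broadcast from the SVI/relay at 192.168.60.1. There is no connection tracking; each direction is judged purely by the ACL, which is how a VACL works.

```python
"""Offline model of the extended ACLs in this thread (added example, not thread code).
Addressing is assumed: VLAN 60 is 192.168.60.0/24, 10.1.1.1 is in another RFC 1918 VLAN."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"bootps": 67, "bootpc": 68}  # service names used in the thread's ACLs
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(None, None))
Rule = namedtuple("Rule", "action proto src sport dst dport")  # proto "ip" matches all

def _addr_spec(toks, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' plus an optional 'eq PORT'.
    A Cisco wildcard is the inverse of a netmask: 0.255.255.255 means /8."""
    if toks[i] == "any":
        net, i = ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    elif toks[i] == "host":
        net, i = ipaddress.IPv4Network(toks[i + 1] + "/32"), i + 2
    else:
        netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(toks[i + 1])))
        net, i = ipaddress.IPv4Network((toks[i], str(netmask)), strict=False), i + 2
    port = None
    if i < len(toks) and toks[i] == "eq":
        port = PORT_NAMES[toks[i + 1]] if toks[i + 1] in PORT_NAMES else int(toks[i + 1])
        i += 2
    return net, port, i

def parse_acl(text):
    """Parse 'permit|deny PROTO SRC [eq P] DST [eq P]' entries; sequence numbers
    and non-entry lines are skipped."""
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        if toks and toks[0].isdigit():
            toks = toks[1:]
        if not toks or toks[0] not in ("permit", "deny"):
            continue
        src, sport, i = _addr_spec(toks, 2)
        dst, dport, _ = _addr_spec(toks, i)
        rules.append(Rule(toks[0], toks[1], src, sport, dst, dport))
    return rules

def acl_decision(rules, pkt):
    """First matching entry wins; no match is the implicit deny at the end."""
    for r in rules:
        if (r.proto in ("ip", pkt.proto)
                and ipaddress.IPv4Address(pkt.src) in r.src and ipaddress.IPv4Address(pkt.dst) in r.dst
                and r.sport in (None, pkt.sport) and r.dport in (None, pkt.dport)):
            return r.action
    return "deny"

def flow_usable(rules, request, reply, model):
    """'vacl': both the packet leaving VLAN 60 and the reply routed back in cross the
    filter; 'svi_in' (ip access-group ... in on the SVI): only the request does."""
    if model == "svi_in":
        return acl_decision(rules, request) == "permit"
    return acl_decision(rules, request) == "permit" and acl_decision(rules, reply) == "permit"

ORIGINAL_ACL = """
permit ip any 10.0.0.0 0.255.255.255
permit ip any 172.16.0.0 0.15.255.255
permit ip any 192.168.0.0 0.0.255.255
permit udp any host 255.255.255.255 eq bootps
permit udp any any eq 1985
"""
PETER_ACL = """
permit ip any 10.0.0.0 0.255.255.255
permit ip any 172.16.0.0 0.15.255.255
permit ip any 192.168.0.0 0.0.255.255
permit ip 10.0.0.0 0.255.255.255 any
permit ip 172.16.0.0 0.15.255.255 any
permit ip 192.168.0.0 0.0.255.255 any
permit udp any host 255.255.255.255 eq bootps
permit udp any eq bootps any eq bootpc
permit udp any any eq 1985
permit udp any eq 1985 any
"""

H60 = "192.168.60.10"  # assumed VLAN 60 host
# Constructed request/reply pairs (not captures from the thread); the DHCP offer is
# modelled as a broadcast from the SVI/relay at 192.168.60.1.
FLOWS = {
    "ping rfc1918": (Packet("icmp", H60, "10.1.1.1"), Packet("icmp", "10.1.1.1", H60)),
    "https internet": (Packet("tcp", H60, "203.0.113.5", 40000, 443),
                       Packet("tcp", "203.0.113.5", H60, 443, 40000)),
    "dhcp": (Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),
             Packet("udp", "192.168.60.1", "255.255.255.255", 67, 68)),
}

def report():
    """{(acl, model, flow): usable} for both ACLs under both filter placements."""
    acls = {"original": parse_acl(ORIGINAL_ACL), "peter": parse_acl(PETER_ACL)}
    return {(name, model, flow): flow_usable(rules, req, rep, model)
            for name, rules in acls.items() for model in ("vacl", "svi_in")
            for flow, (req, rep) in FLOWS.items()}

if __name__ == "__main__":
    for (name, model, flow), ok in report().items():
        print(f"{name:8} {model:6} {flow:15} {'usable' if ok else 'blocked'}")
```

Two results are worth reading off the table. With the assumed addressing, the question's original ACL lets the ping and its reply through under the VACL model (the reply's destination is itself an RFC 1918 address), but a broadcast DHCP offer from the SVI matches nothing and is dropped, which is the gap Peter's `permit udp any eq bootps any eq bootpc` entry closes. And because VLAN 60 hosts are themselves in RFC 1918 space, an entry such as `permit ip 192.168.0.0 0.0.255.255 any` matches packets from VLAN 60 to any destination, so once those lines are present the https flow to 203.0.113.5 is permitted under both placements; whoever adopts that ACL should check that the "no internet" requirement is still enforced somewhere, for example by a deny for non-RFC 1918 destinations ahead of them.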