Cisco Support Community
New Member

Restrict Access to VLAN

I am trying to restrict traffic into a VLAN on a 3750. I only want to allow access from specific IP addresses and drop everything else. I set up the following ACL and VLAN map configs on the 3750.

ip access-list extended QA_VLAN_ACL
 permit ip host 10.3.10.77 any
 permit tcp host 10.3.10.77 any
 permit tcp host 10.3.10.35 any
 permit tcp host 10.3.10.36 any
 permit tcp host 10.3.10.37 any
 permit tcp host 10.3.10.38 any
 permit tcp host 10.3.10.39 any
 permit tcp host 10.3.10.40 any
 permit tcp host 10.3.10.41 any
 permit tcp host 10.3.10.42 any
 permit tcp host 10.3.10.43 any
 permit tcp host 10.3.10.44 any
 permit udp host 10.3.10.35 any
 permit udp host 10.3.10.36 any
 permit udp host 10.3.10.37 any
 permit udp host 10.3.10.38 any
 permit udp host 10.3.10.39 any
 permit udp host 10.3.10.40 any
 permit udp host 10.3.10.41 any
 permit udp host 10.3.10.42 any
 permit udp host 10.3.10.43 any
 permit udp host 10.3.10.44 any
 permit udp host 10.3.10.77 any
!
vlan access-map QA_VLAN_MAP 10
 action forward
 match ip address QA_VLAN_ACL
!
vlan filter QA_VLAN_MAP vlan-list 325

However, it doesn't seem to work. If I have the action set to forward, then everything gets through and nothing is dropped. If I set the action to drop, everything is dropped. I am not sure what I am doing wrong. Any help that can be provided will be much appreciated. Thanks.

10 REPLIES
Hall of Fame Super Bronze

Re: Restrict Access to VLAN

Hi Ernest,

VLAN maps have no direction. To filter traffic in a specific direction by using a VLAN map, you need to include an ACL with specific source or destination addresses.

If there is a match clause for that type of packet (IP or MAC) in the VLAN map, the default action is to drop the packet if the packet does not match any of the entries within the map.

If there is no match clause for that type of packet, the default is to forward the packet.

Can you add deny ip any any at the end of the ACL and see if the behavior changes?

HTH,

__

Edison.

New Member

Re: Restrict Access to VLAN

I have deny tcp any any and deny udp any any at the end of the ACL.

Hall of Fame Super Bronze

Re: Restrict Access to VLAN

Please post the whole config.

__

Edison.

New Member

Re: Restrict Access to VLAN

Here is the config from the 3750.

Hall of Fame Super Bronze

Re: Restrict Access to VLAN

Try this approach:

vlan access-map QA_VLAN_MAP 10
 match ip address QA_VLAN_ACL
 action forward
vlan access-map QA_VLAN_MAP 20
 match ip address QA_VLAN_ACL_DROP
 action drop
!
ip access-list extended QA_VLAN_ACL
 permit ip host 10.3.10.77 any
 permit tcp host 10.3.10.77 any
 permit tcp host 10.3.10.35 any
 permit tcp host 10.3.10.36 any
 permit tcp host 10.3.10.37 any
 permit tcp host 10.3.10.38 any
 permit tcp host 10.3.10.39 any
 permit tcp host 10.3.10.40 any
 permit tcp host 10.3.10.41 any
 permit tcp host 10.3.10.42 any
 permit tcp host 10.3.10.43 any
 permit tcp host 10.3.10.44 any
 permit udp host 10.3.10.35 any
 permit udp host 10.3.10.36 any
 permit udp host 10.3.10.37 any
 permit udp host 10.3.10.38 any
 permit udp host 10.3.10.39 any
 permit udp host 10.3.10.40 any
 permit udp host 10.3.10.41 any
 permit udp host 10.3.10.42 any
 permit udp host 10.3.10.43 any
 permit udp host 10.3.10.44 any
 permit udp host 10.3.10.77 any
!
ip access-list extended QA_VLAN_ACL_DROP
 permit ip any any

HTH,

__

Edison.

New Member

Re: Restrict Access to VLAN

Thanks for the quick replies Edison. I will test these configs when I am onsite tomorrow. I will let you know what happens.

New Member

Re: Restrict Access to VLAN

I applied these configs. When I add the vlan filter QA_VLAN_MAP vlan-list 325 statement, I am able to connect to the gateway 10.3.25.1 from any host, but I am unable to connect to any hosts in vlan 325 from an ip that is permitted in the QA_VLAN_ACL.

Hall of Fame Super Bronze

Re: Restrict Access to VLAN

The ACL is affecting devices on Vlan 310 (Subnet 10.3.10.x) therefore the vlan-list should be applied to 310 not 325.

__

Edison.

New Member

Re: Restrict Access to VLAN

If I apply this to vlan 310, will traffic from other vlans be blocked? That is what I am trying to achieve.
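The following is an added configuration example, not posted by anyone in this thread, showing two ways to reach the goal stated in the original question (only the listed 10.3.10.x hosts may reach VLAN 325) while avoiding the breakage reported above. Option A keeps the VLAN map approach from Edison's reply but adds a clause for traffic sourced inside VLAN 325, because a VLAN map has no direction and is stateless: it sees intra-VLAN traffic and the replies from 10.3.25.x hosts, which the original ACL did not permit. Option B uses a router ACL on the SVI instead, which filters only traffic routed into the VLAN. The host list, the network 10.3.25.0/24 and the gateway 10.3.25.1 come from the thread; the ACL names, the interface name Vlan325, the assumption that the 3750 is the gateway, and the optional `established` entry are assumptions made for the example.

```cisco
! ===== Option A: VLAN map on VLAN 325 =====
! A VLAN map is directionless and stateless: it is applied to packets bridged
! within VLAN 325 and to packets routed into or out of it. Traffic sourced in
! VLAN 325 (intra-VLAN traffic and replies to the permitted hosts) must
! therefore be forwarded explicitly, or every connection in the VLAN breaks.
ip access-list extended QA_VLAN_PERMIT
 permit ip 10.3.25.0 0.0.0.255 any
 permit ip host 10.3.10.77 10.3.25.0 0.0.0.255
 permit ip host 10.3.10.35 10.3.25.0 0.0.0.255
 permit ip host 10.3.10.36 10.3.25.0 0.0.0.255
 permit ip host 10.3.10.37 10.3.25.0 0.0.0.255
 permit ip host 10.3.10.38 10.3.25.0 0.0.0.255
 permit ip host 10.3.10.39 10.3.25.0 0.0.0.255
 permit ip host 10.3.10.40 10.3.25.0 0.0.0.255
 permit ip host 10.3.10.41 10.3.25.0 0.0.0.255
 permit ip host 10.3.10.42 10.3.25.0 0.0.0.255
 permit ip host 10.3.10.43 10.3.25.0 0.0.0.255
 permit ip host 10.3.10.44 10.3.25.0 0.0.0.255
!
! Inside a VLAN map a "deny" ACE does not drop anything: it only means the
! packet does not match this map clause and falls through to the next one.
! The catch-all used by the drop clause must therefore be a permit.
ip access-list extended QA_VLAN_DROP_ALL
 permit ip any any
!
vlan access-map QA_VLAN_MAP 10
 match ip address QA_VLAN_PERMIT
 action forward
vlan access-map QA_VLAN_MAP 20
 match ip address QA_VLAN_DROP_ALL
 action drop
!
vlan filter QA_VLAN_MAP vlan-list 325
!
! ===== Option B: router ACL on the VLAN 325 SVI =====
! Assumes the 3750 is the gateway 10.3.25.1 on interface Vlan325. "out" on
! the SVI filters packets routed INTO VLAN 325; intra-VLAN traffic, which is
! switched and never crosses the SVI, is unaffected. This ACL is stateless
! too: if 10.3.25.x hosts initiate sessions to other VLANs, the returning
! packets are also routed into 325 and hit the final deny. The "established"
! entry lets TCP replies back in; UDP replies would still need explicit ACEs.
ip access-list extended QA_VLAN_325_IN
 permit ip host 10.3.10.77 10.3.25.0 0.0.0.255
 permit ip host 10.3.10.35 10.3.25.0 0.0.0.255
 permit ip host 10.3.10.36 10.3.25.0 0.0.0.255
 permit ip host 10.3.10.37 10.3.25.0 0.0.0.255
 permit ip host 10.3.10.38 10.3.25.0 0.0.0.255
 permit ip host 10.3.10.39 10.3.25.0 0.0.0.255
 permit ip host 10.3.10.40 10.3.25.0 0.0.0.255
 permit ip host 10.3.10.41 10.3.25.0 0.0.0.255
 permit ip host 10.3.10.42 10.3.25.0 0.0.0.255
 permit ip host 10.3.10.43 10.3.25.0 0.0.0.255
 permit ip host 10.3.10.44 10.3.25.0 0.0.0.255
 permit tcp any 10.3.25.0 0.0.0.255 established
 deny   ip any any log
!
interface Vlan325
 ip access-group QA_VLAN_325_IN out
!
! Verification (exec mode):
!   show vlan access-map QA_VLAN_MAP
!   show vlan filter
!   show ip access-lists QA_VLAN_325_IN
```

Use one option or the other, not both, so that a dropped packet can be attributed to a single filter. The `log` keyword on the final deny of Option B makes rejected connection attempts visible in the switch log, which is the quickest way to confirm the filter is doing what was intended before tightening it further; `permit ip` for each host is used in place of the separate tcp and udp entries from the thread, since `ip` already covers both. Neither option inspects application state, so a permitted 10.3.10.x address that is spoofed or compromised still gets in; for anything beyond an address allow-list, a stateful firewall in the path is the appropriate control.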

New Member

Re: Restrict Access to VLAN

I am having the same problem, I am using a 3560 and whenever I try to drop a subnet everything is dropped.
