VACL scenario

sarahr202
Level 5

Hi everybody.

How is everyone doing?

h1----------sw1-----trunk-----sw2----h2

h1----199.199.199.1/24

h2----199.199.199.2/24

Both h1 and h2 are in the same VLAN 2.

We want to stop h1 from reaching h2 using a VACL.

We configure sw1 as:

Sw1(config)# ip access-list extended local-17

                   permit ip host 199.199.199.1 host 199.199.199.2

switch(config)# vlan access-map block-17 10

                      match ip address local-17

                      action drop

Switch(config)# vlan filter block-17 vlan-list 2

======================================

Will the above config on sw1 prevent h1 from reaching h2 considering the fact h1 and h2 are located on different switches?

thanks and have a great weekend.


7 Replies

Reza Sharifi
Hall of Fame

Hi Sarah,

According to the config guide you would need to apply it to the switch that has an SVI configured (layer-3).

VACLs applied to VLANs are active only for VLANs with a Layer 3 VLAN interface configured.

Applying a VLAN access map to a VLAN without a Layer 3 VLAN interface creates an administratively down Layer 3 VLAN interface to support the VLAN access map.

Here is the link:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.0SY/configuration/guide/vlan_acls.pdf

HTH

Thanks Reza.

VACLs applied to VLANs are active only for VLANs with a Layer 3 VLAN interface configured.

Applying a VLAN access map to a VLAN without a Layer 3 VLAN interface creates an administratively down Layer 3 VLAN interface to support the VLAN access map.

It means we can only use a VACL on a multilayer switch with an SVI configured for the VLAN.

h1------sw2--trunk------sw3--------h2

If sw3 is a layer 3 switch and has int vlan 2 in "up and up" status, only then can we configure a VACL, and that has to be on the switch configured with the layer 3 SVI for the VLAN.

But if above is true, then consider the following case:

h1----------------sw1--------trunk-------sw3(multilayer switch)------Rest of the network
                   |
                   h2

Sw1 is a layer 2 switch, h1 and h2 are in vlan 2, Sw3 is configured with int vlan 2.

According to the link we must configure the VACL on sw3 because that is the switch with the active SVI for vlan 2.

Now if we want to restrict traffic from h1 to h2, we will not be able to do it. My understanding is that since the VACL is configured on sw3, sw2 has no idea that traffic from h1 needs to be dropped. Consequently, sw2 simply forwards the frame from h1 to h2. The VACL is completely bypassed.

I appreciate your help and as always your impressive input.

thanks and have a great weekend.

Hi Sarah,

In this case you can apply the mac access list and apply it to sw1.

Here is an example:

mac access-list extended test

deny host 1102.8765.0ab0 host 1102.8765.1234

vlan access-map test 10

action drop

match mac address test

vlan access-map test 50

In this case we are using vlan 50.

HTH

Thanks Reza

However, I just want to confirm my understanding based on your link and discussion.

The VACL should be configured on the multilayer switch which has the corresponding SVI for the VLAN in up and up status.

thanks and have a great weekend.

Hi Reza.

Does a VACL require that source and destination be connected to the same switch on which the VACL is configured?

For example:

h1--access link --sw1---trunk-----SW2(multilayer switch)----trunk--------------Sw3---access link --h2

We want to stop traffic from h1 to h2 using a VACL.

We configure the VACL on sw2, which has the SVI in up and up status.

But the destination h2 is not connected to sw2. Can we still configure a VACL to stop traffic from h1 to h2 considering h2 is not directly connected to sw2?

thanks and have a nice week.

Hi Sarah,

VACL can be based on source/destination IP or MAC address. In this case, you can apply the vlan on switch 2 and deny traffic coming from h1 to h2 or vice versa.

Here is a good doc on VACL with explanation and an example showing how you deny traffic within the same vlan.

http://blog.ine.com/2009/08/10/vlan-access-control-lists-vacls-tiers-1/

HTH

Reza

Thanks Reza

A few questions about the order of execution of match and action statements within a vlan access map.
Is the match statement always executed first, before the action, in a vlan access map? E.g. in the link you forwarded I noticed the following order:

SW2(config-ext-nacl)#vlan access-map VACL_STOPTELNET
SW2(config-access-map)#action drop
SW2(config-access-map)#match ip address ACL_TELNETR1_R2


Above, the "action" statement precedes the "match" statement, but yet the "match" statement is executed first. I want to confirm if this is the case.

The second thing I noticed: if only an action statement is listed, it will be executed, i.e. an action statement does not require that a match statement be present.
Below is the config from the article you forwarded. Here only an action statement is listed without any match statement.
I just want to confirm that.

SW2(config-access-map)#vlan access-map VACL_STOPTELNET
SW2(config-access-map)#action forward
SW2(config-access-map)#exit

thanks and have a nice week.
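The two configurations discussed in this thread (the original block-17 map and the VACL_STOPTELNET map from the linked article) can be reasoned about with a small model of how an access map is evaluated. The following Python is an added, constructed teaching model; it is not Cisco code and not from any post in the thread. It encodes the documented VACL semantics: sequences are evaluated in ascending order, the match clause of a sequence is always tested before its action regardless of the order the two lines were typed, a sequence with no match clause matches every packet, a permit entry in the referenced ACL selects traffic for that sequence rather than forwarding it, and a packet that matches no sequence is dropped by the implicit deny at the end of the map. The body of ACL_TELNETR1_R2 is not shown on the page, so the entry used here is assumed, as are the sequence numbers 10 and 20 for the two VACL_STOPTELNET entries.

```python
"""Constructed model of how a Cisco VLAN access map (VACL) is evaluated.

Added teaching model, not Cisco code and not from the thread.
Semantics modelled:
  * sequences are evaluated in ascending sequence number;
  * within a sequence the match clause is always tested first, whatever
    order 'match' and 'action' were typed in; the action fires only on a hit;
  * a sequence with no match clause matches every packet;
  * a 'permit' entry in the referenced ACL selects traffic for the sequence
    (it does not forward anything by itself); 'deny' entries de-select it;
  * a packet that matches no sequence is dropped (implicit deny at map end).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class AclEntry:
    permit: bool
    src: str                      # "any" or an address/prefix, e.g. "199.199.199.1/32"
    dst: str
    protocol: str = "ip"          # "ip" matches any protocol; otherwise "tcp", "udp", ...
    dst_port: Optional[int] = None


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    dst_port: Optional[int] = None


@dataclass
class MapSeq:
    seq: int
    action: str                                 # "forward" or "drop"
    match_acl: Optional[List[AclEntry]] = None  # None = no match clause at all


def _addr_match(rule: str, addr: str) -> bool:
    return rule == "any" or ip_address(addr) in ip_network(rule, strict=False)


def acl_selects(acl: List[AclEntry], pkt: Packet) -> bool:
    """First-match ACL walk; the packet is selected only if that entry is a permit."""
    for e in acl:
        proto_ok = e.protocol == "ip" or e.protocol == pkt.protocol
        port_ok = e.dst_port is None or e.dst_port == pkt.dst_port
        if proto_ok and port_ok and _addr_match(e.src, pkt.src) and _addr_match(e.dst, pkt.dst):
            return e.permit
    return False   # the ACL's own implicit deny: nothing selected


def vacl_verdict(access_map: List[MapSeq], pkt: Packet) -> str:
    """Return 'forward' or 'drop' for pkt under the given access map."""
    for s in sorted(access_map, key=lambda m: m.seq):
        if s.match_acl is None or acl_selects(s.match_acl, pkt):
            return s.action
    return "drop"  # implicit deny at the end of the access map


# The original poster's configuration: ACL local-17 referenced by block-17 seq 10.
LOCAL_17 = [AclEntry(True, "199.199.199.1/32", "199.199.199.2/32")]
BLOCK_17 = [MapSeq(10, "drop", LOCAL_17)]

# The article's map, typed action-before-match. ACL_TELNETR1_R2 is not shown on
# the page; the entry below is assumed. Sequence numbers 10/20 are assumed too.
ACL_TELNETR1_R2 = [AclEntry(True, "any", "any", "tcp", 23)]
VACL_STOPTELNET = [
    MapSeq(10, "drop", ACL_TELNETR1_R2),
    MapSeq(20, "forward"),           # action only, no match clause: catch-all
]


def demo_block17() -> Dict[str, str]:
    """h1->h2 is dropped as intended, but so is everything else on VLAN 2,
    because block-17 has no trailing 'forward' sequence."""
    return {
        "h1_to_h2": vacl_verdict(BLOCK_17, Packet("199.199.199.1", "199.199.199.2")),
        "h2_to_h1": vacl_verdict(BLOCK_17, Packet("199.199.199.2", "199.199.199.1")),
    }


def demo_stoptelnet() -> Dict[str, str]:
    """Telnet hits seq 10 and is dropped; all other traffic falls through to seq 20."""
    telnet = Packet("199.199.199.1", "199.199.199.2", "tcp", 23)
    https = Packet("199.199.199.1", "199.199.199.2", "tcp", 443)
    return {
        "telnet": vacl_verdict(VACL_STOPTELNET, telnet),
        "https": vacl_verdict(VACL_STOPTELNET, https),
    }


if __name__ == "__main__":
    print(demo_block17())     # {'h1_to_h2': 'drop', 'h2_to_h1': 'drop'}
    print(demo_stoptelnet())  # {'telnet': 'drop', 'https': 'forward'}
```

The `demo_block17` result is the check worth running before deploying a map like the one in the first post: with only a drop sequence and no final `action forward` sequence, the implicit deny at the end of the access map drops every packet on the filtered VLAN, not just h1 to h2. The `demo_stoptelnet` result shows why the article's second entry, an action with no match clause, is there: it is the catch-all that keeps the rest of the VLAN's traffic flowing.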