Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
661
Views
0
Helpful
2
Replies

Vlan ACLs Not Working

anthony.knoll
Level 1
Level 1

‎09-27-2005 08:15 PM - edited ‎03-03-2019 12:11 AM

Hey All,

I am upgrading our entire network with new Cisco switches (upgrading from old Enterasys boxes) and currently have all my new switches in my lab for testing. I am just about complete but I am having an issue protecting my management vlan using acls and vacls on my new core switch (Cisco 6509).

I am using vlan 5 as my management vlan, using an interface of 10.5.x.x. I am attempting to use an acl or vacl to block all access to this vlan from any host other then other 10.5.x.x machines or my network team’s address in the 10.202.69.x range. I have tried a regular acl on the vlan interface but that only blocked routed traffic and would let switched traffic in. So I moved on to vacls. My issue is that even while using a vacl, traffic from other vlans being switched and or sometimes being routed is still being allowed to hit that management interface. I think my problem is that I must not understand vacls very well. I am including the pertinent config below. Any help or ideas would be great.

---start config---

vlan access-map Vlan_5_ACL 10

match ip address 5

action forward

vlan filter Vlan_5_ACL vlan-list 5

int gi3/1

description – port for system that can still ping vlan 5 interface from a 10.6.1.5 address

switchport

switchport mode access

switchport vlan 6

int vlan 5

description interface for management vlan

ip address 10.5.1.1 255.255.0.0

no shutdown

int vlan 6

description default gateway for vlan 6

ip address 10.6.1.1 255.255.0.0

no shutdown

access-list 5 permit 10.5.0.0 0.0.255.255

access-list 5 permit 10.202.69.0 0.255.255.255

---end config---

Now from what I understand this vacl should be applied to all traffic entering the vlan via switching, and then to traffic entering via routing. Also, I only have an access-map for allowing the specified traffic since there is supposed to be an applied deny after all vacls. So, my understanding is that all traffic router or switch should be prevented from hitting the vlan 5 interface, yet systems attached directly to the switch containing the interface, and outside the allowed ip range, can still connect to the forbidden interface.

If anyone can help, I would greatly appreciate it. If there is more information I can provide, please let me know.

Labels:
0 Helpful
2 Replies 2

Georg Pauwen
VIP
VIP

‎09-28-2005 12:18 AM

Hello Anthony,

the logic of a VACL is that traffic that is not explicitly being enied, is not affected by the VACL. Therefore, you need another statement denying all other traffic. So, your VACL should look oike this:

vlan access-map Vlan_5_ACL 10

match ip address 5

action forward

!

vlan access-map Vlan_5_ACL 20

action drop

!

vlan filter Vlan_5_ACL vlan-list 5

Can you try and see if that works for you ?

Regards,

GP

0 Helpful

anthony.knoll
Level 1
Level 1
In response to Georg Pauwen

‎09-28-2005 05:59 AM

GP – Thanks for the quick reply, however this does not seem to be resolving the issue. Also, just on a note about your solution, here is an excerpt directly from the Cisco documentation

From: Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Relase 12.2SX – Chapter 36 – Configuring VLAN ACLS:

“If a flow does not match any ACL entry and at least one ACL is configured for that packet type, the packet is denied.”

An an example was:

Router# show ip access-lists net_10

Extended IP access list net_10

permit ip 10.0.0.0 0.255.255.255 any

Router# show ip access-lists any_host

Standard IP access list any_host

permit any

This example shows how to define and apply a VLAN access map to forward IP packets. In this example, IP traffic matching net_10 is forwarded and all other IP packets are dropped due to the default drop action. The map is applied to VLAN 12 to 16.

Router(config)# vlan access-map thor 10

Router(config-access-map)# match ip address net_10

Router(config-access-map)# action forward

Router(config-access-map)# exit

Router(config)# vlan filter thor vlan-list 12-16

So, you can see by this, according to Cisco, I should not need the additional access-map establishing a drop policy because it is supposed to be there by default. However, I did try adding one, but it did not change the results.

Now, something else weird on this subject, I tried changing my access list to an extend version, just to be more specific. I change it to this.

access-list 103 permit tcp 10.5.0.0 0.0.255.255 any

access-list 103 permit udp 10.5.0.0 0.0.255.255 any

with this applied via my access-map of

vlan access-map Vlan_5_ACL 10

match ip address 5

action forward

exit

vlan filter Vlan_5_ACL vlan-list 5

I can no longer get to the 10.5.1.1 interface from other switches connected to the 6509, or their subscribers, but I can still get their from users hanging directly off the 6509. I should be able to get their from other switches, because they are in the 10.5.x.x range, but can… and I should not be able to get their from the user on the 6509 because he is in a completely different subnet and vlan.

This makes no sense what so ever.

0 Helpful
Customers Also Viewed These Support Documents