09-27-2005 08:15 PM - edited 03-03-2019 12:11 AM
Hey All,
I am upgrading our entire network with new Cisco switches (upgrading from old Enterasys boxes) and currently have all my new switches in my lab for testing. I am just about complete but I am having an issue protecting my management vlan using acls and vacls on my new core switch (Cisco 6509).
I am using vlan 5 as my management vlan, using an interface of 10.5.x.x. I am attempting to use an acl or vacl to block all access to this vlan from any host other than other 10.5.x.x machines or my network team's addresses in the 10.202.69.x range. I have tried a regular acl on the vlan interface but that only blocked routed traffic and would let switched traffic in. So I moved on to vacls. My issue is that even while using a vacl, traffic from other vlans being switched and/or sometimes routed is still being allowed to hit that management interface. I think my problem is that I must not understand vacls very well. I am including the pertinent config below. Any help or ideas would be great.
---start config---
vlan access-map Vlan_5_ACL 10
match ip address 5
action forward
vlan filter Vlan_5_ACL vlan-list 5
int gi3/1
description port for system that can still ping vlan 5 interface from a 10.6.1.5 address
switchport
switchport mode access
switchport access vlan 6
int vlan 5
description interface for management vlan
ip address 10.5.1.1 255.255.0.0
no shutdown
int vlan 6
description default gateway for vlan 6
ip address 10.6.1.1 255.255.0.0
no shutdown
access-list 5 permit 10.5.0.0 0.0.255.255
access-list 5 permit 10.202.69.0 0.255.255.255
---end config---
Now from what I understand this vacl should be applied to all traffic entering the vlan via switching, and then to traffic entering via routing. Also, I only have an access-map for allowing the specified traffic since there is supposed to be an implied deny after all vacls. So, my understanding is that all traffic, routed or switched, should be prevented from hitting the vlan 5 interface, yet systems attached directly to the switch containing the interface, and outside the allowed ip range, can still connect to the forbidden interface.
If anyone can help, I would greatly appreciate it. If there is more information I can provide, please let me know.
09-28-2005 12:18 AM
Hello Anthony,
the logic of a VACL is that traffic that is not explicitly being denied is not affected by the VACL. Therefore, you need another statement denying all other traffic. So, your VACL should look like this:
vlan access-map Vlan_5_ACL 10
match ip address 5
action forward
!
vlan access-map Vlan_5_ACL 20
action drop
!
vlan filter Vlan_5_ACL vlan-list 5
Can you try and see if that works for you?
Regards,
GP
09-28-2005 05:59 AM
GP, thanks for the quick reply, however this does not seem to be resolving the issue. Also, just a note about your solution, here is an excerpt directly from the Cisco documentation.
From: Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SX, Chapter 36, Configuring VLAN ACLs:
If a flow does not match any ACL entry and at least one ACL is configured for that packet type, the packet is denied.
An example was:
Router# show ip access-lists net_10
Extended IP access list net_10
permit ip 10.0.0.0 0.255.255.255 any
Router# show ip access-lists any_host
Standard IP access list any_host
permit any
This example shows how to define and apply a VLAN access map to forward IP packets. In this example, IP traffic matching net_10 is forwarded and all other IP packets are dropped due to the default drop action. The map is applied to VLAN 12 to 16.
Router(config)# vlan access-map thor 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action forward
Router(config-access-map)# exit
Router(config)# vlan filter thor vlan-list 12-16
So, you can see by this, according to Cisco, I should not need the additional access-map establishing a drop policy because it is supposed to be there by default. However, I did try adding one, but it did not change the results.
Now, something else weird on this subject: I tried changing my access list to an extended version, just to be more specific. I changed it to this.
access-list 103 permit tcp 10.5.0.0 0.0.255.255 any
access-list 103 permit udp 10.5.0.0 0.0.255.255 any
with this applied via my access-map of
vlan access-map Vlan_5_ACL 10
match ip address 103
action forward
exit
vlan filter Vlan_5_ACL vlan-list 5
I can no longer get to the 10.5.1.1 interface from other switches connected to the 6509, or their subscribers, but I can still get there from users hanging directly off the 6509. I should be able to get there from other switches, because they are in the 10.5.x.x range, but can't, and I should not be able to get there from the user on the 6509 because he is in a completely different subnet and vlan.
This makes no sense whatsoever.
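Added example, not part of the thread and not Cisco software: a small Python model of IOS standard-ACL wildcard matching and VLAN access-map evaluation, using the default drop rule quoted from the 6500 configuration guide above. It takes access-list 5 exactly as posted in the first message and a second copy whose last wildcard is 0.0.0.255 (my assumption of what "the 10.202.69.x range" was meant to be), then evaluates a few constructed source addresses, including the 10.6.1.5 host on VLAN 6 from the posted config. The map, ACL and sample addresses are constructed for this demonstration.

```python
"""Model of IOS standard-ACL wildcard matching and VLAN access-map evaluation.
Added example for the thread above; it does not talk to a switch."""
import ipaddress


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(src: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match exactly,
    a 1 bit is "don't care" (the inverse of a subnet mask)."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(src) & care) == (_ip(base) & care)


def effective_network(base: str, wildcard: str):
    """CIDR block an ACL entry really covers, or None when the wildcard is
    non-contiguous (no single prefix then describes the match)."""
    wc = _ip(wildcard)
    if (wc + 1) & wc:  # contiguous wildcards are of the form 2**n - 1
        return None
    prefixlen = 32 - wc.bit_length()
    network = _ip(base) & ~wc & 0xFFFFFFFF
    return str(ipaddress.IPv4Network((network, prefixlen)))


def acl_action(acl, src: str):
    """Standard ACL: first matching entry decides; None when nothing matches."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return None


def vacl_verdict(access_map, src: str) -> str:
    """Evaluate a VLAN access-map for one IP flow by source address.
    access_map: list of (sequence, acl_or_None, action). Clauses are tried in
    sequence order; a clause whose ACL permits the source (or that has no
    match statement at all) applies its action. A flow matching no clause is
    dropped, per the default drop action quoted from the configuration guide."""
    for _, acl, action in sorted(access_map, key=lambda clause: clause[0]):
        if acl is None or acl_action(acl, src) == "permit":
            return action
    return "drop"


# access-list 5 as posted: note the second wildcard is 0.255.255.255
ACL5_AS_POSTED = [
    ("permit", "10.5.0.0", "0.0.255.255"),
    ("permit", "10.202.69.0", "0.255.255.255"),
]
# Same list with a /24 wildcard for 10.202.69.x (assumed intent, not from the post)
ACL5_INTENDED = [
    ("permit", "10.5.0.0", "0.0.255.255"),
    ("permit", "10.202.69.0", "0.0.0.255"),
]
MAP_AS_POSTED = [(10, ACL5_AS_POSTED, "forward")]
# Second map also carries the explicit "20 action drop" clause GP suggested
MAP_INTENDED = [(10, ACL5_INTENDED, "forward"), (20, None, "drop")]


def audit(access_map, sources):
    """Verdict per source address: {src: 'forward' | 'drop'}."""
    return {src: vacl_verdict(access_map, src) for src in sources}


if __name__ == "__main__":
    # constructed sample sources; 10.6.1.5 is the VLAN 6 host from the posted config
    samples = ["10.5.20.7", "10.202.69.40", "10.6.1.5", "192.168.1.9"]
    for name, acl in (("as posted", ACL5_AS_POSTED), ("intended", ACL5_INTENDED)):
        print(name, [effective_network(b, w) for _, b, w in acl])
    print("posted map:  ", audit(MAP_AS_POSTED, samples))
    print("intended map:", audit(MAP_INTENDED, samples))
```

Running it shows why `effective_network` is the check worth doing first: with wildcard 0.255.255.255 the second entry covers 10.0.0.0/8, so a 10.6.1.5 source is forwarded by the list itself, not because the VACL failed to apply. With the /24 wildcard the same source is dropped, with or without the explicit drop clause. The model only evaluates flows a VACL on VLAN 5 would actually inspect, that is traffic bridged within VLAN 5 or routed into or out of it; a packet from VLAN 6 addressed to the switch's own 10.5.1.1 is terminated on the route processor out of VLAN 6, so protecting a management address usually also needs a filter on the ingress VLANs or an access-class on the vty lines.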