
VLAN filtering not working as expected

bill.morton
Level 1

I am trying to kill off some NETBIOS traffic within a VLAN with a VLAN filter map so it doesn't keep filling up my logs when it fails against the inbound ACL on the VLAN interface, but it is not working as I expect it to (and my other VLAN filter maps are).

I am working with VLAN 4, so I have:

interface Vlan4
 description Console and Management Traffic
 ip address 172.17.0.97 255.255.255.224
 ip access-group Console_NetIn in
 ip access-group Console_NetOut out
end

My IP Access-list:

Extended IP access list NetBiosMap
    10 permit udp host 172.17.0.98 host 172.17.0.127 range 127 128
    20 permit udp host 172.17.0.98 eq 127 any
    30 permit udp host 172.17.0.98 eq 128 any

My Vlan Access-map:

vlan access-map Filter_VL4 10
 action drop
 match ip address NetBiosMap
vlan access-map Filter_VL4 20
 action forward

Applied:

vlan filter Filter_VL4 vlan-list 4

Verify:

VLAN Map Filter_VL4 is filtering VLANs:
  4

--------------- but -----------

I keep getting:

Feb 4 13:56:34: %SEC-6-IPACCESSLOGP: list Console_NetIn denied udp 172.17.0.98(138) -> 172.17.0.127(138), 1 packet

ARGH! Help?


I think that that is what I have already done ... it is very similar to this: http://www.cisco.com/en/US/docs/switches/metro/catalyst3750m/software/release/12.2_46_se/configuration/guide/swacl.html#wp1082532

vlan access-map Filter_VL4 10
 action drop
 match ip address NetBiosMap
vlan access-map Filter_VL4 20
 action forward

My first access-map statement matches the traffic I want to drop, the second access-map statement passes everything else.
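
An added example, not code from the thread or from Cisco: a small Python check that evaluates the packet in the posted %SEC-6-IPACCESSLOGP line against the NetBiosMap entries exactly as posted, to see which sequence number, if any, would match it. The parser covers only the `host`/`any`, `eq` and `range` forms used in this thread, and all function names are illustrative.

```python
import re

# ACL entries exactly as posted in the thread (NetBiosMap).
ACL = """\
10 permit udp host 172.17.0.98 host 172.17.0.127 range 127 128
20 permit udp host 172.17.0.98 eq 127 any
30 permit udp host 172.17.0.98 eq 128 any
"""
# Syslog line exactly as posted in the thread.
LOG = ("Feb 4 13:56:34: %SEC-6-IPACCESSLOGP: list Console_NetIn denied udp "
       "172.17.0.98(138) -> 172.17.0.127(138), 1 packet")

def _endpoint(tok):
    """Consume 'host A.B.C.D' or 'any', then an optional 'eq N' / 'range LO HI'."""
    addr = tok.pop(0)
    if addr == "host":
        addr = tok.pop(0)
    ports = None  # None means the entry does not restrict the port
    if tok and tok[0] == "eq":
        ports = (int(tok[1]), int(tok[1]))
        del tok[:2]
    elif tok and tok[0] == "range":
        ports = (int(tok[1]), int(tok[2]))
        del tok[:3]
    return addr, ports

def parse_acl(text):
    """Return (seq, action, proto, src, dst) for each numbered ACL entry."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        seq, action, proto, rest = int(tok[0]), tok[1], tok[2], tok[3:]
        src = _endpoint(rest)   # source address and source port
        dst = _endpoint(rest)   # destination address and destination port
        entries.append((seq, action, proto, src, dst))
    return entries

def parse_log(line):
    """Extract protocol and (ip, port) pairs from an IPACCESSLOGP message."""
    m = re.search(r"(\w+) ([\d.]+)\((\d+)\) -> ([\d.]+)\((\d+)\)", line)
    proto, sip, sport, dip, dport = m.groups()
    return proto, (sip, int(sport)), (dip, int(dport))

def _hit(rule, actual):
    (addr, ports), (ip, port) = rule, actual
    return addr in ("any", ip) and (ports is None or ports[0] <= port <= ports[1])

def matching_entries(acl_text, log_line):
    """Sequence numbers of ACL entries that match the logged packet."""
    proto, src, dst = parse_log(log_line)
    return [seq for seq, _, p, s, d in parse_acl(acl_text)
            if p == proto and _hit(s, src) and _hit(d, dst)]

if __name__ == "__main__":
    print("matching sequence numbers:", matching_entries(ACL, LOG) or "none")
```

With the values posted above it reports no matching entry: the NetBiosMap entries cover UDP ports 127 and 128, while the logged packet uses port 138 on both sides. A packet that misses sequence 10 is handled by sequence 20 (forward) and then reaches the Console_NetIn ACL that produced the log line.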
