09-14-2011 02:44 AM
Dear All,
I want to filter traffic (TCP, IP, ICMP, etc.) from one VLAN segment to another VLAN segment for a particular IP address to IP address.
I have done the following configuration, but I am not able to ping any of the IP addresses of VLAN 4 from the other VLAN.
access-list 102 deny ip host x.x.126.19 host x.x.124.11
access-list 102 permit ip any any
vlan access-map test1 10
action drop
match ip address 102
vlan access-map test1 20
action forward
match ip address 102
vlan filter test1 vlan-list 4
interface Vlan2
description ## SECURE DMZ ##
ip address x.x.126.1 255.255.255.0
no ip proxy-arp
ntp disable
standby 2 ip x.x.126.3
standby 2 priority 110
standby 2 preempt
!
interface Vlan3
description ## NOC DMZ ##
ip address x.x.127.1 255.255.255.0
no ip proxy-arp
ntp disable
standby 3 ip x.x.127.4
standby 3 priority 110
standby 3 preempt
!
interface Vlan4
description ## WEB DMZ ##
ip address x.x.124.1 255.255.255.0
no ip proxy-arp
ntp disable
standby 4 ip x.x.124.9
standby 4 priority 110
standby 4 preempt
Please help in this regard.
Regards,
Sashi
09-19-2011 11:58 PM
Hi ,
Please do the following changes.
vlan filter test1 vlan-list 2 and not "4", as the source of the packet is VLAN 2.
Also please change the access-list 102 as below.
access-list 102 permit ip host 10.179.126.19 host 10.179.124.11 and not deny.
Route map behaviour is that of an Ex-OR gate in digital circuits.
In your access-map, what you are doing is that you are denying the communication using the "deny" statement in ACL 102, and in the class map your action drop is negating the "deny" clause in ACL 102.
Configuration:
1) ACL 102:
access-list 102 permit ip host 10.179.126.19 host 10.179.124.11
2) Access-map:
vlan access-map test1 10
action drop
match ip address 102
vlan access-map test1 20
action forward
3) vlan filter test1 vlan-list 2
Please rate if this helps.
Ameya
09-19-2011 04:06 AM
Can anybody help me out in this regard, please?
09-19-2011 04:53 AM
Hi ,
Your Vlan access-map is faulty.
Reason:
vlan access-map test1 10
action drop
match ip address 102 : What this means is drop anything in 102.
Solution: Step1
Modify 102:
access-list 102 deny ip host x.x.126.19 host x.x.124.11
access-list 102 permit ip any any (remove this; keep only statement 1)
Step2:
Modify access-map:
vlan access-map test1 10
action drop
match ip address 102
vlan access-map test1 20
action forward
Please rate if helpful.
Ameya
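The two answers in this thread (this one and the accepted solution) turn on how a VLAN access-map reads the ACL named in its match clause. The following Python model is an added example, not configuration or code from the thread or from Cisco; it encodes the documented VACL rules: a "permit" entry in the match ACL selects the packet for that sequence's action, a "deny" entry (or the ACL's implicit deny at the end) means the sequence simply does not match, sequences are tried in order and the first match decides, and a packet that matches no sequence is dropped. It then evaluates the three configurations that appear in the thread, using the two host addresses from the thread plus one constructed third host. The model ignores protocol fields and wildcard masks; the names and the third address are my own.

```python
"""Toy model of Cisco VLAN access-map (VACL) evaluation.

Added example, not configuration or code from the thread. Assumptions are the
documented VACL rules: ACL "permit" = sequence matches, ACL "deny" or the
implicit deny = sequence does not match, first matching sequence wins, and a
packet that matches no sequence is dropped. Addresses: the two hosts from the
thread plus one constructed third host; protocol and masks are not modelled.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AclEntry:
    action: str   # "permit" or "deny"
    src: str      # host address or "any"
    dst: str      # host address or "any"

    def matches(self, src: str, dst: str) -> bool:
        return self.src in ("any", src) and self.dst in ("any", dst)


def acl_result(entries: List[AclEntry], src: str, dst: str) -> str:
    """First-match ACL lookup with the implicit 'deny' at the end."""
    for e in entries:
        if e.matches(src, dst):
            return e.action
    return "deny"


@dataclass
class MapSeq:
    action: str                                  # "drop" or "forward"
    match_acl: Optional[List[AclEntry]] = None   # None = no match clause = matches all


def vacl_verdict(seqs: List[MapSeq], src: str, dst: str) -> str:
    """Return 'drop' or 'forward' for a packet src->dst seen on the filtered VLAN."""
    for s in seqs:
        if s.match_acl is None or acl_result(s.match_acl, src, dst) == "permit":
            return s.action
    return "drop"   # no sequence matched: VACL implicit drop


SECURE_HOST = "10.179.126.19"   # VLAN 2 host from the thread
WEB_HOST = "10.179.124.11"      # VLAN 4 host from the thread
OTHER_HOST = "10.179.126.50"    # constructed third host in VLAN 2

# 1. Original post: ACL 102 denies the pair and permits everything else;
#    both sequence 10 (drop) and sequence 20 (forward) match on ACL 102.
ORIGINAL = [
    MapSeq("drop", [AclEntry("deny", SECURE_HOST, WEB_HOST), AclEntry("permit", "any", "any")]),
    MapSeq("forward", [AclEntry("deny", SECURE_HOST, WEB_HOST), AclEntry("permit", "any", "any")]),
]

# 2. First answer: ACL 102 keeps only the deny line, so it never permits anything;
#    sequence 20 forwards unconditionally.
DENY_ONLY = [
    MapSeq("drop", [AclEntry("deny", SECURE_HOST, WEB_HOST)]),
    MapSeq("forward"),
]

# 3. Accepted solution: ACL 102 permits exactly the pair that should be blocked.
ACCEPTED = [
    MapSeq("drop", [AclEntry("permit", SECURE_HOST, WEB_HOST)]),
    MapSeq("forward"),
]


def verdicts(seqs: List[MapSeq]) -> Tuple[str, str]:
    """Verdict for the pair to block and for an unrelated host, as a tuple."""
    return (vacl_verdict(seqs, SECURE_HOST, WEB_HOST),
            vacl_verdict(seqs, OTHER_HOST, WEB_HOST))


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("deny-only", DENY_ONLY), ("accepted", ACCEPTED)):
        blocked, other = verdicts(cfg)
        print(f"{name:10s} {SECURE_HOST}->{WEB_HOST}: {blocked:8s} "
              f"{OTHER_HOST}->{WEB_HOST}: {other}")
```

Running it reproduces the thread: the original configuration drops every packet (the blocked pair matches no sequence and everything else matches the drop sequence), the deny-only ACL matches nothing so the map forwards everything including the pair meant to be blocked, and the accepted configuration drops only that pair. Two practical checks follow from the model: always finish a VACL with an unconditional forward sequence unless a default drop is intended, and apply the filter on the VLAN where the source host lives, since this map only sees traffic on the VLAN it is attached to and does not filter the reverse direction on VLAN 4.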
09-19-2011 10:48 PM
Dear Ameya,
Thanks a lot for replying to me. I have done the same configuration as per your suggestion, but still the same issue.
Below are the changes made in the switch:
access-list 102 deny ip host 10.179.126.19 host 10.179.124.11
vlan access-map test1 10
action drop
match ip address 102
vlan access-map test1 20
action forward
Kindly let me know if anything needs to be added or modified.
Note: This filter is between two VLANS.
VLAN 2 :ip address x.x.126.1 255.255.255.0
VLAN 4 :ip address x.x.124.1 255.255.255.0
Regards,
Sashi
09-20-2011 01:47 AM
Dear Ameya,
I have made changes accordingly as per your suggestion. Now it's working.
Thanks a lot.
Regards
Sashi