vacl configuration doesn't drop traffic.

bruce.porter
Level 1

I have two 6513 routers running IOS ver 12.2(18)SXD5. There are two lab environments connected via HSRP to these two machines. I need to separate these two environments. They consist of VLANs with HSRP on these two routers and subnets on other routers connected to these two routers.

The VACLs below should permit the subnets associated with the VLANs in one of these environments (SIT), and the other routed subnets in that environment, to talk to each other; but not the other environment. I applied it last night and it didn't drop any external subnets. Any ideas?

vlan access-map SIT_ISOLATION_map 10
 match ip address SIT_Isolation_in
 action forward
vlan access-map SIT_ISOLATION_map 20
 match ip address SIT_Isolation_out
 action forward
vlan access-map SIT_ISOLATION_map 30
 match ip address ip_any_any
 action drop
!
exit
vlan filter SIT_ISOLATION_map vlan-list 510-512,515

ip access-list extended SIT_Isolation_in
 remark *********************************
 remark *** permit only SIT and CTPS subnets to talk to SIT
 !
 remark *EIGRP
 permit eigrp any any
 !
 remark *metricsvr vlan 515
 permit ip x.x.202.0 0.0.0.255 any
 !
 remark *FA servers vlan 510
 permit ip x.x.116.0 0.0.0.255 any
 !
 remark *ASW servers and WSs vlan 511
 permit ip x.x.117.0 0.0.0.255 any
 !
 remark *FA WSs vlan 512
 permit ip x.x.118.0 0.0.0.255 any
 !
 remark *Routed link between Unclass_2 and FO 4506
 permit ip x.x.112.172 0.0.0.3 any
 !
 remark *FO hosts vlan 550
 permit ip x.x.122.0 0.0.0.255 any
 !
 remark *Link between Unclass_1 and Unclass_2 routers
 permit ip x.x.112.16 0.0.0.3 any
 !
 remark *Routed link between Unclass_1 and CTPS bswitch
 permit ip y.y.66.184 0.0.0.7 any
 !
 remark *CTPS hosts
 permit ip y.y.82.128 0.0.0.63 any
 !
 deny ip any any
 remark
 remark
 remark
exit

ip access-list extended SIT_Isolation_out
 remark **********************************
 remark *** permit only SIT and CTPS subnets to talk to SIT
 !
 remark *EIGRP
 permit eigrp any any
 !
 remark *metricsvr vlan 515
 permit ip any x.x.202.0 0.0.0.255
 !
 remark *FA servers vlan 510
 permit ip any x.x.116.0 0.0.0.255
 !
 remark *ASW servers and WSs vlan 511
 permit ip any x.x.117.0 0.0.0.255
 !
 remark *FA WSs vlan 512
 permit ip any x.x.118.0 0.0.0.255
 !
 remark *Routed link between Unclass_2 and FO 4506
 permit ip any x.x.112.172 0.0.0.3
 !
 remark *FO hosts vlan 550
 permit ip any x.x.122.0 0.0.0.255
 !
 remark *Link between Unclass_1 and Unclass_2 routers
 permit ip any x.x.112.16 0.0.0.3
 !
 remark *Routed link between Unclass_1 and CTPS bswitch
 permit ip any y.y.66.184 0.0.0.7
 !
 remark *CTPS hosts
 permit ip any y.y.82.128 0.0.0.63
 !
 deny ip any any
 remark
 remark
 remark
exit

ip access-list extended ip_any_any
 remark All IP addresses - use in ACL map drop statement
 permit ip any any
 deny ip any any
 remark


4 Replies

bhedlund
Level 4

Have you tried VACL logging?

Thanks for the FB. I looked at the description of vacl logging but it only logged dropped packets and I never dropped any. I also looked at debugs but they only seemed to show when you modified a vacl. This is the link I got when I put in a TAC. It is a pretty good description although it doesn't give an example showing a filter being applied to a range of vlans.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080160a7e.html

Hopefully the Cisco TAC engineer will be replying to this thread.

bhedlund
Level 4
(Accepted Solution)

True, logging forwarded traffic is not an option.

However, you can capture forwarded traffic with 'action forward capture'.

Set up an available port on the switch as a capture port, connect a sniffer to it, and you will see all the packets matching your first two sequences.

This will show you one of two things:

1) The VACL is not working at all, i.e. not forwarding or dropping anything. This will be evident if your sniffer does not see any traffic.

2) The traffic you want to drop is actually being forwarded by the VACL.

Although it doesn't show the solution it does give you greater insight into the problem.

Thanks for responding to this problem, even though it was difficult to describe.

I took your advice and captured the forwarded traffic, after I had repaired some problems with HSRP and trunking. I was astonished to see traffic forwarded that I thought shouldn't be.

There was a configuration error that I fixed by making all the vlans in the isolated network talk only between themselves as shown below. Thanks again...

vlan access-map SIT_ISOLATION_map 10
 match ip address SIT_Isolation_in
 action forward
vlan access-map SIT_ISOLATION_map 20
 match ip address SIT_Isolation_out
 action forward
vlan access-map SIT_ISOLATION_map 30
 match ip address ip_any_any
 action drop
!
exit
vlan filter SIT_ISOLATION_map vlan-list 510-512,515

ip access-list extended SIT_Isolation_in
 remark *********************************
 remark *** permit only SIT and CTPS subnets to talk to SIT
 !
 remark **Let any vlans into and out of the NTP server
 permit udp X.X.0.0 0.0.255.255 host X.X.122.20 eq ntp
 permit udp Y.Y.0.0 0.0.255.255 host X.X.122.20 eq ntp
 permit ip host X.X.122.20 any
 !
 remark **Let HSRP and other multicasts work - both directions for any vlans
 permit ip X.X.0.0 0.0.255.255 224.0.0.0 0.255.255.255
 permit ip Y.Y.0.0 0.0.255.255 224.0.0.0 0.255.255.255
 permit ip 224.0.0.0 0.255.255.255 any
 !
 remark *metricsvr vlan 515
 permit ip X.X.202.0 0.0.0.255 X.X.202.0 0.0.0.255
 permit ip X.X.202.0 0.0.0.255 X.X.116.0 0.0.0.255
 permit ip X.X.202.0 0.0.0.255 X.X.117.0 0.0.0.255
 permit ip X.X.202.0 0.0.0.255 X.X.118.0 0.0.0.255
 permit ip X.X.202.0 0.0.0.255 X.X.112.172 0.0.0.3
 permit ip X.X.202.0 0.0.0.255 X.X.122.0 0.0.0.255
 permit ip X.X.202.0 0.0.0.255 X.X.112.16 0.0.0.3
 permit ip X.X.202.0 0.0.0.255 Y.Y.66.184 0.0.0.7
 permit ip X.X.202.0 0.0.0.255 Y.Y.82.128 0.0.0.63
 !
 etc...
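An offline way to run the check bhedlund describes, added here as an example and not part of the original thread: the Python below models how a VLAN access map evaluates a packet (the first sequence whose ACL permits the packet decides; a deny entry inside a match ACL only means "no match here, try the next sequence"; a packet matching no sequence is dropped) and feeds it both the first ACL set and the corrected one. It shows why the first version forwarded cross-environment traffic: on a SIT VLAN every packet has either a SIT source or a SIT destination, so "SIT subnet to any" in sequence 10 plus "any to SIT subnet" in sequence 20 together match every packet, and the drop in sequence 30 never fires. The x.x and y.y prefixes are redacted in the thread; the code assumes 10.10 and 10.20 for them and uses 10.30.0.0/16 as the other lab environment. The pairwise permit lines for the subnets beyond the 10.10.202.0 block the poster showed are extrapolated from that pattern, and the corrected inbound ACL is reused for sequence 20. All of those are assumptions of this example, not facts from the thread.

```python
"""Offline evaluator for Cisco-style VLAN access maps (VACLs).  Added example, not code
from the thread.  Modelled: a "deny" ACE inside a match ACL does not drop the packet, it
only means "this sequence does not match" and the next sequence is tried; a packet that
matches no sequence is dropped.  Assumed prefixes: x.x = 10.10, y.y = 10.20, other lab = 10.30."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"ntp": 123}
# dport=None means "any port"; proto "ip" means any IP protocol.
Packet = namedtuple("Packet", "proto src dst dport", defaults=(None,))

def _addr_matches(spec, addr):
    """spec is 'any', 'host A', or 'A WILDCARD' (Cisco inverse mask)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    base, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))    # 1 = bit must match
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def _take_addr(t, i):
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return f"host {t[i + 1]}", i + 2
    return f"{t[i]} {t[i + 1]}", i + 2

def parse_acl(text):
    """IOS extended-ACL lines -> (action, proto, src, dst, dport) tuples.
    'remark', '!', 'exit' and the 'ip access-list' header are ignored."""
    aces = []
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] in ("remark", "!", "exit", "ip"):
            continue
        src, i = _take_addr(t, 2)
        dst, i = _take_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append((t[0], t[1], src, dst, dport))
    return aces

def acl_permits(aces, pkt):
    """First matching ACE decides; no match is the ACL's implicit deny."""
    for action, proto, src, dst, dport in aces:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (_addr_matches(src, pkt.src) and _addr_matches(dst, pkt.dst)):
            continue
        if dport is not None and pkt.dport != dport:
            continue
        return action == "permit"
    return False

# The access map from the thread: sequences 10 and 20 forward, 30 drops.
SIT_ISOLATION_MAP = [(10, "SIT_Isolation_in", "forward"),
                     (20, "SIT_Isolation_out", "forward"),
                     (30, "ip_any_any", "drop")]

def vacl_action(access_map, acls, pkt):
    """(action, sequence) of the first sequence whose ACL permits pkt."""
    for seq, name, action in access_map:
        if acl_permits(acls[name], pkt):
            return action, seq
    return "drop", None       # matched no sequence: VACL implicit drop

# Subnets the thread allows to talk to SIT (x.x -> 10.10, y.y -> 10.20; assumed).
ALLOWED = ["10.10.202.0 0.0.0.255", "10.10.116.0 0.0.0.255", "10.10.117.0 0.0.0.255",
           "10.10.118.0 0.0.0.255", "10.10.112.172 0.0.0.3", "10.10.122.0 0.0.0.255",
           "10.10.112.16 0.0.0.3", "10.20.66.184 0.0.0.7", "10.20.82.128 0.0.0.63"]
ANY_ANY = parse_acl("permit ip any any")

def original_acls():
    """First posting: 'allowed subnet -> any' and 'any -> allowed subnet'."""
    inbound = "permit eigrp any any\n" + "\n".join(f"permit ip {s} any" for s in ALLOWED)
    outbound = "permit eigrp any any\n" + "\n".join(f"permit ip any {s}" for s in ALLOWED)
    return {"SIT_Isolation_in": parse_acl(inbound + "\ndeny ip any any"),
            "SIT_Isolation_out": parse_acl(outbound + "\ndeny ip any any"),
            "ip_any_any": ANY_ANY}

def corrected_acls():
    """The fix: NTP and multicast exceptions, then allowed-subnet pairs only.
    Pairs for every subnet extrapolate the 10.10.202.0 pattern the poster showed
    (the posting ends 'etc...'); the same ACL is reused for sequence 20 here."""
    head = ("permit udp 10.10.0.0 0.0.255.255 host 10.10.122.20 eq ntp\n"
            "permit udp 10.20.0.0 0.0.255.255 host 10.10.122.20 eq ntp\n"
            "permit ip host 10.10.122.20 any\n"
            "permit ip 10.10.0.0 0.0.255.255 224.0.0.0 0.255.255.255\n"
            "permit ip 10.20.0.0 0.0.255.255 224.0.0.0 0.255.255.255\n"
            "permit ip 224.0.0.0 0.255.255.255 any\n")
    pairs = "\n".join(f"permit ip {a} {b}" for a in ALLOWED for b in ALLOWED)
    acl = parse_acl(head + pairs)
    return {"SIT_Isolation_in": acl, "SIT_Isolation_out": acl, "ip_any_any": ANY_ANY}

def check(acls, pkt):
    """Just the VACL verdict for pkt: 'forward' or 'drop'."""
    return vacl_action(SIT_ISOLATION_MAP, acls, pkt)[0]
```

With the first ACL set, `vacl_action(SIT_ISOLATION_MAP, original_acls(), Packet("ip", "10.10.116.5", "10.30.1.9"))` returns `("forward", 10)` and the reverse direction returns `("forward", 20)`: the inbound ACL's `deny ip any any` does not drop the reply, it just hands evaluation to sequence 20, whose `permit ip any <SIT subnet>` forwards it. With `corrected_acls()` both directions fall through to sequence 30 and return `("drop", 30)`, while SIT-to-SIT, SIT-to-CTPS, EIGRP hellos to 224.0.0.10 and NTP from the assumed 10.10/10.20 ranges still forward. Running the same flows against your own ACL text with `parse_acl` before pushing the `vlan filter` is the cheap version of the capture-port check.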