05-28-2021 11:44 AM
Pretty straight forward network design. One "core" 3750 switch with multiple vlans trunked to many other 2960G switches with their ports assigned to the vlans they need to be in.
* vlan99 has a private range of 10.0.0.1/24 assigned to it.
* All other vlans have private or public ranges assigned to them.
* Only allow traffic from 200.0.0.72/29 to access the devices in vlan99.
I need to deny all traffic destined to hosts within vlan99 unless I permit access. This includes blocking traffic from other hosts in different vlans. In this case I'm trying to allow traffic from 200.0.0.72/29.
It seems like a VACL is the solution to my problem but I've been unable to make them work as I would expect. Here's what I have...
# Core Switch
vlan access-map vlan99 10
action forward
match ip address 99
vlan access-map vlan99 20
action drop
!
vlan filter vlan99 vlan-list 99
!
access-list 99 permit 200.0.0.72 0.0.0.7
So far this seems to block all traffic, even from the range I think I allowed.
05-28-2021 12:16 PM
Is there a reason why you are using a VACL rather than a regular extended access list applied with access-group? That seems to me to be more straightforward and would accomplish the filtering that you describe.
05-28-2021 12:23 PM
Hi Richard,
Are you meaning to assign an ACL to vlan99 like 'ip access-group 101 in'?
I did do that and although it did seem to filter traffic, what I noticed was when doing a simple ping to one of the devices the response I received was "filtered". I'd prefer the response to be the same as if the device was not connected.
05-28-2021 12:52 PM
Yes I am suggesting an extended access list applied with access-group. Whether it is applied in or out depends on how you configure the access list. Given the little that we know about your environment and given this statement of requirements "Only allow traffic from 200.0.0.72/29 to access the devices in vlan99." it seems to me to be preferable to assign it as out, but in could certainly work assigned as in. It might look something like this
! /29 source block: wildcard mask is 0.0.0.7 (0.0.0.248 is not a valid contiguous wildcard for a /29)
access-list 101 permit ip 200.0.0.72 0.0.0.7 10.0.0.0 0.0.0.255
interface vlan 99
ip access-group 101 out
I am not clear what you are saying about ping and about filtering. Was the ping sourced from 200.0.0.72 subnet or sourced from somewhere else? Can you help me understand this better?
This also makes me think about another aspect of this discussion. Your requirement was a restriction on what addresses could access 10.0.0.0/24. Do you want 10.0.0.0/24 to be able to access other subnets? What I have suggested would not do that.
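Added example (not from either poster, and not Cisco's code): a small IOS-style wildcard-mask matcher that checks the two ACLs discussed above, the standard ACL 99 used by the VACL and the extended ACL 101 applied with access-group. It derives the wildcard for 200.0.0.72/29, verifies a wildcard is contiguous (a typo such as 0.0.0.248 silently matches unrelated addresses), and evaluates sample source/destination pairs against the ACE list including the implicit deny. The ACE text format parsed here is a simplified subset of IOS syntax (permit/deny, ip, address+wildcard, host, any) chosen for the example.

```python
import ipaddress
from dataclasses import dataclass

def cidr_to_wildcard(prefix: str) -> str:
    """IOS wildcard mask for a CIDR prefix, e.g. 200.0.0.72/29 -> 0.0.0.7."""
    net = ipaddress.ip_network(prefix, strict=False)
    return str(ipaddress.ip_address(int(net.hostmask)))

def wildcard_is_contiguous(wildcard: str) -> bool:
    """True when the 'don't care' bits form one run at the low end (0.0.0.7 yes, 0.0.0.248 no)."""
    w = int(ipaddress.ip_address(wildcard))
    return (w & (w + 1)) == 0

def matches(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: bits set in the wildcard are ignored in the comparison."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (b & ~w)

@dataclass
class Ace:
    action: str      # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str

def _addr_pair(tokens: list) -> tuple:
    """Consume 'any', 'host A', or 'A WILDCARD' from the front of the token list."""
    if tokens[0] == "any":
        del tokens[0]
        return "0.0.0.0", "255.255.255.255"
    if tokens[0] == "host":
        host = tokens[1]
        del tokens[:2]
        return host, "0.0.0.0"
    base, wc = tokens[0], tokens[1]
    del tokens[:2]
    return base, wc

def parse_ace(line: str) -> Ace:
    """Parse a simplified ACE: '<permit|deny> ip <src> <dst>' or a standard '<permit|deny> <src>'."""
    tokens = line.replace("access-list", "").split()
    if tokens and tokens[0].isdigit():          # numbered form: drop the list number
        del tokens[0]
    action = tokens.pop(0)
    if tokens and tokens[0] == "ip":             # extended ACE
        del tokens[0]
        src, src_wc = _addr_pair(tokens)
        dst, dst_wc = _addr_pair(tokens)
    else:                                        # standard ACE: source only, any destination
        src, src_wc = _addr_pair(tokens)
        dst, dst_wc = "0.0.0.0", "255.255.255.255"
    return Ace(action, src, src_wc, dst, dst_wc)

def evaluate(acl: list, src: str, dst: str) -> str:
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if matches(src, ace.src, ace.src_wc) and matches(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"

# ACLs taken from the thread (constructed here as text for the parser)
ACL_99 = [parse_ace("access-list 99 permit 200.0.0.72 0.0.0.7")]
ACL_101 = [parse_ace("access-list 101 permit ip 200.0.0.72 0.0.0.7 10.0.0.0 0.0.0.255")]

if __name__ == "__main__":
    print(cidr_to_wildcard("200.0.0.72/29"))                      # 0.0.0.7
    print(wildcard_is_contiguous("0.0.0.248"))                    # False
    print(evaluate(ACL_101, "200.0.0.75", "10.0.0.120"))          # permit
    print(evaluate(ACL_101, "200.0.0.171", "10.0.0.120"))         # deny
```

Running `matches("200.0.0.16", "200.0.0.72", "0.0.0.248")` returns True while the same check with 0.0.0.7 returns False, which is why a wildcard that fails `wildcard_is_contiguous` deserves a second look before it goes on a production switch.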
05-28-2021 01:10 PM
This is what I'm talking about when doing that. Maybe it's not that big of a deal, but to me that response shows that a host does live there, and I don't like that.
# Config
interface Vlan99
ip address 10.0.0.1 255.255.255.0
ip access-group vlan99-out out
!
ip access-list extended vlan99-out
permit ip 200.0.0.72 0.0.0.7 any
deny ip any any log
!
# ping output using ping on a Linux machine, first reply is without the acl, second is the response after it's been applied.
64 bytes from 10.0.0.120: icmp_seq=1440 ttl=254 time=0.897 ms
From 200.0.0.171 icmp_seq=1441 Packet filtered
From 200.0.0.171 icmp_seq=1442 Packet filtered
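Added example (not part of the thread): a parser for Linux ping output that tells a real echo reply apart from an ICMP error such as "Packet filtered", and lists which address sent the error. The sample lines are constructed from the output quoted above; a "Packet filtered" line whose sender differs from the ping target is the router's own interface answering with an ICMP unreachable, which is the behaviour the "no ip unreachables" suggestion later in the thread is meant to suppress.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Linux ping line shapes seen in the thread (a timeout produces no line at all)
REPLY = re.compile(
    r"^\d+ bytes from (?P<addr>[\d.]+): icmp_seq=(?P<seq>\d+) ttl=(?P<ttl>\d+) time=(?P<time>[\d.]+) ms$"
)
ERROR = re.compile(r"^From (?P<addr>[\d.]+) icmp_seq=(?P<seq>\d+) (?P<reason>.+)$")

@dataclass
class PingEvent:
    seq: int
    kind: str        # "reply" or "error"
    responder: str   # address that answered
    detail: str      # ttl for replies, ICMP error text for errors

def parse_ping_line(line: str) -> Optional[PingEvent]:
    """Return a PingEvent for a reply or error line, None for anything else."""
    m = REPLY.match(line.strip())
    if m:
        return PingEvent(int(m["seq"]), "reply", m["addr"], m["ttl"])
    m = ERROR.match(line.strip())
    if m:
        return PingEvent(int(m["seq"]), "error", m["addr"], m["reason"])
    return None

def parse_ping_output(text: str) -> List[PingEvent]:
    return [ev for ev in (parse_ping_line(l) for l in text.splitlines()) if ev]

def filtering_hops(events: List[PingEvent], target: str) -> List[str]:
    """Addresses other than the target that answered with 'Packet filtered'."""
    return sorted({e.responder for e in events
                   if e.kind == "error" and e.detail == "Packet filtered" and e.responder != target})

# Constructed sample: the three lines quoted in the thread
SAMPLE = """\
64 bytes from 10.0.0.120: icmp_seq=1440 ttl=254 time=0.897 ms
From 200.0.0.171 icmp_seq=1441 Packet filtered
From 200.0.0.171 icmp_seq=1442 Packet filtered
"""

if __name__ == "__main__":
    events = parse_ping_output(SAMPLE)
    print(filtering_hops(events, "10.0.0.120"))   # ['200.0.0.171']
```

A host that is genuinely absent produces timeouts (no line), so a monitoring script that sees entries in `filtering_hops` knows an ACL, not the host, generated the response.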
05-28-2021 01:53 PM
Thanks for the additional information. What IP address is the source of this ping? What is 200.0.0.171? To deal with notifications try this
interface vlan 99
! the IOS keyword is plural: suppresses ICMP unreachables sent from this interface
no ip unreachables
05-28-2021 02:49 PM
200.0.0.171 is the primary IP assigned to the vlan that the Linux machine is pinging from.
The source of the ping is a secondary IP range assigned to the same vlan that the Linux machine is pinging from. The Linux machine is getting its IP from that secondary range.
no ip unreachable on vlan99 doesn't change anything.
05-28-2021 03:56 PM
Without more context the IP information is not as helpful as I had thought it might be. Surprised that no ip unreachable did not change anything. Perhaps needs to be applied on the interface which is used to reach 200.0.0.171 rather than on the vlan 99 interface.