Beginner

Question about VACL - Catalyst 3650

Hoping someone can help out with this. I've been asked to create a VACL and apply it on a Catalyst 3650 switch port serving a PDQ device. The objectives of the VACL are to prevent network traffic to other devices on the same VLAN/network but allow traffic to the local DHCP, DNS and an external endpoint.

Find below what I've come up with so far. The PDQs are on the 10.10.67.0/24 network and the gateway address is 10.10.67.254. The DNS server is shown as xxx.xxx.xx.xxx. The external endpoint IP has been shown below as 'any' as I'm still waiting for this information.

The below works on my test setup, but when it is deployed to a production PDQ I've received some reports of the PDQ losing connection to the network. A reset of the PDQ gets the device working again.

Suggestions and guidance on next steps welcome.

Thanks, Simon

vlan access-map BLOCKPED 10
 action forward
 match ip address 100
!
vlan filter BLOCKPED vlan-list xxx
!
! ACL 100 referenced by the map, entered in named mode so the
! sequence numbers are kept.
ip access-list extended 100
 remark gateway <-> PDQ subnet
 10 permit ip host 10.10.67.254 10.10.67.0 0.0.0.255
 20 permit ip 10.10.67.0 0.0.0.255 host 10.10.67.254
 remark DHCP in both directions
 30 permit udp any any eq bootps
 40 permit udp any any eq bootpc
 remark DNS queries to the resolver pair; replies are sourced from port 53,
 remark so the return entries match it as the source port
 50 permit udp 10.10.67.0 0.0.0.255 xxx.xxx.xx.xxx 0.0.0.1 eq domain
 55 permit udp xxx.xxx.xx.xx 0.0.0.1 eq domain 10.10.67.0 0.0.0.255
 60 permit tcp 10.10.67.0 0.0.0.255 xxx.xxx.xx.xx 0.0.0.1 eq domain
 65 permit tcp xxx.xxx.xx.xx 0.0.0.1 eq domain 10.10.67.0 0.0.0.255
 70 permit udp any any eq ntp
 remark 80 and 90 match every packet to or from the subnet, so the map's
 remark single forward action applies to all of it and nothing is dropped
 80 permit ip any 10.10.67.0 0.0.0.255
 90 permit ip 10.10.67.0 0.0.0.255 any

5 REPLIES
VIP Advisor

Re: Question about VACL - Catalyst 3650

Hi,

Are you using HSRP for VLAN 10?

Beginner

Re: Question about VACL - Catalyst 3650

No, I wasn't planning to

Re: Question about VACL - Catalyst 3650

Hi Simon

I’m OK ta, hope you are good?

Re: the VACL thing, I’ve not had cause to use them really… however what I’d say is that you have these two lines at the end:

80 permit ip any 10.10.67.0 0.0.0.255
90 permit ip 10.10.67.0 0.0.0.255 any

… which essentially allow anything… so if something is being blocked it must be something fairly odd, e.g. something sourced from an IP other than 10.10.67.x, which seems unlikely...

So I’d think two things first:

- Does it work without a VACL at all? E.g. is this a new PDQ, and does it work reliably without any VACL? You might be chasing your tail if this has not been verified.

- I would set up a final permit any any entry in the VACL, and get it to log… With a normal IP ACL you just pop ‘log’ on the end; there may be more steps required for a VACL.

In theory you should see some log entries that will clue you in shortly before it dies…

Regards

Aaron
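For a VLAN map to do what the question asks (allow gateway, DHCP, DNS and off-subnet traffic, drop everything else between hosts on the PDQ subnet), the intra-VLAN traffic needs its own map sequence with action drop, placed after the sequence that forwards the permitted flows and before a catch-all forward. The configuration below is an added example written for this thread, not configuration posted by anyone in it; it keeps the placeholder DNS address and VLAN number from the question, and the ACL and map names are my own. Three caveats a practitioner should keep in mind: a VLAN map is applied with vlan filter to every port in the VLAN, not to a single switch port; a map whose match clauses are all IP ACLs forwards non-IP frames such as ARP unfiltered, so hosts on the subnet can still resolve each other's MAC addresses even though their IP traffic is dropped; and VLAN maps cannot log, so dropped packets have to be found with a SPAN session rather than from syslog.

```cisco
! Flows that must always work: gateway, DHCP, DNS, NTP. Sequence 10 matches
! these first, so it does not matter whether the DHCP or DNS server sits on
! the PDQ subnet or elsewhere.
! DHCP DISCOVER/REQUEST are sent from 0.0.0.0 to 255.255.255.255, so the
! DHCP entries cannot restrict the source to 10.10.67.0/24.
ip access-list extended PDQ-ALLOW
 remark default gateway (SVI or router on 10.10.67.254)
 permit ip 10.10.67.0 0.0.0.255 host 10.10.67.254
 permit ip host 10.10.67.254 10.10.67.0 0.0.0.255
 remark DHCP client <-> server, both directions
 permit udp any eq bootpc any eq bootps
 permit udp any eq bootps any eq bootpc
 remark DNS resolver pair (placeholder address copied from the question);
 remark replies are sourced from port 53, so the return entries match source port
 permit udp 10.10.67.0 0.0.0.255 xxx.xxx.xx.xxx 0.0.0.1 eq domain
 permit udp xxx.xxx.xx.xxx 0.0.0.1 eq domain 10.10.67.0 0.0.0.255
 permit tcp 10.10.67.0 0.0.0.255 xxx.xxx.xx.xxx 0.0.0.1 eq domain
 permit tcp xxx.xxx.xx.xxx 0.0.0.1 eq domain 10.10.67.0 0.0.0.255
 remark NTP
 permit udp 10.10.67.0 0.0.0.255 any eq ntp
 permit udp any eq ntp 10.10.67.0 0.0.0.255
!
! Anything else exchanged between two hosts on the PDQ subnet.
ip access-list extended PDQ-INTRA-VLAN
 permit ip 10.10.67.0 0.0.0.255 10.10.67.0 0.0.0.255
!
! Map sequences are evaluated in order and the first match wins.
vlan access-map PDQ-ISOLATE 10
 match ip address PDQ-ALLOW
 action forward
vlan access-map PDQ-ISOLATE 20
 match ip address PDQ-INTRA-VLAN
 action drop
! No match clause here, so every IP packet that reached this sequence
! (PDQ <-> off-subnet endpoint via the gateway) is forwarded. Without
! this sequence the map's implicit default would drop it.
vlan access-map PDQ-ISOLATE 30
 action forward
!
! Placeholder VLAN number kept from the question.
vlan filter PDQ-ISOLATE vlan-list xxx
```

When the external endpoint address is known, it can be added to PDQ-ALLOW, but it is not required for the map to work: off-subnet traffic never matches PDQ-INTRA-VLAN and falls through to sequence 30. Check the result with show vlan access-map PDQ-ISOLATE and show vlan filter, and watch the PDQ's DHCP renewal on a SPAN session, since a lease renewal that fails silently is exactly the kind of drop a VLAN map cannot log.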
Beginner

Re: Question about VACL - Catalyst 3650

Thanks Aaron for your help here.

I've proceeded to apply the new VLAN to one PDQ without an access list and, for another, I've simplified the access list considerably. I'm also using port mirroring / Wireshark to monitor network traffic to the PDQ with the access list. Hopefully this will highlight what traffic is being blocked.

In the article that you sent through I found that:

Logging is not supported for VLAN maps.

I also found the text below in the article, which prompted a re-think of the access lists:

"Avoid including Layer 4 information in an ACL; adding this information complicates the merging process. The best merge results are obtained if the ACLs are filtered based on IP addresses (source and destination) and not on the full flow (source IP address, destination IP address, protocol, and protocol ports). It is also helpful to use don’t care bits in the IP address, whenever possible"

I'll provide an update in the New Year.

Simon

VIP Advisor

Re: Question about VACL - Catalyst 3650

Hello

@Simon Roberts wrote:

Hoping someone can help out with this. I've been asked to create a VACL and apply it on a Catalyst 3650 switch port serving a PDQ device. The objectives of the VACL are to prevent network traffic to other devices on the same VLAN/network but allow traffic to the local DHCP, DNS and an external endpoint.

The simplistic solution would be to make each port a protected port, but don't apply it to any local DHCP or DNS server ports.

This will negate communication between each protected port in the same VLAN and allow communication to any unprotected port.

interface x/x
 switchport protected

 

kind regards
Paul
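Paul's suggestion as a complete example, added here and not taken from his post; the interface numbers are placeholders and the access VLAN 67 is assumed for illustration (the question only gives the subnet, not the VLAN number). The caveat that decides whether this replaces the VACL: switchport protected isolates protected ports only from each other on the same switch. Two protected ports on different switches in the same VLAN still reach each other across the trunk, so this works when every PDQ on the VLAN hangs off one switch; for several switches the equivalent is a private VLAN, which is not shown here. Ports for the gateway, the DHCP/DNS servers and the uplink are left unprotected, so every PDQ can still reach them.

```cisco
! PDQ-facing access ports: protected, so they cannot exchange unicast,
! multicast or broadcast frames with each other on this switch.
interface range GigabitEthernet1/0/1 - 8
 description PDQ terminal (assumed port range)
 switchport mode access
 switchport access vlan 67
 switchport protected
!
! Server-facing port: deliberately NOT protected, so protected ports
! can still talk to it (DHCP, DNS).
interface GigabitEthernet1/0/24
 description local DHCP/DNS server (assumed port)
 switchport mode access
 switchport access vlan 67
!
! The uplink towards the gateway stays unprotected as well.
interface GigabitEthernet1/1/1
 description uplink (assumed port)
 switchport mode trunk
!
! Verification: the switchport section of the interface shows
! "Protected: true" once the command has taken effect.
! show interfaces GigabitEthernet1/0/1 switchport | include Protected
```

Unlike the VLAN map, a protected port blocks at Layer 2, so ARP between two PDQs is blocked as well as IP, and it carries no ACL so there is nothing to merge into TCAM. The trade-off is the single-switch scope above and the loss of any per-protocol control: a protected port cannot, for example, allow DNS between two PDQ ports while dropping everything else.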