Question about VACl - catalyst 3650

Simon Roberts
Level 1

Hoping someone can help out with this. I've been asked to create a VACL and apply it on a Catalyst 3650 switch port serving a PDQ device. The objectives of the VACL are to prevent network traffic to other devices on the same VLAN/network but allow traffic to the local DHCP, DNS and an external endpoint.

Find below what I've come up with so far. The PDQs are on the 10.10.67.0/24 network and the gateway address is 10.10.67.254. The DNS server is shown as xxx.xxx.xx.xxx. The external endpoint IP has been shown below as 'any' as I'm still waiting for this information.

The below works on my test setup, but when it is deployed to a production PDQ I've received some reports of the PDQ losing connection to the network. A reset of the PDQ gets the device working again.

Suggestions or guidance on next steps welcome.

thanks, Simon

vlan access-map BLOCKPED 10
 match ip address 100
 action forward
!
! xxx = VLAN number (redacted in the post)
vlan filter BLOCKPED vlan-list xxx
!
! ACL 100, referenced by the access-map above. xxx.xxx.xx.xx 0.0.0.1 is the
! redacted DNS server pair (two adjacent addresses, wildcard 0.0.0.1).
ip access-list extended 100
 10 permit ip host 10.10.67.254 10.10.67.0 0.0.0.255
 20 permit ip 10.10.67.0 0.0.0.255 host 10.10.67.254
 30 permit udp any any eq bootps
 40 permit udp any any eq bootpc
 50 permit udp 10.10.67.0 0.0.0.255 xxx.xxx.xx.xxx 0.0.0.1 eq domain
 55 permit udp xxx.xxx.xx.xx 0.0.0.1 10.10.67.0 0.0.0.255 eq domain
 60 permit tcp 10.10.67.0 0.0.0.255 xxx.xxx.xx.xx 0.0.0.1 eq domain
 65 permit tcp xxx.xxx.xx.xx 0.0.0.1 10.10.67.0 0.0.0.255 eq domain
 70 permit udp any any eq ntp
 80 permit ip any 10.10.67.0 0.0.0.255
 90 permit ip 10.10.67.0 0.0.0.255 any
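As an added worked example (not from the original post, nor Cisco's code), the following Python models first-match evaluation of IOS-style extended ACL entries behind a single VLAN map clause with `action forward` (permit match = forwarded, anything else = dropped at the end of the map), and runs the ACL above against a handful of constructed flows. The DNS server pair and the external endpoint are placeholders from the documentation ranges 192.0.2.0/24 and 203.0.113.0/24 standing in for the redacted values; all flow addresses and ports are constructed. It shows three things: entries 80 and 90 permit traffic between two PDQs on the VLAN, so the list as posted does not isolate them; entries 55 and 65 put `eq domain` after the destination address, i.e. on the destination port, so a DNS reply (source port 53, ephemeral destination port) is only passed by entry 80; and a tightened variant that drops the catch-alls and matches replies on the source port instead.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Flow:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Ace:
    seq: int
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every IP protocol
    src: str                      # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard)
    dst: str
    sport: Optional[int] = None   # "eq N" written after the source address
    dport: Optional[int] = None   # "eq N" written after the destination address


def _addr_matches(spec: str, addr: str) -> bool:
    """IOS address spec; wildcard 1-bits are don't-care bits."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.ip_address(parts[1]) == ipaddress.ip_address(addr)
    base, wildcard = (int(ipaddress.ip_address(p)) for p in parts)
    return (int(ipaddress.ip_address(addr)) & ~wildcard) == (base & ~wildcard)


def first_match(acl: list, flow: Flow) -> Optional[Ace]:
    """Lowest-sequence ACE matching the flow, or None (implicit deny)."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.proto not in ("ip", flow.proto):
            continue
        if not (_addr_matches(ace.src, flow.src) and _addr_matches(ace.dst, flow.dst)):
            continue
        if ace.sport is not None and ace.sport != flow.sport:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace
    return None


def vacl_verdict(acl: list, flow: Flow) -> str:
    """One map clause with 'action forward': forwarded only on a permit match."""
    ace = first_match(acl, flow)
    return "forward" if ace is not None and ace.action == "permit" else "drop"


GW = "10.10.67.254"
PDQ_NET = "10.10.67.0 0.0.0.255"
DNS_PAIR = "192.0.2.10 0.0.0.1"    # placeholder for the redacted xxx.xxx.xx.xx 0.0.0.1
EXTERNAL = "host 203.0.113.10"     # placeholder for the external endpoint still awaited

# ACL 100 as posted. Entries 55/65 test the destination port, so a DNS reply
# (source port 53) never matches them and only passes via catch-all entry 80.
POSTED_ACL = [
    Ace(10, "permit", "ip", f"host {GW}", PDQ_NET),
    Ace(20, "permit", "ip", PDQ_NET, f"host {GW}"),
    Ace(30, "permit", "udp", "any", "any", dport=67),         # bootps
    Ace(40, "permit", "udp", "any", "any", dport=68),         # bootpc
    Ace(50, "permit", "udp", PDQ_NET, DNS_PAIR, dport=53),
    Ace(55, "permit", "udp", DNS_PAIR, PDQ_NET, dport=53),
    Ace(60, "permit", "tcp", PDQ_NET, DNS_PAIR, dport=53),
    Ace(65, "permit", "tcp", DNS_PAIR, PDQ_NET, dport=53),
    Ace(70, "permit", "udp", "any", "any", dport=123),        # ntp
    Ace(80, "permit", "ip", "any", PDQ_NET),                  # catch-all into the subnet
    Ace(90, "permit", "ip", PDQ_NET, "any"),                  # catch-all out of the subnet
]
# Only the two catch-alls removed: DNS replies are now dropped.
POSTED_WITHOUT_CATCHALL = [a for a in POSTED_ACL if a.seq not in (80, 90)]

# Tightened variant: replies matched on source port, catch-alls replaced by the
# external endpoint. NTP replies (source port 123) have the same issue; left as posted.
TIGHTENED_ACL = [
    Ace(10, "permit", "ip", f"host {GW}", PDQ_NET),
    Ace(20, "permit", "ip", PDQ_NET, f"host {GW}"),
    Ace(30, "permit", "udp", "any", "any", dport=67),
    Ace(40, "permit", "udp", "any", "any", dport=68),
    Ace(50, "permit", "udp", PDQ_NET, DNS_PAIR, dport=53),
    Ace(55, "permit", "udp", DNS_PAIR, PDQ_NET, sport=53),
    Ace(60, "permit", "tcp", PDQ_NET, DNS_PAIR, dport=53),
    Ace(65, "permit", "tcp", DNS_PAIR, PDQ_NET, sport=53),
    Ace(70, "permit", "udp", "any", "any", dport=123),
    Ace(80, "permit", "ip", PDQ_NET, EXTERNAL),
    Ace(90, "permit", "ip", EXTERNAL, PDQ_NET),
]

# Constructed flows: two PDQs, the gateway, a DNS exchange, DHCP discover, the external endpoint.
FLOWS = {
    "pdq_to_pdq":    Flow("10.10.67.10", "10.10.67.11", "tcp", sport=50000, dport=443),
    "pdq_to_gw":     Flow("10.10.67.10", GW, "icmp"),
    "dns_query":     Flow("10.10.67.10", "192.0.2.11", "udp", sport=51000, dport=53),
    "dns_reply":     Flow("192.0.2.11", "10.10.67.10", "udp", sport=53, dport=51000),
    "dhcp_discover": Flow("0.0.0.0", "255.255.255.255", "udp", sport=68, dport=67),
    "to_external":   Flow("10.10.67.10", "203.0.113.10", "tcp", sport=52000, dport=443),
}


def evaluate_all() -> dict:
    """Verdict per flow as (posted, posted without 80/90, tightened)."""
    return {name: (vacl_verdict(POSTED_ACL, f), vacl_verdict(POSTED_WITHOUT_CATCHALL, f),
                   vacl_verdict(TIGHTENED_ACL, f)) for name, f in FLOWS.items()}
```

Calling `evaluate_all()` gives `pdq_to_pdq` as `("forward", "drop", "drop")` and `dns_reply` as `("forward", "drop", "forward")`: removing entries 80/90 alone would break DNS because a VLAN map is stateless and every reply direction needs its own entry written against the right port. The model covers one map clause with `action forward` and the implicit drop; it does not model the hardware ACL merge quoted later in the thread.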

5 Replies

Hi,

are you using HSRP for the VLAN 10?

>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

No, I wasn't planning to

Aaron Harrison
VIP Alumni

Hi Simon

I’m OK ta, hope you are good?

Re: the VACL thing, not had cause to use them really… however what I’d say is that you have these two lines at the end:

80 permit ip any 10.10.67.0 0.0.0.255
90 permit ip 10.10.67.0 0.0.0.255 any

… which essentially allow anything… so if something is being blocked it must be something fairly odd, e.g. something sourced from an IP other than 10.10.67.x, which seems unlikely...

So I’d think two things first:

- Does it work without a VACL at all? E.g. is this a new PDQ, and does it work reliably without any VACL? You might be chasing your tail if this has not been verified.

- I would set up a final permit any any entry in the VACL, and get it to log… With a normal IP ACL you just pop ‘log’ on the end; there may be more steps required for a VACL.

In theory you should see some log entries that will clue you in shortly before it dies…

Regards

Aaron
Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

thanks Aaron for your help here.

I've proceeded to apply a new VLAN to one PDQ without an access list and, for another, I've simplified the access list considerably. I'm also using port mirroring / Wireshark to monitor network traffic to the PDQ with the access list. Hopefully this will highlight what traffic is being blocked.

In the article that you sent through I found that:

Logging is not supported for VLAN maps.

- I also found the below text in the article that prompted a re-think of the access lists:

"Avoid including Layer 4 information in an ACL; adding this information complicates the merging process. The best merge results are obtained if the ACLs are filtered based on IP addresses (source and destination) and not on the full flow (source IP address, destination IP address, protocol, and protocol ports). It is also helpful to use don’t care bits in the IP address, whenever possible"

I'll provide an update in the New Year

Simon

Hello

@Simon Roberts wrote:

Hoping someone can help out with this. I've been asked to create a VACL and apply it on a catalyst 3650 switch port serving a PDQ device. Objectives of VACL are to prevent network traffic to other devices on the same vlan/network but allow traffic to the local DHCP, DNS and external endpoint.

The simplistic solution would be to make each port a protected port, but don't apply it to any local DHCP or DNS server ports.

This will negate communication between each protected port in the same VLAN and allow communication to any unprotected port.

interface x/x
 switchport protected

res
Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul