12-15-2017 04:51 AM - edited 03-08-2019 01:07 PM
Hoping someone can help out with this. I've been asked to create a VACL and apply it on a catalyst 3650 switch port serving a PDQ device. Objectives of VACL are to prevent network traffic to other devices on the same vlan/network but allow traffic to the local DHCP, DNS and external endpoint.
Find below what I've come up with so far. PDQs are on the 10.10.67.0/24 network and the gateway address is 10.10.67.254. The DNS server is shown as xxx.xxx.xx.xxx. The external endpoint IP has been shown below as 'any' as I'm still waiting for this information.
The below works on my test setup, but when it is deployed to a production PDQ I've received some reports of the PDQ losing connection to the network. A reset of the PDQ gets the device working again.
Suggestions and guidance on next steps welcome.
thanks, Simon
vlan access-map BLOCKPED 10
action forward
match ip address 100
vlan filter BLOCKPED vlan-list xxx
ip access-list extended 100
10 permit ip host 10.10.67.254 10.10.67.0 0.0.0.255
20 permit ip 10.10.67.0 0.0.0.255 host 10.10.67.254
30 permit udp any any eq bootps
40 permit udp any any eq bootpc
50 permit udp 10.10.67.0 0.0.0.255 xxx.xxx.xx.xxx 0.0.0.1 eq domain
55 permit udp xxx.xxx.xx.xx 0.0.0.1 10.10.67.0 0.0.0.255 eq domain
60 permit tcp 10.10.67.0 0.0.0.255 xxx.xxx.xx.xx 0.0.0.1 eq domain
65 permit tcp xxx.xxx.xx.xx 0.0.0.1 10.10.67.0 0.0.0.255 eq domain
70 permit udp any any eq ntp
80 permit ip any 10.10.67.0 0.0.0.255
90 permit ip 10.10.67.0 0.0.0.255 any
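A small offline check of how this VLAN map evaluates a few flows, added here as an illustration; it is not part of Simon's configuration or of any Cisco tooling. It assumes documentation addresses in place of the masked values (192.0.2.10 0.0.0.1 for the DNS pair, host 203.0.113.5 for the external endpoint), reads the posted entries 10 to 90 with the tcp entries 60 and 65 left out, and keeps {EXT} for the still-unknown endpoint so the same map can be evaluated with 'any' and with a real host.

```python
import ipaddress

# Constructed stand-ins for the masked values: DNS pair 192.0.2.10 0.0.0.1, endpoint 203.0.113.5.
PORTS = {"bootps": 67, "bootpc": 68, "domain": 53, "ntp": 123}

# Entries as posted (tcp 60/65 omitted); {EXT} is filled with "any" or "host 203.0.113.5".
ACL_TEMPLATE = """
10 permit ip host 10.10.67.254 10.10.67.0 0.0.0.255
20 permit ip 10.10.67.0 0.0.0.255 host 10.10.67.254
30 permit udp any any eq bootps
40 permit udp any any eq bootpc
50 permit udp 10.10.67.0 0.0.0.255 192.0.2.10 0.0.0.1 eq domain
55 permit udp 192.0.2.10 0.0.0.1 10.10.67.0 0.0.0.255 eq domain
70 permit udp any any eq ntp
80 permit ip {EXT} 10.10.67.0 0.0.0.255
90 permit ip 10.10.67.0 0.0.0.255 {EXT}
"""

def _addr(tokens):
    # One IOS address spec: any | host A | A WILDCARD, then an optional "eq PORT".
    if tokens[0] == "any":
        net, tokens = ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    elif tokens[0] == "host":
        net, tokens = ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    else:  # ipaddress accepts a Cisco wildcard (hostmask) after the slash
        net, tokens = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]
    port = None
    if tokens[:1] == ["eq"]:
        port, tokens = int(PORTS.get(tokens[1], tokens[1])), tokens[2:]
    return net, port, tokens

def parse_acl(text):
    aces = []
    for line in text.strip().splitlines():
        seq, action, proto, *rest = line.split()
        src, sport, rest = _addr(rest)
        dst, dport, _ = _addr(rest)
        aces.append((int(seq), action, proto, src, sport, dst, dport))
    return aces

def vacl_decision(aces, proto, src, sport, dst, dport):
    # VLAN map with action forward: the first matching permit forwards the packet;
    # a packet matching no entry hits the map's implicit deny and is dropped.
    for seq, action, p, snet, sp, dnet, dp in aces:
        if p in ("ip", proto) and ipaddress.ip_address(src) in snet \
                and ipaddress.ip_address(dst) in dnet \
                and (sp is None or sp == sport) and (dp is None or dp == dport):
            return ("forward" if action == "permit" else "drop"), seq
    return "drop", None
```

With the 'any' placeholder, entries 80 and 90 forward traffic between two PDQs on the VLAN, so the intra-VLAN block is not yet in effect. Once a host replaces 'any', a DNS reply from port 53 is dropped, because entry 55 as written tests the destination port rather than the source port.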
12-15-2017 07:06 AM
Hi,
are you using HSRP for the VLAN 10?
12-15-2017 07:24 AM
No, I wasn't planning to
12-20-2017 11:13 AM
Hi Simon
12-23-2017 03:56 AM
Thanks Aaron for your help here.
I've proceeded to apply a new vlan to a PDQ without an access list and, for another, I've simplified the access list considerably. I'm also using port mirroring / Wireshark to monitor network traffic to the PDQ with the access list. Hopefully this will highlight what traffic is being blocked.
In the article that you sent through I found that :
- Logging is not supported for VLAN maps.
- I also found the below text in the article that prompted a re-think of the access lists
"Avoid including Layer 4 information in an ACL; adding this information complicates the merging process. The best merge results are obtained if the ACLs are filtered based on IP addresses (source and destination) and not on the full flow (source IP address, destination IP address, protocol, and protocol ports). It is also helpful to use don’t care bits in the IP address, whenever possible"
I'll provide an update in the New Year
Simon
12-23-2017 04:17 AM - edited 12-23-2017 04:23 AM
Hello
@Simon Roberts wrote:
Hoping someone can help out with this. I've been asked to create a VACL and apply it on a catalyst 3650 switch port serving a PDQ device. Objectives of VACL are to prevent network traffic to other devices on the same vlan/network but allow traffic to the local DHCP, DNS and external endpoint.
The simplistic solution would be to make each port a protected port, but don't apply it to any local DHCP or DNS server ports.
This will negate communication between each protected port in the same vlan and allow communication to any unprotected port.
int x/x
switchport protected
res
Paul