03-07-2008 12:32 PM - edited 03-05-2019 09:37 PM
I am trying to restrict traffic into a vlan on a 3750. I only want to allow access from specific IP addresses and drop everything else. I setup the following ACL and vlan map configs on the 3750.
ip access-list extended QA_VLAN_ACL
permit ip host 10.3.10.77 any
permit tcp host 10.3.10.77 any
permit tcp host 10.3.10.35 any
permit tcp host 10.3.10.36 any
permit tcp host 10.3.10.37 any
permit tcp host 10.3.10.38 any
permit tcp host 10.3.10.39 any
permit tcp host 10.3.10.40 any
permit tcp host 10.3.10.41 any
permit tcp host 10.3.10.42 any
permit tcp host 10.3.10.43 any
permit tcp host 10.3.10.44 any
permit udp host 10.3.10.35 any
permit udp host 10.3.10.36 any
permit udp host 10.3.10.37 any
permit udp host 10.3.10.38 any
permit udp host 10.3.10.39 any
permit udp host 10.3.10.40 any
permit udp host 10.3.10.41 any
permit udp host 10.3.10.42 any
permit udp host 10.3.10.43 any
permit udp host 10.3.10.44 any
permit udp host 10.3.10.77 any
vlan access-map QA_VLAN_MAP 10
action forward
match ip address QA_VLAN_ACL
vlan filter QA_VLAN_MAP vlan-list 325
However, it doesn't seem to work. If I have the action set to forward then everything gets through and nothing is dropped. If I set the action to drop everything is dropped. I am not sure what I am doing wrong. Any help that can be provided will be much appreciated. Thanks.
03-08-2008 10:02 AM
Hi Ernest,
VLAN maps have no direction. To filter traffic in a specific direction by using a VLAN map, you need to include an ACL with specific source or destination addresses.
If there is a match clause for that type of packet (IP or MAC) in the VLAN map, the default action is to drop the packet if the packet does not match any of the entries within the map.
If there is no match clause for that type of packet, the default is to forward the packet.
Can you add deny ip any any at the end of the ACL and see if the behavior changes?
HTH,
__
Edison.
03-09-2008 11:38 AM
I have deny tcp any any and deny udp any any at the end of the ACL.
03-09-2008 11:41 AM
Please post the whole config.
__
Edison.
03-09-2008 11:45 AM
03-09-2008 12:08 PM
Try this approach:
vlan access-map QA_VLAN_MAP 10
match ip address QA_VLAN_ACL
action forward
vlan access-map QA_VLAN_MAP 20
match ip address QA_VLAN_ACL_DROP
action drop
!
!
!
ip access-list extended QA_VLAN_ACL
permit ip host 10.3.10.77 any
permit tcp host 10.3.10.77 any
permit tcp host 10.3.10.35 any
permit tcp host 10.3.10.36 any
permit tcp host 10.3.10.37 any
permit tcp host 10.3.10.38 any
permit tcp host 10.3.10.39 any
permit tcp host 10.3.10.40 any
permit tcp host 10.3.10.41 any
permit tcp host 10.3.10.42 any
permit tcp host 10.3.10.43 any
permit tcp host 10.3.10.44 any
permit udp host 10.3.10.35 any
permit udp host 10.3.10.36 any
permit udp host 10.3.10.37 any
permit udp host 10.3.10.38 any
permit udp host 10.3.10.39 any
permit udp host 10.3.10.40 any
permit udp host 10.3.10.41 any
permit udp host 10.3.10.42 any
permit udp host 10.3.10.43 any
permit udp host 10.3.10.44 any
permit udp host 10.3.10.77 any
ip access-list extended QA_VLAN_ACL_DROP
permit ip any any
HTH,
__
Edison.
03-09-2008 12:27 PM
Thanks for the quick replies Edison. I will test these configs when I am onsite tomorrow. I will let you know what happens.
03-09-2008 01:45 PM
I applied these configs. When I add the vlan filter QA_VLAN_MAP vlan-list 325 statement, I am able to connect to the gateway 10.3.25.1 from any host, but I am unable to connect to any hosts in vlan 325 from an IP that is permitted in the QA_VLAN_ACL.
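The behaviour reported in the post above (permitted source can send, but nothing comes back) follows from the point made earlier in the thread: a VLAN map has no direction, so the reply packet from a 10.3.25.x host is evaluated on its own and its source is not in QA_VLAN_ACL. The following Python model is an added example written for this page, not configuration or code from the thread or from Cisco. It encodes the ACL exactly as posted, models the single-entry map from the first post and the two-entry map suggested later, and evaluates a request, its reply and a packet from an unlisted source. Assumptions, labelled in the code: the names Packet, Ace, vlan_map_action and the helper functions are invented for the model; the addresses 10.3.25.50 and 10.3.99.9 are constructed sample hosts; the "symmetric" ACL is an assumed mitigation, not something the thread proposes; and the IOS rule that an ACL deny inside a VLAN map means "no match, try the next map entry" is the modelled semantics, with the default-drop rule taken from the thread.

```python
"""Model of Cisco IOS VLAN access-map evaluation (added example, not from the thread).

Modelled semantics (assumptions):
  * map entries are tried in sequence order;
  * a packet "matches" an entry when the referenced ACL permits it; an ACL deny
    (explicit, or the implicit deny at the end) means "no match" and evaluation
    moves to the next entry;
  * if no entry matches and the map has a match clause for that packet type
    (here: IP), the default action is drop (as stated in the thread).
A VLAN map is directionless: every packet bridged within, or routed into or
out of, the filtered VLAN is evaluated on its own.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp", "icmp", ...
    src: str
    dst: str


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches any IP protocol
    src: str     # "any", a host address, or a CIDR network
    dst: str

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return _addr_match(self.src, pkt.src) and _addr_match(self.dst, pkt.dst)


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    # a bare host address becomes a /32 network
    return ip_address(addr) in ip_network(spec, strict=False)


def acl_permits(acl, pkt: Packet) -> bool:
    """First matching ACE decides; the implicit deny at the end counts as 'no match'."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


def vlan_map_action(entries, pkt: Packet) -> str:
    """entries: list of (acl, action) in sequence order. Returns 'forward' or 'drop'."""
    for acl, action in entries:
        if acl_permits(acl, pkt):
            return action
    return "drop"  # the map has an IP match clause, so unmatched IP packets are dropped


# The ten QA hosts plus 10.3.10.77, as listed in the thread's QA_VLAN_ACL.
QA_HOSTS = ["10.3.10.77"] + [f"10.3.10.{n}" for n in range(35, 45)]


def qa_vlan_acl_directional():
    """QA_VLAN_ACL as posted: permits traffic *from* the QA hosts only."""
    acl = [Ace("permit", "ip", "10.3.10.77", "any")]
    acl += [Ace("permit", "tcp", h, "any") for h in QA_HOSTS]
    acl += [Ace("permit", "udp", h, "any") for h in QA_HOSTS]
    return acl


def qa_vlan_acl_symmetric():
    """Assumed mitigation (not from the thread): also permit traffic *to* the QA hosts,
    so that stateless reply packets are matched by the same map entry."""
    acl = qa_vlan_acl_directional()
    acl += [Ace("permit", "tcp", "any", h) for h in QA_HOSTS]
    acl += [Ace("permit", "udp", "any", h) for h in QA_HOSTS]
    return acl


def single_entry_map(acl):
    """vlan access-map QA_VLAN_MAP 10 / match ip address QA_VLAN_ACL / action forward"""
    return [(acl, "forward")]


def two_entry_map(acl):
    """Entry 10 as above, plus entry 20 matching QA_VLAN_ACL_DROP (permit ip any any) with action drop."""
    catch_all = [Ace("permit", "ip", "any", "any")]
    return [(acl, "forward"), (catch_all, "drop")]


def evaluate(entries) -> dict:
    """Evaluate three constructed packets against a map; 10.3.25.50 and 10.3.99.9 are sample hosts."""
    request = Packet("tcp", "10.3.10.77", "10.3.25.50")   # permitted QA host -> VLAN 325 host
    reply = Packet("tcp", "10.3.25.50", "10.3.10.77")     # the SYN-ACK coming back
    stranger = Packet("tcp", "10.3.99.9", "10.3.25.50")   # source not listed in the ACL
    return {
        "request": vlan_map_action(entries, request),
        "reply": vlan_map_action(entries, reply),
        "unlisted_source": vlan_map_action(entries, stranger),
    }


if __name__ == "__main__":
    for label, acl in (("as posted", qa_vlan_acl_directional()),
                       ("symmetric", qa_vlan_acl_symmetric())):
        print(label, "single-entry:", evaluate(single_entry_map(acl)))
        print(label, "two-entry:   ", evaluate(two_entry_map(acl)))
```

With the ACL as posted, the request is forwarded and the reply is dropped whichever map form is used; the two-entry map with an explicit catch-all drop gives the same results as relying on the default drop, and appending deny tcp any any / deny udp any any to the ACL changes nothing, since a deny inside a VLAN map is just "no match". The symmetric ACL lets the reply through, but because VLAN maps are stateless it also permits any host in the filtered VLAN to initiate TCP or UDP connections to the QA hosts; where that is not acceptable, a router ACL on the SVI (which does have a direction) is the tool for one-way filtering.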
03-11-2008 11:59 AM
The ACL is affecting devices on Vlan 310 (Subnet 10.3.10.x) therefore the vlan-list should be applied to 310 not 325.
__
Edison.
03-11-2008 12:02 PM
If I apply this to vlan 310, will traffic from other vlans be blocked? That is what I am trying to achieve.
03-11-2008 10:59 AM
I am having the same problem. I am using a 3560, and whenever I try to drop a subnet, everything is dropped.