Restrict Access to VLAN

edunn
Level 1

I am trying to restrict traffic into a VLAN on a 3750. I only want to allow access from specific IP addresses and drop everything else. I set up the following ACL and VLAN map configs on the 3750.

ip access-list extended QA_VLAN_ACL
 permit ip host 10.3.10.77 any
 permit tcp host 10.3.10.77 any
 permit tcp host 10.3.10.35 any
 permit tcp host 10.3.10.36 any
 permit tcp host 10.3.10.37 any
 permit tcp host 10.3.10.38 any
 permit tcp host 10.3.10.39 any
 permit tcp host 10.3.10.40 any
 permit tcp host 10.3.10.41 any
 permit tcp host 10.3.10.42 any
 permit tcp host 10.3.10.43 any
 permit tcp host 10.3.10.44 any
 permit udp host 10.3.10.35 any
 permit udp host 10.3.10.36 any
 permit udp host 10.3.10.37 any
 permit udp host 10.3.10.38 any
 permit udp host 10.3.10.39 any
 permit udp host 10.3.10.40 any
 permit udp host 10.3.10.41 any
 permit udp host 10.3.10.42 any
 permit udp host 10.3.10.43 any
 permit udp host 10.3.10.44 any
 permit udp host 10.3.10.77 any

vlan access-map QA_VLAN_MAP 10
 action forward
 match ip address QA_VLAN_ACL

vlan filter QA_VLAN_MAP vlan-list 325

However, it doesn't seem to work. If I have the action set to forward, then everything gets through and nothing is dropped. If I set the action to drop, everything is dropped. I am not sure what I am doing wrong. Any help that can be provided will be much appreciated. Thanks.


Edison Ortiz
Hall of Fame

Hi Ernest,

VLAN maps have no direction. To filter traffic in a specific direction by using a VLAN map, you need to include an ACL with specific source or destination addresses.

If there is a match clause for that type of packet (IP or MAC) in the VLAN map, the default action is to drop the packet if the packet does not match any of the entries within the map.

If there is no match clause for that type of packet, the default is to forward the packet.

Can you add deny ip any any at the end of the ACL and see if the behavior changes?

HTH,

__

Edison.

I have deny tcp any any and deny udp any any at the end of the ACL.

Please post the whole config.

__

Edison.

Here is the config from the 3750.

Try this approach:

vlan access-map QA_VLAN_MAP 10
 match ip address QA_VLAN_ACL
 action forward
vlan access-map QA_VLAN_MAP 20
 match ip address QA_VLAN_ACL_DROP
 action drop
!
!
!
ip access-list extended QA_VLAN_ACL
 permit ip host 10.3.10.77 any
 permit tcp host 10.3.10.77 any
 permit tcp host 10.3.10.35 any
 permit tcp host 10.3.10.36 any
 permit tcp host 10.3.10.37 any
 permit tcp host 10.3.10.38 any
 permit tcp host 10.3.10.39 any
 permit tcp host 10.3.10.40 any
 permit tcp host 10.3.10.41 any
 permit tcp host 10.3.10.42 any
 permit tcp host 10.3.10.43 any
 permit tcp host 10.3.10.44 any
 permit udp host 10.3.10.35 any
 permit udp host 10.3.10.36 any
 permit udp host 10.3.10.37 any
 permit udp host 10.3.10.38 any
 permit udp host 10.3.10.39 any
 permit udp host 10.3.10.40 any
 permit udp host 10.3.10.41 any
 permit udp host 10.3.10.42 any
 permit udp host 10.3.10.43 any
 permit udp host 10.3.10.44 any
 permit udp host 10.3.10.77 any

ip access-list extended QA_VLAN_ACL_DROP
 permit ip any any

HTH,

__

Edison.

Thanks for the quick replies Edison. I will test these configs when I am onsite tomorrow. I will let you know what happens.

I applied these configs. When I add the vlan filter QA_VLAN_MAP vlan-list 325 statement, I am able to connect to the gateway 10.3.25.1 from any host, but I am unable to connect to any hosts in VLAN 325 from an IP that is permitted in the QA_VLAN_ACL.

The ACL is affecting devices on VLAN 310 (subnet 10.3.10.x), therefore the vlan-list should be applied to 310, not 325.

__

Edison.
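The behaviour reported two posts up (the gateway is reachable, but a permitted host still cannot connect to hosts in VLAN 325) follows from two facts stated in this thread: a VLAN map has no direction, and the ACL entries match on the source address only (the `host X any` form). Below is a small Python model of that evaluation, added here as an illustration; it is not code from the thread or from Cisco, and it encodes only the semantics Edison describes (entries tried in sequence, first permitting ACL supplies the action, an IP packet that matches no entry is dropped because the map carries an `match ip address` clause). The ACLs are the ones posted; the server address 10.3.25.10 and the unlisted client 10.3.10.99 are constructed sample values. Running it shows the request from 10.3.10.77 being forwarded while the reply from the VLAN 325 host is dropped, because the reply's source is not in QA_VLAN_ACL and so falls through to sequence 20.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address
    proto: str  # "tcp", "udp" or "icmp"


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    proto: str   # "ip", "tcp" or "udp"
    src: str     # "any" or a single host address (the "host X" form)
    dst: str     # "any" or a single host address


def entry_matches(entry, pkt):
    """An extended ACL entry matches when protocol, source and destination all match."""
    return ((entry.proto == "ip" or entry.proto == pkt.proto)
            and (entry.src == "any" or entry.src == pkt.src)
            and (entry.dst == "any" or entry.dst == pkt.dst))


def acl_permits(acl, pkt):
    """IOS ACL semantics: the first matching entry decides; implicit deny at the end."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry.action == "permit"
    return False


def vacl_action(access_map, pkt):
    """VLAN access-map evaluation as described in the thread: map entries are tried in
    sequence order, the first entry whose ACL permits the packet supplies its action,
    and an IP packet that matches no entry is dropped because the map has an IP match clause."""
    for _seq, acl, action in sorted(access_map, key=lambda e: e[0]):
        if acl_permits(acl, pkt):
            return action
    return "drop"


def session_allowed(access_map, client, server, proto="tcp"):
    """A VLAN map has no direction: the request and the reply are both checked against
    the same map, so a session only works if both directions are forwarded."""
    request = Packet(client, server, proto)
    reply = Packet(server, client, proto)
    return (vacl_action(access_map, request) == "forward"
            and vacl_action(access_map, reply) == "forward")


# QA_VLAN_ACL as posted in the thread: ip for .77, tcp and udp for .35-.44 and .77.
PERMITTED_HOSTS = ["10.3.10.%d" % n for n in range(35, 45)] + ["10.3.10.77"]
QA_VLAN_ACL = (
    [AclEntry("permit", "ip", "10.3.10.77", "any")]
    + [AclEntry("permit", "tcp", h, "any") for h in PERMITTED_HOSTS]
    + [AclEntry("permit", "udp", h, "any") for h in PERMITTED_HOSTS]
)
# QA_VLAN_ACL_DROP as posted: matches everything left over.
QA_VLAN_ACL_DROP = [AclEntry("permit", "ip", "any", "any")]

# The two-entry map from Edison's reply: sequence 10 forwards, sequence 20 drops.
QA_VLAN_MAP = [
    (10, QA_VLAN_ACL, "forward"),
    (20, QA_VLAN_ACL_DROP, "drop"),
]

if __name__ == "__main__":
    server = "10.3.25.10"  # constructed sample host in VLAN 325
    for pkt in [Packet("10.3.10.77", server, "tcp"),   # request from a permitted host
                Packet(server, "10.3.10.77", "tcp"),   # reply from the VLAN 325 host
                Packet("10.3.10.35", server, "icmp"),  # .35 is permitted for tcp/udp only
                Packet("10.3.10.99", server, "tcp")]:  # constructed unlisted host
        print(pkt, "->", vacl_action(QA_VLAN_MAP, pkt))
    print("tcp session 10.3.10.77 <-> %s allowed:" % server,
          session_allowed(QA_VLAN_MAP, "10.3.10.77", server))
```

The same model also shows that 10.3.10.35 is forwarded for TCP and UDP but dropped for ICMP, since only 10.3.10.77 has a `permit ip` entry; that is worth keeping in mind when a ping test is used to check whether the map is working.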

If I apply this to vlan 310, will traffic from other vlans be blocked? That is what I am trying to achieve.

joshkurtz
Level 1

I am having the same problem. I am using a 3560, and whenever I try to drop a subnet everything is dropped.