07-17-2009 05:48 AM - edited 03-06-2019 06:49 AM
Hi
Yesterday I put a vlan acl on a vlan that pretty much blocked everything except for a number of ports. When I put the access-list on, I saw in the acl logging that it was blocking PCs in the vlan from accessing multicast addresses that were only present within the same vlan, i.e. there was no need for the PCs to leave the vlan.
I can't understand this. I thought vlan acls only kick in when crossing vlan boundaries; from the above it also seems that they control behaviour within the vlan as well.
Can someone please explain how that can be and what am I missing about vlan acl's?
Thanks
Dan
07-17-2009 08:06 AM
Hi Dan,
Your practical experience reflects how vlan acls work in practice.
The effect of vlan acls applies to the vlan (i.e. to all traffic within a vlan), not to the traffic on specific ports.
This is why you cannot configure the direction of vlan acls, as you do for router acls (in or out).
Also, vlan acls are applied to vlans, not ports, during the configuration phase.
Cheers,
Istvan
07-17-2009 08:21 AM
Thanks for the info,
I've applied the acls like this:
int vlan 10
ip access-group WAN-In in
ip access-group WAN-Out out
exit
The above doesn't fit in with your statement:
"This is why you cannot configure the direction of vlan acls, as you do for router acls (in or out)."
If this is true what is the effect of me doing the above access-group statements?
Thanks
Dan
07-17-2009 08:30 AM
Dan
Could you post the acl? I think there is some confusion over what you mean by a vlan acl.
If you are using the access-group command to apply them then they are standard acls, i.e. they work at L3 and block traffic between vlans.
Istvan was talking about vlan maps that restrict traffic within the same vlan and these are not directional as he said.
Jon
07-17-2009 08:43 AM
Hi Dan,
As Jon also says, your configuration uses router acls applied to the vlan interface.
Here is some information for you about vlan acls:
Cheers,
Istvan
07-17-2009 08:52 AM
Hi Jon,
Looks like my lack of knowledge is impeding me again!
Here are my acls:
sh access-lists WAN-In
Extended IP access list WAN-In
110 permit tcp any any eq 445
120 permit udp any any eq 445
130 permit udp any any eq snmp
140 permit udp any any eq snmptrap
150 permit tcp any any eq 389
160 permit udp any any eq 389
170 permit tcp any any eq 3268
180 permit udp any any eq 3268
190 permit tcp any any eq 3389
200 permit udp any any eq 3389
210 permit tcp any any eq 135
220 permit udp any any eq 135
230 permit udp any any eq netbios-ns
240 permit udp any any eq netbios-dgm
250 permit udp any any eq netbios-ss
260 deny ip any any log
sh access-lists WAN-Out
Extended IP access list WAN-Out
110 permit tcp any any eq 445
120 permit udp any any eq 445
130 permit udp any any eq snmp
140 permit udp any any eq snmptrap
150 permit tcp any any eq 389
160 permit udp any any eq 389
170 permit tcp any any eq 3268
180 permit udp any any eq 3268
190 permit tcp any any eq 3389
200 permit udp any any eq 3389
210 permit tcp any any eq 135
220 permit udp any any eq 135
230 permit udp any any eq netbios-ns
240 permit udp any any eq netbios-dgm
250 permit udp any any eq netbios-ss
260 deny ip any any log
Thanks Dan
07-17-2009 09:01 AM
Dan
What was the log message for the multicast traffic that was dropped, i.e. source/destination etc.?
Jon
07-17-2009 09:43 AM
Here's the message:
Jul 16 16:43:08 CST: %SEC-6-IPACCESSLOGNP: list WAN-In denied 113 10.65.50.10 -> 239.255.3.20, 1 packet
Dan
07-17-2009 12:37 PM
Dan
Is that multicast address being used in your LAN ?
There is no reason why this couldn't hit the L3 vlan interface, i.e. nothing specifies that it has to stay on the same vlan.
Jon
07-20-2009 04:13 AM
Hi Jon,
Yes, that multicast address is only being used in the vlan that I have attached the acl to.
I'm not sure what you meant by your second sentence. Why would the access-list block the multicast address if the address only resides within the vlan?
Thanks
Dan
07-20-2009 07:32 AM
Dan
Because the port that the router is connected to receives the multicast packet and so drops it because of the acl. It doesn't really matter that you are only using that multicast address within that subnet. It's not a local address in the same sense that the IP subnet range is.
Jon
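As an added illustration of Jon's point (example code, not part of the thread): a small Python model of top-down, first-match ACL evaluation run over a copy of Dan's WAN-In list and the logged packet. It shows that the multicast packet (IP protocol 113, so no TCP/UDP port) matches nothing before the final "deny ip any any log" entry, while a permitted port such as TCP 445 is passed. The numeric ports for the named services (snmp, snmptrap, netbios-*) are assumed from the standard assignments; the log line is copied from the thread.

```python
import ipaddress
import re

# Copy of the WAN-In ACL from the thread as (action, protocol, destination port).
# Named services resolved to their standard port numbers (assumption).
WAN_IN = [
    ("permit", "tcp", 445), ("permit", "udp", 445),
    ("permit", "udp", 161), ("permit", "udp", 162),      # snmp, snmptrap
    ("permit", "tcp", 389), ("permit", "udp", 389),
    ("permit", "tcp", 3268), ("permit", "udp", 3268),
    ("permit", "tcp", 3389), ("permit", "udp", 3389),
    ("permit", "tcp", 135), ("permit", "udp", 135),
    ("permit", "udp", 137), ("permit", "udp", 138),      # netbios-ns, netbios-dgm
    ("permit", "udp", 139),                              # netbios-ss
    ("deny", "ip", None),                                # deny ip any any log
]

# The %SEC-6-IPACCESSLOGNP line Dan posted (NP = non-port protocol, so the
# field after "denied" is the IP protocol number, not a port).
SAMPLE_LOG = ("Jul 16 16:43:08 CST: %SEC-6-IPACCESSLOGNP: list WAN-In denied "
              "113 10.65.50.10 -> 239.255.3.20, 1 packet")

LOG_RE = re.compile(r"list (\S+) denied (\S+) (\S+) -> (\S+), (\d+) packet")


def parse_log(line):
    """Extract acl name, protocol, src, dst and packet count from the log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    acl, proto, src, dst, count = m.groups()
    return {"acl": acl, "proto": proto, "src": src, "dst": dst,
            "packets": int(count), "dst_multicast": is_multicast(dst)}


def is_multicast(addr):
    """True for 224.0.0.0/4; such a destination is still matched by 'any'."""
    return ipaddress.ip_address(addr).is_multicast


def evaluate(acl, proto, dport=None):
    """First matching entry wins; 'ip' matches every protocol; implicit deny."""
    for action, p, port in acl:
        if p != "ip" and p != proto:
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"
```

Feeding the parsed log entry's protocol into evaluate() returns "deny" because entries 110-250 only match tcp/udp ports; the destination being multicast does not exempt it from "any".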