VACL Confusion...

MrPrince1979
Level 1

Hi,

Wondering if someone can clear up some VACL confusion for me… The test network I’m working on is very basic and looks like this:

VLAN 206: 10.1.6.0 255.255.255.240
------
PC1:  10.1.6.1
PC2:  10.1.6.2
PC3:  10.1.6.3
PC4:  10.1.6.4
------
SVI:  10.1.6.14

I’m trying to configure a VACL where:

  1. All PCs are permitted to communicate with the SVI
  2. All PCs are denied communicating to each other – Except PC1 should be permitted to ssh to PC2

My current config concerning this looks like:

ip access-list extended VMAP206-Permit
permit ip 10.1.6.0 0.0.0.15 host 10.1.6.14
permit ip host 10.1.6.14 10.1.6.0 0.0.0.15
permit tcp host 10.1.6.1 host 10.1.6.2 eq ssh
permit tcp host 10.1.6.2 host 10.1.6.1 eq ssh
exit
!
vlan access-map VMAP206 10
action forward
match ip address VMAP206-Permit
exit
!
vlan access-map VMAP206 20
action drop
exit
!
vlan filter VMAP206 vlan 206

When I apply the list, no traffic gets through anywhere. Fundamentally, where am I going wrong? Do I have to specifically include VLAN traffic travelling to and from the SVI in my ACL? Do I have to include the return traffic in my ACL? I'm assuming that this isn't stateful.

I'm confused... Any help appreciated.

Thanks. (Sorry for the long post!)


Peter Paluch
Cisco Employee

Hi Oliver,

When you apply that VACL, can you at least ping the SVI from the PCs? Alternatively, can you erase the ARP cache on the PCs and check whether it is repopulated correctly when you try to ping the SVI, even if it does not respond?

Regarding PC1 and PC2 SSHing to one another, you may want to correct your ACL as follows:

ip access-list extended VMAP206-Permit
permit ip 10.1.6.0 0.0.0.15 host 10.1.6.14
permit ip host 10.1.6.14 10.1.6.0 0.0.0.15
permit tcp host 10.1.6.1 host 10.1.6.2 eq ssh
permit tcp host 10.1.6.2 eq ssh host 10.1.6.1
permit tcp host 10.1.6.2 host 10.1.6.1 eq ssh
permit tcp host 10.1.6.1 eq ssh host 10.1.6.2
exit

Best regards,

Peter

Hi Peter,

Thanks for replying. I amended my own ACL and applied yours, but the same thing happened. I lost all connectivity in that VLAN to all hosts, including the gateway as well as other hosts in different networks. I also tried your suggestion and erased the ARP cache on my XP machine and tried to ping the gateway, but even though the ping wasn’t successful, the ARP cache on my workstation still had no entries.

BTW, the switches in question are Cat 3560s running ipservicesk9-mz.122-55.SE.bin in HSRP.

Any other suggestions?

Thanks.
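A revised version of the configuration from the thread, added here as an illustration and not taken from either post. It assumes the Catalyst 3560 VLAN-map behaviour that a frame matching no earlier entry falls to the catch-all `action drop` entry: an `ip access-list` never matches ARP, so with the original map ARP is dropped and the PCs can never resolve the SVI (which fits the empty ARP cache reported above). The revision forwards ARP through a MAC ACL (the `VMAP206-ARP` name is an assumption) and carries both directions of each flow, because a VACL is not stateful.

```cisco
! Added example, not the configuration from the posts above.
! ARP (EtherType 0x806) is not IP, so it must be matched by a MAC ACL;
! otherwise it falls through to entry 20 and is dropped.
mac access-list extended VMAP206-ARP
 permit any any 0x806 0x0
!
ip access-list extended VMAP206-Permit
 ! Every PC to and from the SVI, both directions (the VACL keeps no state)
 permit ip 10.1.6.0 0.0.0.15 host 10.1.6.14
 permit ip host 10.1.6.14 10.1.6.0 0.0.0.15
 ! PC1 -> PC2 SSH: the requests to port 22 and the replies coming from port 22
 permit tcp host 10.1.6.1 host 10.1.6.2 eq 22
 permit tcp host 10.1.6.2 eq 22 host 10.1.6.1
!
vlan access-map VMAP206 5
 action forward
 match mac address VMAP206-ARP
vlan access-map VMAP206 10
 action forward
 match ip address VMAP206-Permit
! Catch-all: no match clause, so every remaining frame is dropped,
! which is what isolates the PCs from each other.
vlan access-map VMAP206 20
 action drop
!
vlan filter VMAP206 vlan-list 206
```

If 10.1.6.14 is an HSRP virtual address rather than a real SVI address, the two switches' real SVI addresses and the HSRP hellos between them (UDP port 1985 to 224.0.0.2) also need permit entries, since the VLAN map filters switch-to-switch traffic on that VLAN as well.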
