cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
761
Views
0
Helpful
2
Replies
Beginner

VACL Confusion...

Hi,

Wondering if someone can clear up some VACL confusion for me… The test network I’m working on is very basic and looks like this:

VLAN 206: 10.1.6.0 255.255.255.240
------
PC1:  10.1.6.1
PC2:  10.1.6.2
PC3:  10.1.6.3
PC4:  10.1.6.4
------
SVI:  10.1.6.14

I’m trying configure a VACL where:

  1. All PCs are permitted to communicate with the SVI
  2. All PCs are denied communicating to each other – Except PC1 should be permitted to ssh to PC2

My current config concerning this looks like:

ip access-list extended VMAP206-Permit
permit ip 10.1.6.0 0.0.0.15 host 10.1.6.14
permit ip host 10.1.6.14 10.1.6.0 0.0.0.15
permit tcp host 10.1.6.1 host 10.1.6.2 eq ssh
permit tcp host 10.1.6.2 host 10.1.6.1 eq ssh
exit
!
vlan access-map VMAP206 10
action forward
match ip address VMAP206-Permit
exit
!
vlan access-map VMAP206 20
action drop
exit
!
vlan filter VMAP206 vlan 206

When I apply the list no traffic gets through anywhere. Fundamentally where am I going wrong? Do I have to specifically include vlan traffic travelling to and from the SVI with my ACL? Do I have to include the return traffic with my ACL, I assuming that this isn't stateful.

I'm confused... Any help appreciated.

Thanks. (Sorry for the long post! )

Everyone's tags (5)
2 REPLIES 2
Highlighted
Hall of Fame Cisco Employee

Re: VACL Confusion...

Hi Oliver,

When you apply that VACL, can you at least ping the SVI from the PCs? Alternatively, can you erase the ARP cache on the PCs and check whether it is repopulated correctly when you try to ping the SVI, even if it does not respond?

Regarding the PC1 and PC2 ssh-ing one to another, you may want to correct your ACL as follows:

ip access-list extended VMAP206-Permit
permit ip 10.1.6.0 0.0.0.15 host 10.1.6.14
permit ip host 10.1.6.14 10.1.6.0 0.0.0.15
permit tcp host 10.1.6.1 host 10.1.6.2 eq ssh
permit tcp host 10.1.6.2 eq ssh host 10.1.6.1
permit tcp host 10.1.6.2 host 10.1.6.1 eq ssh
permit tcp host 10.1.6.1 eq ssh host 10.1.6.2
exit

Best regards,

Peter

Highlighted
Beginner

Re: VACL Confusion...

Hi Peter,

Thanks for replying. I amending my own ACL and applied yours but the same thing happened. I lost all connectivity in that vlan to all hosts including the gateway as well as other hosts in different networks. I also tried you suggestion and erased the arp cache on my XP machine and tried to ping the gateway, but even though the ping wasn’t successful the arp cache on my workstation still had no entries.

BTW the switches in question are Cat 3560s running ipservicesk9-mz.122-55.SE.bin in HRSP

Any other suggestions?

Thanks.

CreatePlease to create content
Content for Community-Ad