VACL design question

mahesh18
Level 6

Hi everyone,

I have question here about VACL.

I have 2 - 3550 switches running HSRP.

They have vlan 10,20 and 30 configured.

3550A is Active for vlans 10,20 and 30.

3550A then connects to layer 2 switches A and B.

Layer 2 Switch A has vlan 10

Layer 2 switch B has vlan 20.

These switches connect to Router for Internet.

Vlan 10 subnet is 192.168.10.0

Layer 2 switch A IP 192.168.10.5

I was configuring VACL to test so that from 3550A switch under vlan 10 I should not be able to telnet layer 2 switch A IP which is vlan 10.

Rest everything should work fine.

I did configure the VACL and applied it, but I was unable to ping or telnet to IP 192.168.10.5.

Also I was unable to ping the 3550B switch vlan 10, which is standby 192.168.10.2.

Is there something wrong I am doing? Need to confirm with you guys.

Config I applied to 3550A

3550SMIA(config)#ip access-list extended telnet

3550SMIA(config-ext-nacl)#deny tcp 192.168.10.0 0.0.0.255 eq 23 192.168.10.5 ?

A.B.C.D Destination wildcard bits

3550SMIA(config-ext-nacl)#$2.168.10.0 0.0.0.255 eq 23 192.168.10.5 0.0.0.0

3550SMIA(config-ext-nacl)#permit ip any any

3550SMIA(config)#vlan access-map switch 10

3550SMIA(config-access-map)#match ip address telnet

3550SMIA(config-access-map)#action drop

3550SMIA(config-access-map)#vlan access-map switch 20

3550SMIA(config-access-map)#action forward

3550SMIA(config-access-map)#end

3550SMIA#config t

3550SMIA(config)#vlan filter switch vlan-list 10

3550SMIA(config)#end

Thanks

MAhesh

Message was edited by: mahesh parmar

15 Replies

Warren.Arthur
Level 1

You should permit telnet with the access list and then do an action drop under your vlan access map.

Giuseppe Larosa
Hall of Fame

Hello Mahesh,

You are dropping all traffic because of that permit ip any any at the end of the IP ACL with name telnet.

Remove that line and write the ACL to match the telnet traffic; the action drop is in the calling VACL, so you don't need to deny it in the IP ACL.

ip access-list extended telnet2

permit tcp 192.168.10.0 0.0.0.255 host 192.168.10.5 eq 23

then you use

vlan access-map SWITCH 10

match ip address telnet2

action drop

vlan access-map SWITCH 20

action forward

vlan filter SWITCH vlan-list 10

It is better to use capital letters for the names of objects you define; that "switch" was looking like a keyword!

Hope to help

Giuseppe

Hi Giuseppe,

Thanks for reply.

I did exactly as you said.

But I am able to telnet IP 192.168.10.5 from the 3550A switch.

Telnet is not blocked.

Every type of traffic is going.

Thanks

MAhesh

Hello Mahesh,

what is the IP address of the other switch?

Hope to help

Giuseppe

Hi,

IP of layer 2 Switch on Vlan 10 only is 192.168.10.5

Thanks

Mahesh,

Instead of using vacls for this reason, why don't you create an acl and apply it to the line. If you're only wanting to deny users from this subnet, you can do something like:

access-list 10 deny 192.168.10.0 0.0.0.255

access-list 10 permit any

line vty 0 4

access-class 10 in

You would apply this on your L2 switch and it would accomplish the same thing....

HTH,

John

HTH, John *** Please rate all useful posts ***

Hi John,

The only reason I am using VACL is that I am preparing for the CCNP Switch exam.

So I need to understand and implement VACL better, so that I can understand it better.

Thanks

MAhesh

Gotcha!

What Giuseppe gave you should've worked. Did you apply the vacl to the vlan? How are you trying to telnet into the switch and from what address?

John

HTH, John *** Please rate all useful posts ***

Hi john,

I have applied the VACL to vlan 10.

I tried to telnet from a PC which has a port on switch 2950A on vlan 10.

I am able to telnet from there.

Also I tried to telnet from the 3550A switch and it worked.

I am attaching a diagram of my home lab under the original post.

That will give you the bigger picture.

Thanks for helping John

Mahesh

Hi John,

This is what I found on further testing.

If you look at the diagram, telnet from the 2691 or 2650 router and the 3550B switch does not work.

But telnet works from the 3550A switch.

Can you please tell me why telnet works from the 3550A switch?

Thanks

MAhesh

Hello Mahesh,

I cannot open the network diagram.

However, what you have done with the VACL is to block telnet connections coming from 192.168.10.0/24 to 192.168.10.5 if they go through the multilayer switch where the VACL is applied.

So a PC directly connected to the switch with IP address 192.168.10.5 on a switchport in Vlan10, and with an IP address in the same IP subnet, is not blocked, as the frame remains internal to the switch and does not travel to the multilayer switch where you have applied the VACL.

In addition to this, if a device has an IP in a different IP subnet, like switchB, which should be in the IP subnet associated to Vlan20 according to your original post, it is allowed to telnet to 192.168.10.5.

To block this telnet attempt the IP ACL has to be modified adding the following line:

access-list extended telnet2

permit tcp host host 192.168.10.5 eq 23

I guess that all devices that are not allowed to telnet to 192.168.10.5 have an IP address in IP subnet 192.168.10.0/24, and if it is so, it is proof that the VACL is in effect.

Hope to help

Giuseppe
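To illustrate the two points Giuseppe makes above (inside a VACL the match ACL only selects traffic, so a trailing "permit ip any any" makes sequence 10 drop everything, and a VACL only evaluates frames that pass through the switch it is applied to), here is a small Python model of VACL evaluation; it is an added example, not configuration from the thread, and it reuses the addresses from the original post. Note that in Mahesh's first ACL the "eq 23" placed after the source address is a source-port match, which the model reproduces.

```python
import ipaddress

# Constructed model of Cisco VACL evaluation (added example, not from the thread).
# An ACE is (action, proto, src_net, dst_net, sport, dport). Inside a VACL a
# "permit" ACE means "this packet matches the sequence"; drop/forward comes
# from the access-map action, never from the ACL itself.
def ace_matches(ace, pkt):
    action, proto, src, dst, sport, dport = ace
    return (proto in ("ip", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst)
            and sport in (None, pkt.get("sport"))
            and dport in (None, pkt.get("dport")))

def acl_matches(acl, pkt):
    """First fitting ACE decides: permit = matched, deny or no ACE = not matched."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0] == "permit"
    return False

def vacl_action(access_map, acls, pkt):
    """Sequences in order; one without a match clause fits everything.
    A packet fitting no sequence hits the VACL's implicit drop."""
    for match_acl, action in access_map:
        if match_acl is None or acl_matches(acls[match_acl], pkt):
            return action
    return "drop"

def switch_decision(pkt, crosses_3550a, access_map, acls):
    """The VACL only sees frames entering 3550A; a frame switched locally on
    2950A between two vlan 10 ports is never evaluated."""
    return vacl_action(access_map, acls, pkt) if crosses_3550a else "forward"

ANY = "0.0.0.0/0"
ACLS = {
    # Mahesh's ACL: deny on SOURCE port 23, then permit ip any any -> matches all
    "telnet":  [("deny", "tcp", "192.168.10.0/24", "192.168.10.5/32", 23, None),
                ("permit", "ip", ANY, ANY, None, None)],
    # Giuseppe's telnet2: match only telnet towards 192.168.10.5
    "telnet2": [("permit", "tcp", "192.168.10.0/24", "192.168.10.5/32", None, 23)],
}
MAP_ORIGINAL = [("telnet", "drop"), (None, "forward")]
MAP_FIXED = [("telnet2", "drop"), (None, "forward")]
TELNET = {"proto": "tcp", "src": "192.168.10.1", "dst": "192.168.10.5", "sport": 40000, "dport": 23}
PING = {"proto": "icmp", "src": "192.168.10.1", "dst": "192.168.10.2"}

if __name__ == "__main__":
    print(switch_decision(PING, True, MAP_ORIGINAL, ACLS))   # drop: the symptom
    print(switch_decision(PING, True, MAP_FIXED, ACLS))      # forward
    print(switch_decision(TELNET, False, MAP_FIXED, ACLS))   # forward: local on 2950A
```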

Hi Giuseppe,

Thanks for replying back.

I removed and added the diagram again; it is in Visio.

Also, telnet only works from the 3550A switch; from other switches like 3550B it does not work.

Also I tried from routers in a different subnet; telnet does not work.

As per your explanation, the 3550A switch is active for vlan 10 HSRP state; when I telnet from this switch it works.

Need to confirm things below:

1> So the reason for telnet working from this switch is that Vlan 10 is internal to this switch and in active HSRP state???

2> But 3550B has HSRP vlan 10 in standby state, and telnet does not work from it; the reason for this is that vlan 10 is internal but in standby state, right?????

Thanks

MAhesh

Hello Mahesh,

The VACL applies to frames that go through the switch you have applied the VACL to, if they enter a switchport in vlan10.

What switch is the VACL applied to and what model is the switch?

HSRP state does not matter at all, it provides default gateway to clients.

Hope to help

Giuseppe

Hi Giuseppe,

VACL is applied to switch 3550A, IP 192.168.10.1.

Thanks

MAhesh
