07-09-2012 10:54 AM - edited 03-07-2019 07:40 AM
Hi everyone,
I have question here about VACL.
I have 2 - 3550 switches running HSRP.
They have vlan 10,20 and 30 configured.
3550A is Active for vlans 10,20 and 30.
3550A then connects to layer 2 switches A and B.
Layer 2 Switch A has vlan 10
Layer 2 switch B has vlan 20.
These switches connect to Router for Internet.
Vlan 10 subnet is 192.168.10.0
Layer 2 switch A IP 192.168.10.5
I was configuring a VACL to test so that from the 3550A switch, under vlan 10, I should not be able to telnet to layer 2 switch A's IP, which is in vlan 10.
Everything else should work fine.
I did configure the VACL and applied it, but I was unable to ping or telnet to IP 192.168.10.5.
Also I was unable to ping the 3550B switch vlan 10 address, which is the standby, 192.168.10.2.
Is there something wrong I am doing? I need to confirm with you guys.
Config I applied to 3550A
3550SMIA(config)#ip access-list extended telnet
3550SMIA(config-ext-nacl)#deny tcp 192.168.10.0 0.0.0.255 eq 23 192.168.10.5 ?
A.B.C.D Destination wildcard bits
3550SMIA(config-ext-nacl)#$2.168.10.0 0.0.0.255 eq 23 192.168.10.5 0.0.0.0
3550SMIA(config-ext-nacl)#permit ip any any
3550SMIA(config)#vlan access-map switch 10
3550SMIA(config-access-map)#match ip address telnet
3550SMIA(config-access-map)#action drop
3550SMIA(config-access-map)#vlan access-map switch 20
3550SMIA(config-access-map)#action forward
3550SMIA(config-access-map)#end
3550SMIA#config t
3550SMIA(config)#vlan filter switch vlan-list 10
3550SMIA(config)#end
Thanks
Mahesh
07-09-2012 11:00 AM
You should permit telnet with the access list and then do an action drop under your vlan access map.
Sent from Cisco Technical Support iPhone App
07-09-2012 11:07 AM
Hello Mahesh,
You are dropping all traffic because of that permit ip any any at the end of the IP ACL with name telnet.
Remove that line and write the ACL to match the telnet traffic. The action drop is in the calling VACL, so you don't need to deny it in the IP ACL.
ip access-list extended telnet2
permit tcp 192.168.10.0 0.0.0.255 host 192.168.10.5 eq 23
then you use
vlan access-map SWITCH 10
match ip address telnet2
action drop
vlan access-map SWITCH 20
action forward
vlan filter SWITCH vlan-list 10
It is better to use capital letters for the names of objects you define; that "switch" was looking like a keyword!
Hope to help
Giuseppe
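To make the matching rule concrete, here is an added Python model of how a VACL evaluates an IP ACL; it is not code from the thread or from Cisco. It replays Mahesh's original ACL (where the "eq 23" sits after the source address, so it is a source-port test) against Giuseppe's, using the thread's addresses plus a constructed client port and a constructed ping packet.

```python
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")           # IOS keyword "any"
def host(ip): return (ip, "0.0.0.0")            # IOS keyword "host"

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: tuple                  # (network, wildcard mask)
    dst: tuple
    sport: int = None           # "eq N" written right after the source address
    dport: int = None           # "eq N" written right after the destination address

def in_range(addr, net_wc):
    net, wc = (int(ipaddress.ip_address(x)) for x in net_wc)
    return (int(ipaddress.ip_address(addr)) | wc) == (net | wc)   # wildcard 1 = don't care

def acl_permits(acl, pkt):
    """First matching ACE wins; no ACE matched means the implicit deny at the end."""
    for e in acl:
        if e.proto not in ("ip", pkt["proto"]):
            continue
        if not (in_range(pkt["src"], e.src) and in_range(pkt["dst"], e.dst)):
            continue
        if e.sport not in (None, pkt.get("sport")) or e.dport not in (None, pkt.get("dport")):
            continue
        return e.action == "permit"
    return False

def vacl_action(access_map, pkt):
    """A sequence applies only when its ACL *permits* the packet (an ACL deny just skips
    the sequence); no match clause matches everything; no sequence matched means drop."""
    for match_acl, action in access_map:
        if match_acl is None or acl_permits(match_acl, pkt):
            return action
    return "drop"

NET10 = ("192.168.10.0", "0.0.0.255")
# Mahesh's ACL from the thread: "eq 23" landed on the SOURCE, then "permit ip any any".
ORIGINAL = [Ace("deny", "tcp", NET10, host("192.168.10.5"), sport=23),
            Ace("permit", "ip", ANY, ANY)]
# Giuseppe's ACL: permit only the traffic the VACL is meant to drop.
FIXED = [Ace("permit", "tcp", NET10, host("192.168.10.5"), dport=23)]

def outcomes(acl):
    """(telnet, ping) result under: seq 10 match acl -> drop, seq 20 -> forward."""
    access_map = [(acl, "drop"), (None, "forward")]   # constructed sample packets below
    telnet = {"proto": "tcp", "src": "192.168.10.1", "dst": "192.168.10.5", "sport": 40000, "dport": 23}
    ping = {"proto": "icmp", "src": "192.168.10.1", "dst": "192.168.10.5"}
    return vacl_action(access_map, telnet), vacl_action(access_map, ping)
```

With the original ACL both packets are permitted by "permit ip any any", so sequence 10 drops them all; with the fixed ACL only the telnet client packet is matched and dropped, while ping falls through to sequence 20 and is forwarded.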
07-09-2012 01:16 PM
Hi Giuseppe,
Thanks for reply.
I did exactly as you said.
But I am able to telnet to IP 192.168.10.5 from the 3550A switch.
Telnet is not blocked.
Every type of traffic is going through.
Thanks
Mahesh
07-09-2012 01:28 PM
Hello Mahesh,
what is the IP address of the other switch?
Hope to help
Giuseppe
07-09-2012 01:38 PM
Hi,
IP of layer 2 Switch on Vlan 10 only is 192.168.10.5
Thanks
07-09-2012 02:23 PM
Mahesh,
Instead of using vacls for this reason, why don't you create an acl and apply it to the line. If you're only wanting to deny users from this subnet, you can do something like:
access-list 10 deny 192.168.10.0 0.0.0.255
access-list 10 permit any
line vty 0 4
access-class 10 in
You would apply this on your L2 switch and it would accomplish the same thing....
HTH,
John
07-09-2012 03:09 PM
Hi John,
The only reason I am using a VACL is that I am preparing for the CCNP Switch exam.
So I need to understand and implement VACLs better so that I can understand them better.
Thanks
Mahesh
07-09-2012 05:19 PM
Gotcha!
What Giuseppe gave you should've worked. Did you apply the vacl to the vlan? How are you trying to telnet into the switch and from what address?
John
07-09-2012 07:19 PM
Hi John,
I have applied the VACL to vlan 10.
I tried to telnet from a PC which has a port on switch 2950A in vlan 10.
I am able to telnet from there.
Also I tried to telnet from the 3550A switch and it worked.
I am attaching a diagram of my home lab under the original post.
That will give you the bigger picture.
Thanks for helping John
Mahesh
07-09-2012 07:37 PM
Hi John,
This is what I found on further testing.
If you look at the diagram, telnet from the 2691 or 2650 router and from the 3550B switch does not work.
But telnet works from the 3550A switch.
Can you please tell me why telnet works from the 3550A switch?
Thanks
Mahesh
07-10-2012 12:08 AM
Hello Mahesh,
I cannot open the network diagram.
However, what you have done with the VACL is to block telnet connections coming from 192.168.10.0/24 to 192.168.10.5 if they go through the multilayer switch where the VACL is applied.
So a PC directly connected to the switch with IP address 192.168.10.5 to a switchport in Vlan10, and with an IP address in the same IP subnet is not blocked as the frame remains internal to the switch and does not travel to the multilayer switch where you have applied the VACL.
In addition to this, if a device has an IP in a different IP subnet, like switch B, which should be in the IP subnet associated to Vlan 20 according to your original post, it is allowed to telnet to 192.168.10.5.
To block this telnet attempt the IP ACL has to be modified adding the following line
access-list extended telnet2
permit tcp host
I guess that all devices that are not allowed to telnet to 192.168.10.5 have IP addresses in IP subnet 192.168.10.0/24, and if it is so, it is proof that the VACL is in effect.
Hope to help
Giuseppe
07-10-2012 07:19 AM
Hi Giuseppe,
Thanks for replying back.
I removed and added the diagram again; it is in Visio.
Also, telnet only works from the 3550A switch; from other switches like 3550B it does not work.
Also I tried from routers in a different subnet; telnet does not work.
As per your explanation, the 3550A switch is active for vlan 10 in HSRP state, and when I telnet from this switch it works.
I need to confirm the things below:
1> So the reason for telnet working from this switch is that Vlan 10 is internal to this switch and in active HSRP state?
2> But 3550B has HSRP vlan 10 in standby state and telnet does not work; the reason for this is that vlan 10 is internal but in standby state, right?
Thanks
Mahesh
07-10-2012 09:44 AM
Hello Mahesh,
the VACL applies to frames that go through the switch you have applied the VACL to if they enter a switchport in vlan10.
What switch is the VACL applied to and what model is the switch?
HSRP state does not matter at all, it provides default gateway to clients.
Hope to help
Giuseppe
07-10-2012 11:05 AM
Hi Giuseppe,
The VACL is applied to switch 3550A, IP 192.168.10.1.
Thanks
Mahesh