VACL not filtering based on destinations.

ricardolainez
Level 1

Ok so I'm taking the Cisco Switching course and I'm currently at VACLs, but have found that I can't quite get them to work the way I want to.

Basically what I'm trying to do is to apply a VACL at a certain access layer switch so that a specific PC can only reach the default gateway for its subnet, but no other devices there. My idea to achieve this is to create a MAC access-list matching the MAC address of the PC to be limited, and an extended IP access-list that can match based on IP destination to the subnet gateway.

The problem is that it would appear that the VLAN access-map does filter based on the source MAC, but not based on the destination IP (or destination MAC either, I tried that way as well). It's as if the "match ip address" line in the map wasn't even there. Here is my configuration, hope someone can give me a hint on why it's not working:

mac access-list extended MAC_ACL
 permit host 78e3.b561.30bf any
...
ip access-list extended IP_ACL
 permit ip any host 10.0.200.1
 permit icmp any host 10.0.200.1
...
vlan access-map VACL 10
 action drop
 match mac address MAC_ACL
 match ip address IP_ACL
vlan access-map VACL 30
 action forward
vlan filter VACL vlan-list 200
...

Thanks in advance.


Peter Paluch
Cisco Employee

Hi Ricardo,

I assume you are using either a 2960 Catalyst running some very recent IOS version, or a 3560/3750 Catalyst.

On these platforms, MAC ACLs apply only to non-IPv4 traffic, while IP ACLs apply only to IP traffic. In other words, it is not possible to filter frames that carry IPv4 packets using MAC ACLs, even if they are used inside VACLs. If a single VACL block refers to both IP and MAC ACLs, they work in a logical OR fashion - i.e. IP traffic is handled by the IP ACL while non-IP traffic is handled by the MAC ACL.

I suggest first trying to use a single ACL in your VACL. Using both a MAC and an IP ACL in a single VLAN map block makes it more complex to debug. Remember that on Ethernet, a successful IP operation depends both on IP traffic (the IP packets you are sending/receiving) and ARP (non-IP traffic, thus handled by MAC ACLs if present).

Using extended ACLs based on destination IP or MAC should work just fine - but as explained, I suggest making simpler experiments first, using just a single ACL type in your VACLs.

Please try it out and let us know!

Best regards,

Peter
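An added example (not the original poster's configuration and not taken from Cisco's documentation) of the IP-ACL-only approach recommended above, implementing the stated goal: the PC may reach only its gateway 10.0.200.1. The PC's IP address 10.0.200.50 is an assumed placeholder; the map name VACL and VLAN 200 are taken from the thread.

```cisco
! Added example: one ACL type per VLAN map sequence.
! 10.0.200.50 is an assumed placeholder for the restricted PC's IP address.
!
! In a VLAN map, "permit" in the referenced ACL means "this packet matches
! the sequence" and "deny" means "no match, evaluate the next sequence".
ip access-list extended PC_NOT_TO_GW
 deny   ip host 10.0.200.50 host 10.0.200.1
 permit ip host 10.0.200.50 any
!
! Sequence 10: IP traffic from the PC to anything other than the gateway
! matches PC_NOT_TO_GW and is dropped.
vlan access-map VACL 10
 action drop
 match ip address PC_NOT_TO_GW
!
! Sequence 20: everything else is forwarded - the PC's traffic to the
! gateway, all other hosts' traffic, and non-IP frames such as ARP (which
! the PC still needs in order to resolve the gateway's MAC address).
! A sequence with no match clause matches all remaining packets; without
! it the VLAN map's implicit deny at the end would drop them.
vlan access-map VACL 20
 action forward
!
vlan filter VACL vlan-list 200
!
! Verify the map and its VLAN binding with:
!  show vlan access-map VACL
!  show vlan filter
```

The return direction needs no rule of its own: other hosts can still send to the PC, but since the PC's replies to them are dropped at sequence 10, no session with anything but the gateway can complete.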

Thanks for your reply Peter.
I'm actually using a 3550. I'm not sure about the IOS version, but I will post it here as soon as I confirm it.

As I mentioned in the original post, I also tried the filtering using only MAC addresses, the configuration was something like this:

mac access-list extended MAC_ACL
 ! xxxx.xxxx.xxxx stands for the gateway MAC
 deny host 78e3.b561.30bf host xxxx.xxxx.xxxx
 permit host 78e3.b561.30bf any
vlan access-map VACL 10
 action drop
 match mac address MAC_ACL
vlan access-map VACL 30
 action forward
vlan filter VACL vlan-list 200

If I recall correctly the effect of this configuration was that it blocked all traffic coming from the source address regardless of what destination address it had. In the end this didn't work either, so like I said before, the problem is that it would seem not to be paying attention to any destination information I want to filter by, whether it's IP or MAC.

Hi Ricardo,

possibly this is what you are looking for:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swacl.html#wp1174694

Take Care

Alessio


Update: Maybe you have an old IOS? Did you try to upgrade it and see what functionalities you get with the latest IOS for the 3550? It seems strange that Cisco is documenting something that will not work .... Which IOS are you running?

Thanks Alessio,

According to that documentation, VACLs should be able to use IP addresses for filtering, but it won't work =(

There's also the option of using Port-ACLs, and I will also try that, but I would like to make it work with a VACL, or at least understand why it doesn't work.

Hi Ricardo,

Have you tried - as I suggested - to use only IP ACLs in your VACLs?

Best regards,

Peter

Hey Peter,

Sorry, I did another take on your first reply and I understood your meaning much better. I won't be able to test this until later today but I will try to do IP ACL only, which is the one thing I have left to try. Thanks again.
