02-19-2017 12:19 PM - edited 03-08-2019 09:24 AM
Hello,
I would like to filter traffic on a single VLAN on a C6500 (software 12.2(33)SXJ4). There are 2 endpoints connected directly to the switch; the gateway is on another device.
My configuration is pretty simple:
mac access-list extended macl-host-separation
permit any host 0000.0c07.ac01
permit host 0064.403a.abcd any
permit host 001d.e53c.abcd any
permit any any 806 0
permit any any 888E 0
vlan access-map vlan-separation 10
match mac address macl-host-separation
action forward
vlan filter vlan-separation vlan-list 371
The first 3 entries in the ACL are communication from/to the gateway. The next ones are the ARP and EAPOL protocols.
After applying the configuration, the 2 endpoints are still able to communicate with each other - ICMP is working. I've tried to add an explicit deny for IP but still without success:
mac access-list extended macl-deny-all-ip
permit any any ip
vlan access-map vlan-sepraration 20
match mac address macl-deny-all-ip
action drop
Any hint what I am missing here?
02-19-2017 01:07 PM
Hi
Please let me take a look at your config. The VACL must be configured for inbound and outbound traffic; it works as a sequence, similar to route-maps.
02-19-2017 01:35 PM
For example, your configuration could be:
** ACCESS-LISTS
mac access-list extended macl-host-separation-OUT (traffic going out)
permit host 0000.0c07.ac01 any
permit host 0064.403a.abcd any
permit host 001d.e53c.abcd any
permit any any 806 0
permit any any 888E 0
mac access-list extended macl-host-separation-IN (allowing the communication in both ways)
permit any host 0000.0c07.ac01
permit any host 0064.403a.abcd
permit any host 001d.e53c.abcd
permit any 806 0 any
permit any 888E 0 any
** ACCESS-MAPS
vlan access-map VLAN-SEPARATION-MAP 5
match mac address macl-host-separation-OUT
action forward
vlan access-map VLAN-SEPARATION-MAP 10
match mac address macl-host-separation-IN
action forward
vlan access-map VLAN-SEPARATION-MAP 100
action drop
The last map is used to deny everything else
** APPLYING TO VLAN
vlan filter VLAN-SEPARATION-MAP vlan-list 371
I have configured a VACL, but with IP addresses; the design should be the same. You must enable the communication in both ways because it is not stateful.
Please rate the comment if it was useful.
:-)
02-20-2017 05:54 AM
Julio,
my problem is not a lack of communication. My problem is that the mac access-list is not blocking traffic as I expected.
The entries you propose are incorrect.
permit any 806 0 any
permit any 888E 0 any
For a mac acl the ether-type is always at the end of each entry.
I suspect that the mac access-list does not work for IP traffic:
http://www.ciscopress.com/articles/article.asp?p=1181682&seqNum=4
MAC ACL, also known as Ethernet ACL, can filter non-IP traffic on a VLAN
I will try to filter traffic using an IP ACL, but it will be tricky to write a one-fits-all ACL.
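The following is an added example, not code from the thread or from Cisco: a small Python model of how a VLAN access-map is walked in sequence order (first matching entry decides, an entry without a match clause matches everything, implicit deny at the end). It parses Julio's proposed configuration, with the ether-type written at the end of each entry as the OP points out, and evaluates a few constructed frames under two assumptions: the one the thread cites (a MAC ACL in a VACL classifies non-IP frames only, so IP frames pass through a MAC-only map untouched) and, for comparison, the case where IP frames are classified by the MAC ACL as well. Frame contents, the MAC `0011.2233.4455` and the helper names are constructed for the example.

```python
# Added example: a model of VACL first-match evaluation, not Cisco code.
# Assumption from the thread's Cisco Press quote: a MAC ACL referenced by a
# VACL classifies non-IP frames only; IP frames then bypass a MAC-only map.
ETHERTYPE_IP = 0x0800

# Constructed copy of the map proposed in the thread (ether-type at the end of each entry).
CONFIG = """
mac access-list extended macl-host-separation-OUT
 permit host 0000.0c07.ac01 any
 permit host 0064.403a.abcd any
 permit host 001d.e53c.abcd any
 permit any any 806 0
 permit any any 888E 0
mac access-list extended macl-host-separation-IN
 permit any host 0000.0c07.ac01
 permit any host 0064.403a.abcd
 permit any host 001d.e53c.abcd
 permit any any 806 0
 permit any any 888E 0
vlan access-map VLAN-SEPARATION-MAP 5
 match mac address macl-host-separation-OUT
 action forward
vlan access-map VLAN-SEPARATION-MAP 10
 match mac address macl-host-separation-IN
 action forward
vlan access-map VLAN-SEPARATION-MAP 100
 action drop
"""


def parse_ace(tokens):
    """Parse the operands of 'permit {any|host MAC} {any|host MAC} [ethertype mask]'."""
    tokens = list(tokens)

    def take_mac():
        if tokens[0] == "any":
            tokens.pop(0)
            return None                      # wildcard
        if tokens[0] != "host":
            raise ValueError("unsupported operand: " + tokens[0])
        tokens.pop(0)
        return tokens.pop(0).lower()

    src, dst = take_mac(), take_mac()
    if tokens:                               # optional ether-type and wildcard mask, hex
        etype, mask = int(tokens[0], 16), int(tokens[1], 16)
    else:
        etype, mask = None, 0
    return {"src": src, "dst": dst, "etype": etype, "mask": mask}


def parse_config(text):
    """Return ({acl_name: [ace, ...]}, [map entries sorted by sequence number])."""
    acls, amap, cur_acl, cur_entry = {}, [], None, None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["mac", "access-list", "extended"]:
            cur_acl, cur_entry = t[3], None
            acls[cur_acl] = []
        elif t[:2] == ["vlan", "access-map"]:
            cur_entry = {"seq": int(t[3]), "acl": None, "action": "drop"}
            amap.append(cur_entry)
            cur_acl = None
        elif t[0] == "permit" and cur_acl is not None:
            acls[cur_acl].append(parse_ace(t[1:]))
        elif t[0] == "match" and cur_entry is not None:
            cur_entry["acl"] = t[3]          # match mac address <name>
        elif t[0] == "action" and cur_entry is not None:
            cur_entry["action"] = t[1]
    amap.sort(key=lambda e: e["seq"])
    return acls, amap


def ace_matches(ace, frame):
    if ace["src"] is not None and ace["src"] != frame["src"]:
        return False
    if ace["dst"] is not None and ace["dst"] != frame["dst"]:
        return False
    if ace["etype"] is not None:             # wildcard mask: set bits are "don't care"
        return (frame["etype"] ^ ace["etype"]) & ~ace["mask"] == 0
    return True


def evaluate(frame, acls, amap, mac_acl_classifies_ip=False):
    """Walk the map in sequence order; returns (action, sequence) of the deciding entry.
    The sequence is None when the frame is never classified by the map."""
    if frame["etype"] == ETHERTYPE_IP and not mac_acl_classifies_ip:
        return "forward", None               # modelled assumption: IP bypasses a MAC-only map
    for entry in amap:
        matches_all = entry["acl"] is None   # an entry with no match clause matches everything
        if matches_all or any(ace_matches(a, frame) for a in acls[entry["acl"]]):
            return entry["action"], entry["seq"]
    return "drop", None                      # implicit deny at the end of the map


GW, HOST_A, HOST_B = "0000.0c07.ac01", "0064.403a.abcd", "001d.e53c.abcd"
OTHER = "0011.2233.4455"                     # constructed MAC the map never mentions

FRAMES = {                                   # constructed test frames
    "a_arp_broadcast":  {"src": HOST_A, "dst": "ffff.ffff.ffff", "etype": 0x0806},
    "a_to_gw_ip":       {"src": HOST_A, "dst": GW, "etype": ETHERTYPE_IP},
    "a_to_b_ip":        {"src": HOST_A, "dst": HOST_B, "etype": ETHERTYPE_IP},
    "other_to_b_nonip": {"src": OTHER, "dst": HOST_B, "etype": 0x88B5},
    "other_to_other":   {"src": OTHER, "dst": "0066.7788.99aa", "etype": 0x88B5},
}


def run_model():
    """Evaluate each frame with the MAC ACL classifying non-IP only, then IP as well."""
    acls, amap = parse_config(CONFIG)
    return {name: (evaluate(f, acls, amap), evaluate(f, acls, amap, True))
            for name, f in FRAMES.items()}


if __name__ == "__main__":
    for name, (non_ip_only, ip_too) in run_model().items():
        print(f"{name:18} non-IP only: {non_ip_only}   IP classified too: {ip_too}")
```

Two things stand out when the model runs. Under the cited behaviour the host-to-host IP frame is never classified and is forwarded, which matches what the OP observed. But even when IP frames are classified, the frame from endpoint A to endpoint B is forwarded by sequence 5, because `permit host 0064.403a.abcd any` permits that endpoint to every destination; an entry written pairwise against the gateway (`permit host <endpoint> host <gateway MAC>`) would keep the endpoints apart while still leaving ARP and EAPOL allowed. Whether IP traffic can be made subject to a MAC ACL on this platform is not something this model decides; check the platform's VACL documentation for that.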