11-05-2019 11:11 AM
I am working on a solution to block traffic between hosts on the same subnet/VLAN to prevent lateral workstation communications. In my virtual lab (VIRL), I tested configurations using access-list and vlan access-map on an IOS switch and it worked fine. When I tested the same exact configuration on NX-OS (Nexus 7K), it didn't appear to be working. When I tested connectivity between 2 hosts connected to the same N7K switch and on the same VLAN 351, traffic was still passing and no hits were seen on the ACL.
Both hosts on the N7K are connected to a switchport (no IP on the interface), and the switch is trunked to a router (IOS) which has a subinterface for VLAN 351 and a DHCP pool for VLAN 351 for the hosts on that VLAN.
On the N7K switch, I created the ACLs and the vlan access-map and used "vlan filter vacl-name vlan-list 351" to apply the VACL.
Am I missing something in my configurations?
11-09-2019 01:04 AM
Hello,
I just tested the most simple VACL on NX-OSv version 7.3, and it didn't work. I think it is a limitation of the VIRL images and/or GNS3. VACLs also don't seem to work in the IOSvL2 15.2(4.0.55)E-1 image...
ip access-list acl-100
10 permit ip 172.24.51.2/32 172.24.51.3/32
!
vlan access-map vacl-seg 10
match ip address acl-100
action drop
!
vlan filter vacl-seg vlan-list 200
11-05-2019 11:18 AM
My configs
! Any specific traffic that needs to be allowed on the same VLAN, for example default gateway, DHCP etc.
ip access-list acl-100
  10 permit ip host 172.24.51.1 172.24.51.0/24
  20 permit ip 172.24.51.0/24 host 172.24.51.1
! Deny all intra-VLAN traffic (matched here, dropped by access-map sequence 20)
ip access-list acl-101
  10 permit ip 172.24.51.0/24 172.24.51.0/24
  20 permit udp 172.24.51.0/24 172.24.51.0/24
! Default permit
ip access-list acl-102
  10 permit ip any any
! vlan access-map vacl-seg
vlan access-map vacl-seg 10
  match ip address acl-100
  action forward
vlan access-map vacl-seg 20
  match ip address acl-101
  action drop
vlan access-map vacl-seg 30
  match ip address acl-102
  action forward
! vlan filter vacl-seg vlan-list 200
11-05-2019 12:20 PM - edited 11-05-2019 12:21 PM
Not sure what virtual image you are using to test this:
Look at the features that are supported and not supported for now:
Edited: I will spin this up later in the week and let you know if I find the same issue (not seen this issue on physical kit).
11-07-2019 03:24 PM
11-07-2019 04:16 PM
Hello
Your OP seems a bit convoluted; can you clarify what exactly you wish to deny or allow?
11-07-2019 05:29 PM
11-08-2019 01:01 AM - edited 11-08-2019 01:02 AM
Hello
Thanks for the clarification. So basically you would possibly require something like the example below, which should deny access between hosts in the same VLAN but allow those hosts in the VLAN to reach their own default gateway.
ip access-list acl-100 permit ip 172.24.51.0 0.0.0.255 host 172.24.51.x (default gateway)
ip access-list acl-100 permit ip host 172.24.51.x 172.24.51.0 0.0.0.255
ip access-list acl-101 permit ip 172.24.51.0 0.0.0.255 172.24.51.0 0.0.0.255
vlan access-map V2V 10
 match ip address acl-100
 action forward
vlan access-map V2V 20
 match ip address acl-101
 action drop
vlan access-map V2V 99
 action forward
vlan filter V2V vlan-list X
11-08-2019 04:06 AM
11-08-2019 04:18 AM - edited 11-08-2019 03:29 PM
Hello
@raazans01 wrote:
Thanks. So what does vlan access map sequence 99 do?
Also don't I need an acl to permit any any for any incoming or outgoing
traffic from hosts external to this VLAN?
I would envisage you'll need communication to/from your default gateway. As for sequence 99, that is indeed a permit any any, so if you don't need it then don't apply it, and if you don't need seq 99 then you also don't require seq 20, so you can remove that also.
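To make the ordering and the implicit drop concrete, here is an added Python model of how a VLAN access-map is evaluated; it is example code written for this page, not configuration from the thread and not a Cisco tool. It uses the ACL and access-map names and the 172.24.51.0/24 addresses from the replies above (the V2V example and the note on sequence 99 and sequence 20); the gateway address 172.24.51.1, the second host 172.24.51.3 and the external host 10.0.0.5 are assumed for illustration. The model follows the documented VACL behaviour: a sequence matches when its ACL permits the packet, the first matching sequence's action wins, and a packet that matches no sequence is dropped.

```python
"""Minimal model of Cisco VLAN access-map (VACL) evaluation.

Added example for this page (not code from the thread): it models the
intra-VLAN isolation policy discussed above so the effect of sequence
ordering and of the implicit drop at the end of the access-map can be
checked offline.  Addresses, ACL names and access-map layout follow the
thread; 172.24.51.1 (gateway), 172.24.51.3 and 10.0.0.5 are assumed.
"""
from ipaddress import ip_address, ip_network

# ACL entry: (action, protocol, src_prefix, dst_prefix).  "ip" matches
# any protocol; only the fields needed for the example are modelled.
ACLS = {
    "acl-100": [  # hosts <-> default gateway (172.24.51.1 assumed)
        ("permit", "ip", "172.24.51.1/32", "172.24.51.0/24"),
        ("permit", "ip", "172.24.51.0/24", "172.24.51.1/32"),
    ],
    "acl-101": [  # any intra-subnet traffic
        ("permit", "ip", "172.24.51.0/24", "172.24.51.0/24"),
    ],
    "acl-102": [  # everything else ("permit ip any any")
        ("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
    ],
}

# An access-map is a list of (sequence, acl_name_or_None, action).  A
# sequence with no match clause (acl_name None) matches every packet,
# which is what the bare "seq 99" in the thread does.
VACL_FULL = [(10, "acl-100", "forward"), (20, "acl-101", "drop"), (30, "acl-102", "forward")]
VACL_GATEWAY_ONLY = [(10, "acl-100", "forward")]
VACL_WRONG_ORDER = [(10, "acl-101", "drop"), (20, "acl-100", "forward"), (99, None, "forward")]


def acl_permits(acl_name, src, dst, proto):
    """True if the named ACL permits the packet.  A VACL match clause is
    satisfied only by packets the ACL *permits*; an ACL with no matching
    entry ends in an implicit deny, so the clause does not match."""
    for action, aproto, snet, dnet in ACLS[acl_name]:
        if aproto not in ("ip", proto):
            continue
        if ip_address(src) in ip_network(snet) and ip_address(dst) in ip_network(dnet):
            return action == "permit"
    return False


def vacl_verdict(vacl, src, dst, proto="tcp"):
    """Walk the access-map in sequence order; the first matching sequence
    decides.  A packet that matches no sequence is dropped (implicit drop
    at the end of the VACL), which is why a gateway-only map also blocks
    traffic leaving the VLAN."""
    for _seq, acl_name, action in sorted(vacl):
        if acl_name is None or acl_permits(acl_name, src, dst, proto):
            return action
    return "drop"


def undefined_acl_refs(vacl):
    """Return match clauses that reference an ACL that was never defined
    (e.g. 'match ip address 100' when the ACL was created as 'acl-100').
    On a real switch such a sequence simply never matches."""
    return [name for _seq, name, _act in vacl if name is not None and name not in ACLS]


if __name__ == "__main__":
    for label, vacl in (("full", VACL_FULL), ("gateway-only", VACL_GATEWAY_ONLY),
                        ("wrong-order", VACL_WRONG_ORDER)):
        print(label,
              "host->host:", vacl_verdict(vacl, "172.24.51.2", "172.24.51.3"),
              "host->gw:", vacl_verdict(vacl, "172.24.51.2", "172.24.51.1"),
              "host->external:", vacl_verdict(vacl, "172.24.51.2", "10.0.0.5"))
    print("undefined ACL refs:", undefined_acl_refs([(10, "100", "forward")]))
```

Running it shows the three outcomes the thread argues over: with the full map, host-to-host is dropped while gateway and off-VLAN traffic are forwarded; with only the gateway sequence, off-VLAN traffic is dropped too, so the drop sequence becomes redundant; and with the broad drop placed before the gateway exception, the hosts lose their gateway.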
11-08-2019 07:33 AM
11-08-2019 07:39 AM
It might be the NX-OS in VIRL. On the older IOSv2 switches, VACLs don't work either. Can you post the full configs so we can lab this in GNS3 (or post the zipped GNS3 project file)...
11-08-2019 08:02 AM
Hello
Just to confirm, are you applying it to the router where the L3 interface for VLAN 351 resides, and is that L3 interface up?
11-08-2019 08:23 AM
11-08-2019 12:15 PM
Hello
I think you misunderstood my question. I was asking whether the VACL was applied to the router that runs the L3 interface for the VLAN, not whether it is appended to the L3 interface.
11-08-2019 12:21 PM