VLAN access-list

dfultz
Level 1

I have written a VACL and have a couple of questions.

It goes like this:

access-list 104 remark Allow Netbackup traffic / Deny everything else
access-list 104 permit tcp 172.16.16.0 0.0.3.255 host 172.16.16.14 eq 13782
access-list 104 permit tcp 172.16.16.0 0.0.3.255 host 172.16.16.14 eq 13720
access-list 104 permit icmp 172.16.16.0 0.0.3.255 host 172.16.16.14
access-list 104 deny ip any any log


vlan access-map backup_net 10
match ip address 104
action forward

vlan filter backup_net vlan-list 4

I do not get any logs from my deny any any log statement. Am I doing something wrong? Is there something different about logging from an extended IP access-list vs. a VACL? I need to be able to see what is being dropped with the log command.

Any input would be greatly appreciated!

Doug

Accepted Solution

Jayakrishna Mada
Cisco Employee

Try this if this is a 6500 switch, if not there is no vacl logging support on other platforms:

access-list 104 remark Allow Netbackup traffic / Deny everything else
access-list 104 permit tcp 172.16.16.0 0.0.3.255 host 172.16.16.14 eq 13782
access-list 104 permit tcp 172.16.16.0 0.0.3.255 host 172.16.16.14 eq 13720
access-list 104 permit icmp 172.16.16.0 0.0.3.255 host 172.16.16.14

vlan access-map backup_net 10
match ip address 104
action forward

! the drop entry needs its own sequence number; reusing 10 would overwrite the forward entry above
vlan access-map backup_net 20
action drop log

vlan filter backup_net vlan-list 4

Just FYI, not sure if you already know this,

A VACL is directionless; traffic in both directions will be affected when you apply this to a VLAN.

Using the LOG keyword could cause high CPU.


2 Replies

Mada,

Thank you for the input. This is what I ended up using...

access-list 104 remark Allow Netbackup traffic / Deny everything else
access-list 104 permit tcp 172.16.16.0 0.0.3.255 host 172.16.16.14 eq 13782
access-list 104 permit tcp 172.16.16.0 0.0.3.255 host 172.16.16.14 eq 13720
access-list 104 permit icmp 172.16.16.0 0.0.3.255 host 172.16.16.14
access-list 104 permit icmp host 172.16.16.14 172.16.16.0 0.0.3.255
access-list 105 remark Drop for backup_net access-map
access-list 105 permit ip any any

vlan access-map backup_net 10
match ip address 104
action forward
vlan access-map backup_net 20
match ip address 105
action drop log

vlan filter backup_net vlan-list 4

Thanks again for pointing me in the right direction!

Doug
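Because a VACL is directionless, the check a practitioner wants before applying a map like the one above is what happens to each flow in both directions. The evaluator below is an example added to this thread; it is not Cisco code and not something Doug or Jayakrishna posted. It parses the exact access-list and vlan access-map lines from the final configuration, evaluates the map entries in sequence order with the implicit drop a VACL applies when no entry matches, and reports the action for the client-to-server packet and for the reply. The client address 172.16.17.25 and the reply port 49152 are constructed; the ACE-level "log" keyword is parsed but ignored, since the answer moves logging to the map action. Running it shows the return ICMP is covered by the extra permit Doug added, while the TCP reply from 172.16.16.14 back to a client falls through to entry 20, because ACL 104 only permits TCP toward the server.

```python
"""Evaluate an IOS ACL + VLAN access-map against a packet in both directions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the final configuration posted in the thread.
CONFIG = """
access-list 104 remark Allow Netbackup traffic / Deny everything else
access-list 104 permit tcp 172.16.16.0 0.0.3.255 host 172.16.16.14 eq 13782
access-list 104 permit tcp 172.16.16.0 0.0.3.255 host 172.16.16.14 eq 13720
access-list 104 permit icmp 172.16.16.0 0.0.3.255 host 172.16.16.14
access-list 104 permit icmp host 172.16.16.14 172.16.16.0 0.0.3.255
access-list 105 remark Drop for backup_net access-map
access-list 105 permit ip any any
vlan access-map backup_net 10
match ip address 104
action forward
vlan access-map backup_net 20
match ip address 105
action drop log
"""


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None   # destination port for tcp/udp


def _addr_matcher(tokens):
    """Consume one source/destination spec (any | host A | A WILDCARD)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        target = int(ipaddress.IPv4Address(tokens[1]))
        return (lambda ip, t=target: ip == t), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    keep = ~wild & 0xFFFFFFFF     # wildcard bit 1 = don't care, 0 = must match
    return (lambda ip, b=base, k=keep: ip & k == b & k), tokens[2:]


def parse_config(text):
    """Return ({acl_number: [ace, ...]}, [(seq, acl_or_None, action, logged), ...])."""
    acls, vmap = {}, []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "access-list":
            if tok[2] == "remark":
                continue
            number, verdict, proto = int(tok[1]), tok[2], tok[3]
            src_ok, rest = _addr_matcher(tok[4:])
            dst_ok, rest = _addr_matcher(rest)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None   # trailing "log" ignored
            acls.setdefault(number, []).append((verdict, proto, src_ok, dst_ok, dport))
        elif tok[:2] == ["vlan", "access-map"]:
            vmap.append([int(tok[3]), None, None, False])   # seq, acl, action, log flag
        elif tok[:3] == ["match", "ip", "address"]:
            vmap[-1][1] = int(tok[3])
        elif tok[0] == "action":
            vmap[-1][2] = tok[1]                              # "forward" or "drop"
            vmap[-1][3] = "log" in tok[2:]
    return acls, sorted((tuple(e) for e in vmap), key=lambda e: e[0])


def acl_permits(aces, pkt):
    """First-match ACL evaluation with the implicit deny at the end."""
    s, d = int(ipaddress.IPv4Address(pkt.src)), int(ipaddress.IPv4Address(pkt.dst))
    for verdict, proto, src_ok, dst_ok, dport in aces:
        if proto not in ("ip", pkt.proto):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        if src_ok(s) and dst_ok(d):
            return verdict == "permit"
    return False


def vacl_action(acls, vmap, pkt):
    """Apply map entries in sequence order; a VACL drops what no entry matches."""
    for seq, acl, action, logged in vmap:
        if acl is None or acl_permits(acls.get(acl, []), pkt):
            return f"{action}{' log' if logged else ''} (seq {seq})"
    return "drop (implicit)"


def check_flow(acls, vmap, proto, client, server, port=None, reply_port=49152):
    """Evaluate a flow as the client->server packet and as the server's reply."""
    forward = Packet(proto, client, server, port)
    reply = Packet(proto, server, client, reply_port if port else None)
    return vacl_action(acls, vmap, forward), vacl_action(acls, vmap, reply)


if __name__ == "__main__":
    acls, vmap = parse_config(CONFIG)
    for flow in [("tcp", "172.16.17.25", "172.16.16.14", 13782),
                 ("icmp", "172.16.17.25", "172.16.16.14"),
                 ("tcp", "172.16.17.25", "172.16.16.14", 445)]:
        print(flow, "->", check_flow(acls, vmap, *flow))
```

Feeding it only the first map entry (Doug's original map with a single sequence 10) shows why the original deny line never logged anything: a packet that ACL 104 does not permit simply reaches the VACL's implicit drop, which has no log option, so the logged drop has to be its own map entry.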
