05-08-2013 01:40 AM - edited 03-07-2019 01:14 PM
Hello All,
I'm trying to restrict inter-VLAN traffic from core (cisco 6500) in a way that users in all VLANs only connect to the Data Center and other users in their same VLAN/Subnet.
The way I went ahead was to first create an ACL with "permit" commands stating the subnets and IP addresses of allowed IP devices. Next I created a VACL, associated it with the ACL and set the action to "forward". Now only the traffic mentioned in the ACL should be forwarded and the rest should be dropped.
The config is as follows:
ip access-list standard ACL_TEST
permit 10.100.200.0 0.0.0.255
permit 10.100.210.0 0.0.0.255
(etc. I've mentioned the ips of core, access layer switches etc. as well)
vlan access-map VACL_TEST 10
match ip address ACL_TEST
action forward
vlan filter VACL_TEST vlan-list <vlan number>
Though the above configuration works perfectly, when a user restarts his computer he is unable to get any IP address.
The core in the network is CISCO and the access switch is NORTEL, however I don't feel that is an issue, as when the VACL is applied everything works fine until the user restarts his computer.
All the domain and DNS servers are in the ACL. Wondering what could be wrong?
Appreciate any help.
Regards,
Adnan
05-08-2013 03:49 AM
Your ACL is probably blocking the DHCP request - remember that the DHCP request packet is a broadcast and will not be specifically addressed to your DHCP server IP address (because your PC does not know what it is yet).
Try adding a line to your ACL along the lines of:
permit udp any any eq bootps
05-08-2013 11:19 AM
Thanks mfurnival.
You're probably correct about bootps/bootpc.
However I was using a STANDARD ACL and was unable to match UDP on it. I tried using an EXTENDED ACL with the following config:
ip access-list extended EACL_TEST
permit udp 10.18.15.0 0.0.0.255 eq bootps host 10.10.50.1 ------>Allowing 10.18.15.0 subnet access to DHCP server
permit udp 10.18.15.0 0.0.0.255 eq bootpc host 10.10.50.1 ------->Allowing 10.18.15.0 subnet access to DHCP serv
permit ip 10.18.15.0 0.0.0.255 172.16.50.0 0.0.0.255 ---------> Allowing 10.18.15.0 subnet access to server VLANs
permit ip 10.18.15.0 0.0.0.255 host 172.16.30.45 ----------> Allowing 10.18.15.0 subnet access to printer outside of its VLAN
What I'm trying to achieve is to block inter-VLAN communication for about 30 VLANs; however, I have some printers in a different VLAN which are required to be accessed by hosts in other VLANs.
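As an added illustration (not part of the thread, and not Cisco code), here is a small Python model of how a VACL's "match ip address ... / action forward" classifies frames through an IOS standard or extended ACL. It parses the ACL syntax used in the posts above (any, host, wildcard masks, "eq bootps"/"eq bootpc"), then runs two constructed ACLs over constructed packets: a source-only standard ACL in the style of the first post, and an extended ACL that adds the bootps/bootpc lines from the first reply plus a same-subnet permit for the intra-VLAN traffic the question wants to keep. It shows why a DHCP DISCOVER (source 0.0.0.0, destination 255.255.255.255, UDP 68 to 67) cannot match a standard ACL that only lists source subnets, and that a standard ACL cannot restrict destinations at all. All ACL lines and packets are constructed for the example; the 10.18.15.0/24, 10.10.50.1, 172.16.50.0/24 and 172.16.30.45 values are reused from the posts and do not describe a real network.

```python
"""Toy model of an IOS ACL evaluated by a single-sequence VACL (vlan access-map, action forward).
Added example, not from the thread; every ACL line and packet below is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}  # IOS port keywords used below
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"   # "ip" (unspecified), "udp" or "tcp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any IP protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network   # a standard ACL has no destination field: ANY
    sport: Optional[int] = None  # None = any port
    dport: Optional[int] = None


def wildcard_to_network(addr, wildcard):
    """IOS wildcard mask (0 bits = must match) -> CIDR network; contiguous masks only."""
    wc = int(ipaddress.ip_address(wildcard))
    prefix = 32 - wc.bit_length()
    if wc != (1 << (32 - prefix)) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def _parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD' | 'A' (standard ACL shorthand)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if len(tokens) == 1 or tokens[1] in ("eq", "any", "host"):
        return ipaddress.ip_network(tokens[0] + "/32"), tokens[1:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq PORT' qualifier (keyword or number)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), tokens[2:]
    return None, tokens


def parse_ace(line, kind):
    """Parse one permit/deny entry of a standard or extended IOS ACL (the subset the thread uses)."""
    tokens = line.split()
    action, rest = tokens[0], tokens[1:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line}")
    if kind == "standard":              # source address only: no protocol, ports or destination
        src, rest = _parse_addr(rest)
        return Ace(action, "ip", src, ANY)
    proto, rest = rest[0], rest[1:]
    src, rest = _parse_addr(rest)
    sport, rest = _parse_port(rest)     # a port right after the source is a *source* port
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)
    return Ace(action, proto, src, dst, sport, dport)


def parse_acl(lines, kind):
    return [parse_ace(line, kind) for line in lines]


def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src or ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    return ace.dport is None or pkt.dport == ace.dport


def vacl_verdict(acl, pkt):
    """First matching entry decides. A permit forwards; a deny or no match means the map's only
    sequence does not match and the frame hits the VACL's implicit drop. The VACL sees every frame
    in the VLAN: bridged intra-VLAN traffic and routed-in replies included."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return "forward" if ace.action == "permit" else "drop"
    return "drop"


# Constructed ACLs modelled on the thread; addresses reused from the posts, not a real network.
STANDARD_ACL = parse_acl([
    "permit 10.18.15.0 0.0.0.255",      # the user VLAN itself
    "permit host 10.10.50.1",           # DHCP/DNS server
], "standard")

EXTENDED_ACL = parse_acl([
    "permit udp any any eq bootps",     # client -> server DHCP (DISCOVER/REQUEST), source 0.0.0.0
    "permit udp any any eq bootpc",     # server/relay -> client DHCP (OFFER/ACK), often broadcast
    "permit ip 10.18.15.0 0.0.0.255 10.18.15.0 0.0.0.255",   # keep intra-VLAN traffic
    "permit ip 10.18.15.0 0.0.0.255 172.16.50.0 0.0.0.255",  # user VLAN -> server VLAN
    "permit ip 10.18.15.0 0.0.0.255 host 172.16.30.45",      # shared printer in another VLAN
], "extended")

# Constructed packets. A DHCP DISCOVER has no source address yet and is broadcast.
PACKETS = {
    "dhcp_discover": Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67),
    "dhcp_offer":    Packet("10.10.50.1", "255.255.255.255", "udp", 67, 68),
    "intra_vlan":    Packet("10.18.15.10", "10.18.15.20", "tcp", 50000, 445),
    "to_dc":         Packet("10.18.15.10", "172.16.50.5", "tcp", 50001, 445),
    "to_printer":    Packet("10.18.15.10", "172.16.30.45", "tcp", 50002, 9100),
    "other_vlan":    Packet("10.18.15.10", "10.18.16.20", "tcp", 50003, 445),
}


def classify(acl):
    """Verdict for every constructed packet under the given ACL."""
    return {name: vacl_verdict(acl, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("standard", STANDARD_ACL), ("extended", EXTENDED_ACL)):
        print(label, classify(acl))
```

Running it prints one verdict dictionary per ACL: under the standard ACL the DISCOVER is dropped (source 0.0.0.0 matches no listed subnet) while traffic to a neighbouring VLAN is forwarded (source-only matching); under the extended ACL the DHCP exchange and the intended destinations are forwarded and the neighbouring VLAN is dropped. The model covers only the subset the thread uses (contiguous wildcard masks, "eq" port qualifiers, one access-map sequence) and is a reasoning aid, not a substitute for checking the switch itself with "show vlan access-map" and "show vlan filter".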