Vlan Access MAP issue 3560

Istvan kelemen
Level 1

Hello,
I am studying for CCNP Switch and I am doing VLAN access map labs.

So I have 2 VLANs and 2 subnets:
vlan 20 10.20.0.0/24

vlan 30 10.30.0.0/24
I want to accomplish the following: VLAN 30, 10.30.0.0/24, should not be able to ping the SVIs 10.30.0.1 and 10.20.0.1.

What I think is that it might not be possible to deny 10.30.0.1 because this is basically L2-only traffic, but it should block the ping coming from VLAN 30 to the VLAN 20 SVI.
The VLAN access map is successfully filtering the ping requests from 10.30.0.0/24 to 10.20.0.100, but not to the SVIs.
However, if I add VLAN 30 to "vlan filter DENY_ICMP vlan-list 20,30", it filters out the requests from VLAN 30 to the SVIs. Why doesn't it filter ping to the SVIs from 10.30.0.0/24 without adding VLAN 30 to the filter list, and why does it filter ping from 10.30.0.0/24 only to 10.20.0.100 and not to the SVIs?
I assume this command "vlan filter DENY_ICMP vlan-list XX" applies both inbound and outbound, right?

But in this case my following supposition is not correct:

As I think, it should either block ping from 10.30.0.0/24 neither to the SVIs nor to 10.20.0.100 if VLAN 30 is not added to the VLAN filter list, or it should block both.
Here is the relevant config:
ip routing
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 no ip mroute-cache

interface Vlan30
 ip address 10.30.0.1 255.255.255.0
 no ip mroute-cache
access-list 100 deny icmp any any echo-reply
access-list 100 permit icmp 10.30.0.0 0.0.0.255 10.30.0.1 0.0.0.0
access-list 100 permit icmp 10.30.0.0 0.0.0.255 10.20.0.1 0.0.0.0
access-list 100 permit icmp 10.30.0.0 0.0.0.255 10.20.0.0 0.0.0.255


vlan access-map DENY_ICMP 10
 action drop
 match ip address 100
vlan access-map DENY_ICMP 20
 action forward


vlan filter DENY_ICMP vlan-list 20
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/11
                                                Fa0/12, Fa0/13, Fa0/14, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
10   VLAN0010                         active
20   VLAN0020                         active    Fa0/20
21   VLAN0021                         active
30   VLAN0030                         active    Fa0/21
Extended IP access list 100
    10 deny icmp any any echo-reply
    20 permit icmp 10.30.0.0 0.0.0.255 host 10.30.0.1
    30 permit icmp 10.30.0.0 0.0.0.255 host 10.20.0.1
    40 permit icmp 10.30.0.0 0.0.0.255 10.20.0.0 0.0.0.255
Vlan access-map "DENY_ICMP"  10
  Match clauses:
    ip  address: 100
  Action:
    drop
Vlan access-map "DENY_ICMP"  20
  Match clauses:
  Action:
    forward
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE9, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Mon 03-Mar-14 22:36 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02F00000

ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)

SW3-3560 uptime is 1 hour, 44 minutes
System returned to ROM by power-on
System image file is "flash:/c3560-ipservicesk9-mz.122-55.SE9.bin"


cisco WS-C3560-24PS (PowerPC405) processor (revision F0) with 131072K bytes of memory.
Processor board ID CAT0825N35Q
Last reset from power-on
4 Virtual Ethernet interfaces
24 FastEthernet interfaces
2 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 00:11:92:4B:5B:00
Motherboard assembly number     : 73-9299-01
Power supply part number        : 341-0029-03
Motherboard serial number       : CAT08250195
Power supply serial number      : DTH082121XG
Model revision number           : F0
Motherboard revision number     : E0
Model number                    : WS-C3560-24PS-S
System serial number            : CAT0825N35Q
Top Assembly Part Number        : 800-24791-01
Top Assembly Revision Number    : H0
Version ID                      : N/A
Hardware Board Revision Number  : 0x09


Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 26    WS-C3560-24PS      12.2(55)SE9           C3560-IPSERVICESK9-M


Configuration register is 0xF
Thanks!
BR,

István
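As an added illustration (not from the post and not Cisco code), here is a small Python model of how the DENY_ICMP access map from the post is evaluated against the ICMP flows in the lab. It assumes, as a labelled modelling assumption, that a packet addressed to an SVI is consumed by the switch in the VLAN it arrived on and never enters the other SVI's VLAN, while a packet routed between the two subnets is seen by the VACL of both VLANs; under that assumption a filter applied to VLAN 20 alone catches pings to 10.20.0.100 but not to 10.20.0.1, and adding VLAN 30 catches both.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: str  # "echo" or "echo-reply"

# access-list 100 from the post: (action, src net, dst net, icmp type or None)
ACL_100 = [
    ("deny",   "0.0.0.0/0",    "0.0.0.0/0",    "echo-reply"),
    ("permit", "10.30.0.0/24", "10.30.0.1/32", None),
    ("permit", "10.30.0.0/24", "10.20.0.1/32", None),
    ("permit", "10.30.0.0/24", "10.20.0.0/24", None),
]
SUBNETS = {20: ipaddress.ip_network("10.20.0.0/24"),
           30: ipaddress.ip_network("10.30.0.0/24")}
SVIS = {"10.20.0.1", "10.30.0.1"}   # addresses owned by the switch itself

def acl_permits(acl, pkt):
    """First-match evaluation with the implicit deny at the end. In a VACL a
    'permit' line means the match clause matched (here: action drop)."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, s, d, t in acl:
        if (src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
                and (t is None or t == pkt.icmp_type)):
            return action == "permit"
    return False

def vacl_action(pkt):
    """DENY_ICMP: seq 10 drops on a match of ACL 100, seq 20 forwards the rest."""
    return "drop" if acl_permits(ACL_100, pkt) else "forward"

def vlans_seen(pkt, ingress_vlan):
    """VLANs whose VACL evaluates the packet. Assumption: a packet addressed
    to an SVI is handed to the switch in its ingress VLAN and never enters
    the other SVI's VLAN; a routed packet also enters the destination VLAN."""
    if pkt.dst in SVIS:
        return [ingress_vlan]
    dst_vlan = next(v for v, net in SUBNETS.items()
                    if ipaddress.ip_address(pkt.dst) in net)
    return [ingress_vlan] if dst_vlan == ingress_vlan else [ingress_vlan, dst_vlan]

def forwarded(pkt, ingress_vlan, filter_vlans):
    """True if the packet survives the VACL on every VLAN it passes through."""
    return not any(v in filter_vlans and vacl_action(pkt) == "drop"
                   for v in vlans_seen(pkt, ingress_vlan))
```

The first ACL line (deny echo-reply) keeps the replies from matching the drop clause, so only the requests from 10.30.0.0/24 are filtered; `forwarded(..., {20})` versus `forwarded(..., {20, 30})` reproduces the two behaviours described in the post.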