03-28-2018 08:17 AM - edited 03-08-2019 02:26 PM
Dears,
I want to block hosts within the subnet 172.27.1.0/24 from reaching each other, but I have 4 printers (IPs .249, .250, .251, .252) in the same subnet that have to be reachable from the PCs in the subnet. How should I create a VLAN access-map policy for this type of scenario?
thanks
03-31-2018 01:57 PM - edited 03-31-2018 02:00 PM
Ok,
I just verified: the return traffic from your printers is dropped.
You also need to match the reverse flow in allowpc.
(And by the way, the deny at the end is not required; there is an implicit deny, as you stated.)
Regards, Guillaume
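To see why the three-sequence map from the first reply (forward printer traffic, drop the rest of the subnet, forward everything else) still breaks the ping, and why matching the reverse flow fixes it, here is an added Python model of how a VLAN map evaluates its sequences. It is not code from the thread or from Cisco; the PC addresses 172.27.1.10/.11 and the outside host 10.0.0.5 are constructed sample values.

```python
import ipaddress
# Constructed model of the IOS semantics discussed in the thread (not Cisco code): an ACL
# is a list of ACEs (action, src, src_wc, dst, dst_wc); a VLAN map a list of (acl, action).
HOST = "0.0.0.0"                                   # wildcard used by "host x"
SUBNET, WC = "172.27.1.0", "0.0.0.255"
PRINTERS = ["172.27.1.249", "172.27.1.250", "172.27.1.251", "172.27.1.252"]

def _wc_match(addr, base, wildcard):
    """IOS wildcard compare: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF
    return (a & keep) == (b & keep)

def acl_lookup(acl, src, dst):
    """First matching ACE wins; None models the implicit deny at the end."""
    for action, s, sw, d, dw in acl:
        if _wc_match(src, s, sw) and _wc_match(dst, d, dw):
            return action
    return None

def vacl_decide(vlan_map, src, dst):
    """A sequence matches only when its ACL permits the packet; an ACL deny or
    no-match means 'try the next sequence'. A sequence with no match clause
    matches everything; if no sequence matches, the map drops the packet."""
    for acl, action in vlan_map:
        if acl is None or acl_lookup(acl, src, dst) == "permit":
            return action
    return "drop"

PC_TO_PRINTER = [("permit", SUBNET, WC, p, HOST) for p in PRINTERS]
# WITHIN-VLAN40-ACCESS as posted (seq 10), including the redundant trailing deny.
POSTED_ALLOW = PC_TO_PRINTER + [("deny", SUBNET, WC, SUBNET, WC)]
# Same ACL with the reverse flow (printer -> PC) added, as the accepted answer requires.
FIXED_ALLOW = PC_TO_PRINTER + [("permit", p, HOST, SUBNET, WC) for p in PRINTERS]
INTRA = [("permit", SUBNET, WC, SUBNET, WC)]   # INTRA-VLAN-COMMUNICATION (seq 19)

def build_map(allow_acl):
    # seq 10: forward printer traffic; seq 19: drop the rest of the subnet; seq 20: forward
    return [(allow_acl, "forward"), (INTRA, "drop"), (None, "forward")]

def check_flows(allow_acl):
    m = build_map(allow_acl)
    return {
        "pc->printer": vacl_decide(m, "172.27.1.10", "172.27.1.249"),
        "printer->pc": vacl_decide(m, "172.27.1.249", "172.27.1.10"),
        "pc->pc": vacl_decide(m, "172.27.1.10", "172.27.1.11"),
        "pc->outside": vacl_decide(m, "172.27.1.10", "10.0.0.5"),  # leaves via seq 20
    }
```

With POSTED_ALLOW the echo request reaches the printer but the echo reply is denied by the ACL, falls through to sequence 19 and is dropped; with FIXED_ALLOW both directions are forwarded while PC-to-PC traffic is still dropped.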
03-28-2018 08:38 AM
Hello,
I think you have to create an access-map with 3 sentences. In the first you have to use an extended ACL with "permit" clauses for your 3 printers; this access-map sentence has to be "forward".
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.249
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.250
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.251
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.252
deny ip 172.27.1.0 0.0.0.255 any
In the second you have to deny the traffic between the hosts, so you have to use "permit" in your ACL but "drop" in your access-map sentence.
permit ip 172.27.1.0 0.0.0.255 172.27.1.0 0.0.0.255
deny ip 172.27.1.0 0.0.0.255 any
And in the last one, you have to permit everything else, so you have to use "permit" in your ACL and "forward" in your access-map sentence.
permit ip 172.27.1.0 0.0.0.255 any
I hope this can be useful for you.
----Please do not forget to rate useful post----
Regards,
03-28-2018 08:50 AM
Dear
You mean it should be like below?
ip access-list extended WITHIN-VLAN40-ACCESS
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.249
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.250
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.251
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.252
deny ip 172.27.1.0 0.0.0.255 any ------------------- WHY DO WE NEED THIS HERE?
ip access-list extended INTRA-VLAN-COMMUNICATION
permit ip 172.27.1.0 0.0.0.255 172.27.1.0 0.0.0.255
deny ip 172.27.1.0 0.0.0.255 any ------------------- WHY DO WE NEED THIS HERE?
ip access-list extended ALLOW-ALL
permit ip 172.27.1.0 0.0.0.255 any
vlan access-map BLOCK-INTRA-SUBNET 10
match ip address WITHIN-VLAN40-ACCESS
action forward
vlan access-map BLOCK-INTRA-SUBNET 19
match ip address INTRA-VLAN-COMMUNICATION
action drop
vlan access-map BLOCK-INTRA-SUBNET 20
match ip address ALLOW-ALL ------------------- WHY DO WE NEED THIS HERE? By default it will be permitted.
action forward
03-28-2018 10:01 AM
Yes sorry, I had forgotten that the default behavior is to forward, so you only need this:
ip access-list extended WITHIN-VLAN40-ACCESS
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.249
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.250
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.251
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.252
deny ip 172.27.1.0 0.0.0.255 172.27.1.0 0.0.0.255 ------------------- WHY DO WE NEED THIS HERE? (Because you need to tell the device that this traffic will be evaluated in the next statement.)
ip access-list extended INTRA-VLAN-COMMUNICATION
permit ip 172.27.1.0 0.0.0.255 172.27.1.0 0.0.0.255
-----------------Do not forget to rate useful post, this will encourage us to continue our contributions to the community---------------------
Regards,
03-28-2018 10:25 AM - edited 03-28-2018 10:28 AM
Thanks for the reply.
So the configs should look like this:
ip access-list extended WITHIN-VLAN40-ACCESS
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.249
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.250
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.251
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.252
deny ip 172.27.1.0 0.0.0.255 any
ip access-list extended INTRA-VLAN-COMMUNICATION
permit ip 172.27.1.0 0.0.0.255 172.27.1.0 0.0.0.255
deny ip 172.27.1.0 0.0.0.255 any ------------------- WHY DO WE NEED THIS HERE?
vlan access-map BLOCK-INTRA-SUBNET 10
match ip address WITHIN-VLAN40-ACCESS
action forward
vlan access-map BLOCK-INTRA-SUBNET 19
match ip address INTRA-VLAN-COMMUNICATION
action drop
vlan access-map BLOCK-INTRA-SUBNET 20
action forward
03-28-2018 10:45 AM
The final configuration should be like:
ip access-list extended WITHIN-VLAN40-ACCESS
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.249
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.250
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.251
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.252
deny ip 172.27.1.0 0.0.0.255 172.27.1.0 0.0.0.255
ip access-list extended INTRA-VLAN-COMMUNICATION
permit ip 172.27.1.0 0.0.0.255 172.27.1.0 0.0.0.255
vlan access-map BLOCK-INTRA-SUBNET 10
match ip address WITHIN-VLAN40-ACCESS
action forward
vlan access-map BLOCK-INTRA-SUBNET 19
match ip address INTRA-VLAN-COMMUNICATION
action drop
vlan access-map BLOCK-INTRA-SUBNET 20
action forward
-----------------Do not forget to rate useful post, this will encourage us to continue our contributions to the community---------------------
Regards,
03-29-2018 12:44 AM
Dears,
The final configuration didn't work for me.
03-30-2018 07:03 AM
Dear
Can anybody help me with the configuration, or tell me where things are missing?
thanks
03-30-2018 07:11 AM
03-30-2018 07:25 AM - edited 03-30-2018 07:28 AM
Dears
Thanks for the reply.
Yes, I applied it and tried to ping the printers, but without success. Are there any debugs or show commands that can show whether the traffic is hitting the VLAN access-map? The access-list log keyword doesn't work with a VLAN access-map; it gives an error that it cannot be used with a VLAN access-map.
Thanks
03-31-2018 10:02 AM
Dears,
I tried the above configuration with a lab switch and it doesn't work.
Any hints, or any other way around to solve the issue?
thanks
03-31-2018 11:16 AM
Hello,
You can post the operational states of your switch, like:
show vlan brief
show vlan filter
show access-lists (you should see the matches here)
show vlan access-map
You could also use private VLANs to get the behavior you expect (if your switch supports it).
Regards,
Guillaume
03-31-2018 12:26 PM - edited 03-31-2018 12:43 PM
Here are the configs.
Are they supported on the 2960XR switches with IOS c2960x-universalk9-mz.152-6.E.bin? I have seen the configuration guide, where it shows that the VLAN access-map can be configured on the 2960XR, but I have Cisco IP telephony and voice VLANs assigned on the interfaces, so I cannot use private VLANs.
Switch#sh vlan access-map
Vlan access-map "block" 10
Match clauses:
ip address: allowpc
Action:
forward
Vlan access-map "block" 20
Match clauses:
ip address: denypc
Action:
drop
Vlan access-map "block" 30
Match clauses:
Action:
forward
Switch#sh access-lists
Extended IP access list allowpc
10 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.108 eq 3389
20 deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
Extended IP access list denypc
10 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
Switch#sh vlan filter
VLAN Map block is filtering VLANs:
1
Switch#sh vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/3, Fa0/4, Fa0/5, Fa0/6
Fa0/7, Fa0/8, Fa0/14, Fa0/15
Fa0/16, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/24, Gi0/1
Gi0/2
2 Services active Fa0/1, Fa0/2, Fa0/12
thanks
03-31-2018 01:13 PM
03-31-2018 01:37 PM
Thanks for replying to the post.
As I mentioned in my previous post, I am testing this in a lab environment instead of production to sort out the issue, and the same problem is reflected in the lab as well. In my production the access-lists from the first post are applied and configured; the access-lists in the current post are similar except for the Class C subnet, which doesn't make any difference for things to work. Please correct me if I'm wrong.
Thanks