Vlan Access map

adamgibs7 (Level 6)

Dears,

I want to block traffic within the subnet 172.27.1.0/24 from reaching each other, but I have 4 printers (IPs 249, 250, 251, 252) in the same subnet that have to be reachable from the PCs in the subnet. How should I create a VLAN access-map policy for this type of scenario?

thanks

Accepted Solution

Ok,
I just verified: the return traffic from your printers is denied (dropped).
You need to also match the reverse flow in allowpc.
(And btw the deny at the end is not required; there is an implicit deny, like you stated.)
Regards, Guillaume


16 Replies

Diana Karolina Rojas (Cisco Employee)

Hello,

I think you have to create an access-map with 3 sentences. In the first you have to use an extended ACL with "permit" clauses for your 3 printers; this access-map sentence has to be "forward":

permit ip 172.27.1.0 0.0.0.255 host 172.27.1.249
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.250
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.251
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.252
deny ip 172.27.1.0 0.0.0.255 any

In the second you have to deny the traffic between the hosts, so you have to use "permit" in your ACL but "drop" in your access-map sentence:

permit ip 172.27.1.0 0.0.0.255 172.27.1.0 0.0.0.255
deny ip 172.27.1.0 0.0.0.255 any

And in the last one you have to permit everything else, so you have to use "permit" in your ACL and "forward" in your access-map sentence:

permit ip 172.27.1.0 0.0.0.255 any

I hope this can be useful for you.

----Please do not forget to rate useful post----

Regards,

Dear

You mean it should be like below?

ip access-list extended WITHIN-VLAN40-ACCESS
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.249
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.250
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.251
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.252
deny ip 172.27.1.0 0.0.0.255 any -------------------WHY WE NEED THIS HERE

ip access-list extended INTRA-VLAN-COMMUNICATION
permit ip 172.27.1.0 0.0.0.255 172.27.1.0 0.0.0.255
deny ip 172.27.1.0 0.0.0.255 any -------------------WHY WE NEED THIS HERE

ip access-list extended ALLOW-ALL
permit ip 172.27.1.0 0.0.0.255 any

vlan access-map BLOCK-INTRA-SUBNET 10
 match ip address WITHIN-VLAN40-ACCESS
 action forward
vlan access-map BLOCK-INTRA-SUBNET 19
 match ip address INTRA-VLAN-COMMUNICATION
 action drop
vlan access-map BLOCK-INTRA-SUBNET 20
 match ip address ALLOW-ALL -------------------WHY WE NEED THIS HERE, by default it will be permitted
 action forward

Yes sorry, I had forgotten that the default behavior is to forward, so you only need this:

ip access-list extended WITHIN-VLAN40-ACCESS
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.249
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.250
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.251
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.252
deny ip 172.27.1.0 0.0.0.255 172.27.1.0 0.0.0.255 -------------------WHY WE NEED THIS HERE (Because you need to tell the device that this traffic will be evaluated in the next statement)

ip access-list extended INTRA-VLAN-COMMUNICATION
permit ip 172.27.1.0 0.0.0.255 172.27.1.0 0.0.0.255

-----------------Do not forget to rate useful post, this will encourage us to continue our contributions to the community---------------------

Regards,

Thanks for the reply

so the configs should look like this:

ip access-list extended WITHIN-VLAN40-ACCESS
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.249
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.250
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.251
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.252
deny ip 172.27.1.0 0.0.0.255 any

ip access-list extended INTRA-VLAN-COMMUNICATION
permit ip 172.27.1.0 0.0.0.255 172.27.1.0 0.0.0.255
deny ip 172.27.1.0 0.0.0.255 any -------------------WHY WE NEED THIS HERE

vlan access-map BLOCK-INTRA-SUBNET 10
 match ip address WITHIN-VLAN40-ACCESS
 action forward
vlan access-map BLOCK-INTRA-SUBNET 19
 match ip address INTRA-VLAN-COMMUNICATION
 action drop
vlan access-map BLOCK-INTRA-SUBNET 20
 action forward

The final configuration should be like:

ip access-list extended WITHIN-VLAN40-ACCESS
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.249
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.250
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.251
permit ip 172.27.1.0 0.0.0.255 host 172.27.1.252
deny ip 172.27.1.0 0.0.0.255 172.27.1.0 0.0.0.255

ip access-list extended INTRA-VLAN-COMMUNICATION
permit ip 172.27.1.0 0.0.0.255 172.27.1.0 0.0.0.255

vlan access-map BLOCK-INTRA-SUBNET 10
 match ip address WITHIN-VLAN40-ACCESS
 action forward
vlan access-map BLOCK-INTRA-SUBNET 19
 match ip address INTRA-VLAN-COMMUNICATION
 action drop
vlan access-map BLOCK-INTRA-SUBNET 20
 action forward

-----------------Do not forget to rate useful post, this will encourage us to continue our contributions to the community---------------------

Regards,

Dears,

the final configuration didn't work for me.

Dear

Can anybody help me with the configuration, or tell me where things are missing?

thanks

Hello,
did you apply your VACL on your VLAN?
vlan filter BLOCK-INTRA-SUBNET vlan-list ....

Regards,
Guillaume

Dears

Thanks for the reply

yes I applied it, and I tried to ping the printers but with no success. Are there any debugs or show commands through which it can be seen that the traffic is hitting the VLAN access-map? Because the access-list log keyword doesn't work with VLAN access-maps; it gives an error prompt that it cannot be used with a VLAN access-map.

Thanks

Dears,

I tried the above configuration with a lab switch and it doesn't work.

Any hints, or any other way around to solve the issue?

thanks

Hello,

you can post operational states of your switch like:

show vlan brief
show vlan filter
show access-lists (you should see the matches here)
show vlan access-map

you could also use private VLANs to get the same behavior as you expect (if your switch supports it).

Regards,
Guillaume

here are the configs,

are they supported on the 2960XR switches with IOS c2960x-universalk9-mz.152-6.E.bin? I have seen the configuration guide where it shows me the VLAN access-map can be configured on the 2960XR, but I have Cisco IP telephony and a voice VLAN assigned on the interfaces, so I cannot use private VLANs.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960xr/software/15-2_5_e/configuration_guide/b_1525e_consolidated_2960xr_cg/b_1525e_consolidated_2960xr_cg_chapter_01000011.html#d36908e651a1635

Switch#sh vlan access-map
Vlan access-map "block"  10
  Match clauses:
    ip  address: allowpc
  Action:
    forward
Vlan access-map "block"  20
  Match clauses:
    ip  address: denypc
  Action:
    drop
Vlan access-map "block"  30
  Match clauses:
  Action:
    forward

Switch#sh access-lists
Extended IP access list allowpc
    10 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.108 eq 3389
    20 deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
Extended IP access list denypc
    10 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255

Switch#sh vlan filter
VLAN Map block is filtering VLANs:
  1
Switch#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/24, Gi0/1
                                                Gi0/2
2    Services                         active    Fa0/1, Fa0/2, Fa0/12

thanks

Hello,
vlan access-maps filter ip traffic if the match is an ip acl (but not with a mac acl).
Your access-lists do not match the behavior and the subnet of your first post.
You can add the log keyword to the drop action.
Regards, Guillaume

thanks for replying to the post

As I mentioned in my previous post, I am testing this in a lab environment instead of production to sort out the issue; the same issue lies in the LAB and is reflected in the LAB also. In my production the first post's access-lists are applied and configured; the current post's access-lists are also similar, except for the Class C, which doesn't make any difference for the things to work. Please correct me if I'm wrong.

Thanks
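To make the accepted solution concrete, here is an added example (not from the thread, not Cisco code) that simulates how a VLAN access-map evaluates a packet: ACL entries are checked in order, the first access-map sequence whose ACL permits the packet applies, an ACL deny only falls through to the next sequence, and a sequence with no match clause applies to everything. It uses the ACL names and printer addresses from the thread's final configuration; the PC addresses 172.27.1.10/11 and the outside address 10.0.0.1 are constructed.

```python
import ipaddress

PRINTERS = ["172.27.1.249", "172.27.1.250", "172.27.1.251", "172.27.1.252"]
SUBNET = "172.27.1.0 0.0.0.255"
PC, PC2, OUTSIDE = "172.27.1.10", "172.27.1.11", "10.0.0.1"  # constructed addresses

def match_addr(spec, ip):
    """ACL address field: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard-mask'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip == spec[5:]
    net, wild = spec.split()
    w = int(ipaddress.IPv4Address(wild))
    # Wildcard bits set to 1 are "don't care": compare only the remaining bits.
    return (int(ipaddress.IPv4Address(ip)) | w) == (int(ipaddress.IPv4Address(net)) | w)

def acl_result(acl, src, dst):
    """First matching entry wins; a packet matching no entry is implicitly denied."""
    for action, s, d in acl:
        if match_addr(s, src) and match_addr(d, dst):
            return action
    return "deny"

def vacl_action(access_map, acls, src, dst):
    """Sequences are tried in order; one applies only when its ACL permits the packet
    (None = no match clause, applies to all). Unmatched IP packets are dropped."""
    for acl_name, action in access_map:
        if acl_name is None or acl_result(acls[acl_name], src, dst) == "permit":
            return action
    return "drop"

# WITHIN-VLAN40-ACCESS as posted: PC->printer permitted, rest of the subnet denied.
ONE_WAY = [("permit", SUBNET, f"host {p}") for p in PRINTERS] + [("deny", SUBNET, SUBNET)]
# The accepted solution's fix: also permit the reverse flow printer->subnet.
TWO_WAY = ([("permit", SUBNET, f"host {p}") for p in PRINTERS]
           + [("permit", f"host {p}", SUBNET) for p in PRINTERS]
           + [("deny", SUBNET, SUBNET)])
INTRA = [("permit", SUBNET, SUBNET)]  # INTRA-VLAN-COMMUNICATION
ACCESS_MAP = [("WITHIN-VLAN40-ACCESS", "forward"), ("INTRA-VLAN-COMMUNICATION", "drop"),
              (None, "forward")]  # sequences 10, 19 and 20 (no match clause)

def evaluate(allow_acl, src, dst):
    acls = {"WITHIN-VLAN40-ACCESS": allow_acl, "INTRA-VLAN-COMMUNICATION": INTRA}
    return vacl_action(ACCESS_MAP, acls, src, dst)

if __name__ == "__main__":
    for label, acl in (("one-way", ONE_WAY), ("two-way", TWO_WAY)):
        for s, d in ((PC, PRINTERS[0]), (PRINTERS[0], PC), (PC, PC2), (PC, OUTSIDE)):
            print(f"{label:8} {s:>13} -> {d:<13} {evaluate(acl, s, d)}")
```

With the one-way ACL the printer's reply to the PC falls through sequence 10 and is dropped by sequence 19, which is why the ping never succeeds; the two-way ACL forwards both directions while PC-to-PC traffic is still dropped.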
