cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2072
Views
0
Helpful
6
Replies

Vlan ACL for cisco 3750--issue

sivakumar.ks
Level 1
Level 1

Hi Guys,

I am confused I am trying to configure vlan access list in cisco 3750. But it is not working. Software version is C3750 Software (C3750-ADVIPSERVICESK9-M), Version 12.2(44)SE.

Following is the configuration I tried and it was working in cisco 6500 , but not in 3750 Please help me.

1. inter vlan 211

Description Sharepoint_vlan_public

ip address 10.3.211.1 255.255.255.0

ip access-group Sharepoint1 in

ip access-group sharepoint2 out

no ip redirects

no ip unreachables

2. Access-list to access Vlan 3 and vlan 210 from vlan 211

ip access-list extended Sharepoint1

permit tcp 10.3.211.0 0.0.0.255 host 10.3.6.121 eq 135

permit tcp 10.3.211.0 0.0.0.255 host 10.3.6.121 eq 1025

permit tcp 10.3.211.0 0.0.0.255 host 10.3.6.121 eq 1026

permit tcp 10.3.211.0 0.0.0.255 host 10.3.6.121 eq 389

permit tcp 10.3.211.0 0.0.0.255 host 10.3.6.121 eq 445

permit tcp 10.3.211.0 0.0.0.255 host 10.3.6.121 eq 139

permit tcp 10.3.211.0 0.0.0.255 host 10.3.6.121 eq 53

permit udp 10.3.211.0 0.0.0.255 host 10.3.6.121 eq 13255

permit udp 10.3.211.0 0.0.0.255 host 10.3.6.121 eq 138

permit udp 10.3.211.0 0.0.0.255 host 10.3.6.121 eq 53

permit tcp 10.3.211.0 0.0.0.255 host 10.3.210.121 eq 135

permit tcp 10.3.211.0 0.0.0.255 host 10.3.210.121 eq 1025

permit tcp 10.3.211.0 0.0.0.255 host 10.3.210.121 eq 1026

permit tcp 10.3.211.0 0.0.0.255 host 10.3.210.121 eq 389

permit tcp 10.3.211.0 0.0.0.255 host 10.3.210.121 eq 445

permit tcp 10.3.211.0 0.0.0.255 host 10.3.210.121 eq 139

permit tcp 10.3.211.0 0.0.0.255 host 10.3.210.121 eq 53

permit udp 10.3.211.0 0.0.0.255 host 10.3.210.121 eq 13255

permit udp 10.3.211.0 0.0.0.255 host 10.3.210.121 eq 138

permit udp 10.3.211.0 0.0.0.255 host 10.3.210.121 eq 53

permit tcp 10.3.211.0 0.0.0.255 host 10.3.6.161 eq 25

permit tcp 10.3.211.0 0.0.0.255 host 10.3.210.46 eq 1433

3. This access-list is for management purpose and return traffic

ip access-list extended Sharepoint2

permit ip 10.3.6.121 0.0.0.0 10.3.211.0 0.0.0.255

permit ip 10.3.6.161 0.0.0.0 10.3.211.0 0.0.0.255

permit ip 10.3.210.46 0.0.0.0 10.3.211.0 0.0.0.255

permit ip 10.3.210.121 0.0.0.0 10.3.211.0 0.0.0.255

permit ip 10.3.140.0 0.0.0.255 10.3.211.0 0.0.0.255

and also I tried VLAN ACL same result which is not working.

vlan access-map sharepoint 10

action forward

match ip address sharepoint

!

vlan filter sharepoint vlan-list 211

ip access-list extended sharepoint

permit tcp 10.3.211.0 0.0.0.255 host 10.3.6.121 eq 135

permit tcp 10.3.211.0 0.0.0.255 host 10.3.6.121 eq 1025

permit tcp 10.3.211.0 0.0.0.255 host 10.3.6.121 eq 1026

permit tcp 10.3.211.0 0.0.0.255 host 10.3.6.121 eq 389

permit tcp 10.3.211.0 0.0.0.255 host 10.3.6.121 eq 445

permit tcp 10.3.211.0 0.0.0.255 host 10.3.6.121 eq 139

permit tcp 10.3.211.0 0.0.0.255 host 10.3.6.121 eq domain

permit udp 10.3.211.0 0.0.0.255 host 10.3.6.121 eq 13255

permit udp 10.3.211.0 0.0.0.255 host 10.3.6.121 eq netbios-dgm

permit udp 10.3.211.0 0.0.0.255 host 10.3.6.121 eq domain

permit tcp 10.3.211.0 0.0.0.255 host 10.3.210.121 eq 135

permit tcp 10.3.211.0 0.0.0.255 host 10.3.210.121 eq 1025

permit tcp 10.3.211.0 0.0.0.255 host 10.3.210.121 eq 1026

permit tcp 10.3.211.0 0.0.0.255 host 10.3.210.121 eq 389

permit tcp 10.3.211.0 0.0.0.255 host 10.3.210.121 eq 445

permit tcp 10.3.211.0 0.0.0.255 host 10.3.210.121 eq 139

permit tcp 10.3.211.0 0.0.0.255 host 10.3.210.121 eq domain

permit udp 10.3.211.0 0.0.0.255 host 10.3.210.121 eq 13255

permit udp 10.3.211.0 0.0.0.255 host 10.3.210.121 eq netbios-dgm

permit udp 10.3.211.0 0.0.0.255 host 10.3.210.121 eq domain

permit tcp 10.3.211.0 0.0.0.255 host 10.3.6.161 eq smtp

permit tcp 10.3.211.0 0.0.0.255 host 10.3.210.46 eq 1433

permit ip host 10.3.6.121 10.3.211.0 0.0.0.255

permit ip host 10.3.6.161 10.3.211.0 0.0.0.255

permit ip host 10.3.210.46 10.3.211.0 0.0.0.255

permit ip host 10.3.210.121 10.3.211.0 0.0.0.255

permit ip 10.3.140.0 0.0.0.255 10.3.211.0 0.0.0.255

Please help me to fix the same.

Thanks in advance.

!

1 Accepted Solution

Accepted Solutions

Hi,

I assume your C3750 is the router for this subnet. I mean, the servers are using him as default gateway and the upstream routers use him as next hop to reach the subnet 10.3.211.0/24?

Dario

View solution in original post

6 Replies 6

dario.didio
Level 4
Level 4

Hi,

You don't need to have a VLAN ACL in your case.

VLAN ACLs are used to prevent devices in the same VLAN from communicating with each other.

L3 ACLs are used to prevent devices in different VLANs-networks from communicating with each other.

It seems that in your case, you want to permit a list of addresses to communicate with all devices in VLAN 211 (deny the rest) and permit all devices in VLAN 211 to communicate with devices in a list of other networks (and deny the rest).

If this is true, you don't need to have the VLAN ACL.

Are the L3 ACLs working?

HTH,

Dario

Hi Dario,

Since L3 ACLs wasn't working, I tried VLAN ACL. In my post I copied and past the config of L3 ACLs. I extracted that ACL after testing with 6500.

I am not sure why it is not working?. Even after applying it is not blocking any traffic apart from what defined in L3 ACLs.

Please help me to find out the cause.

Thanks,

Siva.

Hi,

I assume your C3750 is the router for this subnet. I mean, the servers are using him as default gateway and the upstream routers use him as next hop to reach the subnet 10.3.211.0/24?

Dario

Yes you are correct. But similar sort of configuration was working in 6500. Is it a bottle neck. Can't I secure the vlan 211 in c3750.

Hi

Can I apply it to the switch port interface where the vlan211 is configured.

It is not working on layer3.

Siva.

I have sorted out the issue. Thanks for clearing my doubt.

Solutions. ACL is correct. Just avoid pinging the gateway.

Review Cisco Networking for a $25 gift card