02-05-2011 04:27 AM - edited 03-06-2019 03:22 PM
Hi Experts,
I request your mind share and help. I am trying to configure a VACL on a 3750X. The configuration is below:
GOAL:
Block TCP 445 access between hosts 192.168.16.17 and 192.168.16.18, while both hosts should still be able to access the Internet (80, 443, DNS).
PROBLEM:
When I apply the VLAN filter, all communication is blocked. I am not able to get to the Internet either.
When I add permit ip any any to ACL ALLOW-INET it works, but then all traffic is allowed.
CONFIGURATION:
vlan access-map TEST 1
action forward
match ip address ALLOW-INET
vlan access-map TEST 2
action forward
match ip address BLOCK-445
vlan filter TEST vlan-list 16
Extended IP access list ALLOW-INET
10 permit tcp host 192.168.16.18 any eq www
30 permit tcp host 192.168.16.18 any eq 443
40 permit udp host 192.168.16.18 any eq domain
50 permit tcp host 192.168.16.17 any eq www
60 permit tcp host 192.168.16.17 any eq 443
70 permit udp host 192.168.16.17 any eq domain
Extended IP access list BLOCK-445
20 deny tcp host 192.168.16.17 host 192.168.16.18 eq 445
30 permit icmp host 192.168.16.17 host 192.168.16.18
Please help me with where I am going wrong.
regards,
sathya
02-05-2011 05:58 AM
Hi Friends,
I solved it myself. It is only an ACL rule issue. After adding the established keyword, I am now able to achieve the result.
Thanks
sathya
09-14-2011 11:24 PM
Hi Sathya,
I am also facing the same issue; could you kindly share the configuration file?
Regards
Sashi
09-15-2011 12:43 AM
Hi,
Only for blocking port 445 from one IP to another, you can simply achieve this by configuring the following:
access-list 100 permit tcp host 192.168.16.17 host 192.168.16.18 eq 445
vlan access-map FILTER445 10
action drop
match ip address 100
vlan access-map FILTER445 20 (to permit everything else)
action forward
vlan filter FILTER445 vlan-list 16
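To see why the first configuration drops everything while the last reply's works, here is an added example (my own, not from the thread or from Cisco) that models Catalyst VACL evaluation in Python and runs both configurations over a few constructed packets. The semantics modelled: the ACL named by match ip address only classifies (a permit ACE means "this packet matches the map sequence", a deny ACE or no ACE hit means "it does not"), sequences are tried in order and the first one that matches supplies the action, a sequence with no match clause matches everything, a packet matching no sequence is dropped, and the filter is stateless, so reply packets are judged on their own header. It also extends the last reply's ACL with the reverse-direction entry the stated goal (blocking 445 between both hosts) needs. The external address 8.8.8.8, the ephemeral port and the sample packet list are assumptions for illustration.

```python
"""Model of Cisco Catalyst VLAN access-map (VACL) evaluation.
Assumed behaviour (Catalyst VACLs): ACL classifies only; first matching
sequence wins; no match at all -> drop; no match clause -> match all;
stateless. Sample addresses/ports other than the thread's are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port, None for icmp


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: str                     # host address or "any"
    dst: str
    dport: Optional[int] = None  # None = any destination port ("eq" absent)

    def hits(self, pkt: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


def acl_classifies(acl: List[Ace], pkt: Packet) -> bool:
    """First ACE that hits decides; permit = matches the map sequence,
    deny = does not; falling off the end = does not."""
    for ace in acl:
        if ace.hits(pkt):
            return ace.action == "permit"
    return False


def vacl_action(access_map: List[Tuple[Optional[List[Ace]], str]],
                pkt: Packet) -> str:
    """access_map is a list of (acl_or_None, action) in sequence order.
    None stands for a sequence with no match clause (matches everything)."""
    for acl, action in access_map:
        if acl is None or acl_classifies(acl, pkt):
            return action
    return "drop"  # implicit deny at the end of every VACL


H17, H18 = "192.168.16.17", "192.168.16.18"

# Original post: access-map TEST, sequences 1 and 2, both "forward".
ALLOW_INET = [Ace("permit", "tcp", h, "any", p) for h in (H18, H17) for p in (80, 443)] \
           + [Ace("permit", "udp", h, "any", 53) for h in (H18, H17)]
BLOCK_445 = [Ace("deny", "tcp", H17, H18, 445), Ace("permit", "icmp", H17, H18)]
ORIGINAL_MAP = [(ALLOW_INET, "forward"), (BLOCK_445, "forward")]

# Last reply: access-list 100 -> drop, sequence 20 with no match -> forward.
ACL_100 = [Ace("permit", "tcp", H17, H18, 445)]
FIXED_MAP = [(ACL_100, "drop"), (None, "forward")]

# Extension for the stated goal: block 445 in both directions.
ACL_100_BOTH = ACL_100 + [Ace("permit", "tcp", H18, H17, 445)]
FIXED_MAP_BOTH = [(ACL_100_BOTH, "drop"), (None, "forward")]

# Constructed sample traffic (8.8.8.8 and port 50123 are assumptions).
SAMPLES = {
    "17->18 tcp/445": Packet("tcp", H17, H18, 445),
    "18->17 tcp/445": Packet("tcp", H18, H17, 445),
    "17->8.8.8.8 udp/53 (DNS query)": Packet("udp", H17, "8.8.8.8", 53),
    "8.8.8.8->17 udp/50123 (DNS reply)": Packet("udp", "8.8.8.8", H17, 50123),
    "17->18 icmp": Packet("icmp", H17, H18),
}


def evaluate(access_map) -> dict:
    """Action taken for every sample packet under the given access-map."""
    return {name: vacl_action(access_map, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, amap in (("TEST (original)", ORIGINAL_MAP),
                        ("FILTER445 (reply)", FIXED_MAP),
                        ("FILTER445 both directions", FIXED_MAP_BOTH)):
        print(label)
        for name, action in evaluate(amap).items():
            print(f"  {action:8} {name}")
```

Under the original map, the 17->18 port 445 packet hits the deny ACE in BLOCK-445, which only means "no match"; it then falls off the end of the VACL and is dropped, so the goal appears met. But the DNS reply is dropped the same way, because no permit ACE describes inbound traffic: that is the "no Internet" symptom in the first post, and why the poster reached for established (which helps only TCP; UDP replies still need their own permit). Under the reply's map the unmatched sequence 20 forwards everything else, and ACL 100 as posted blocks only 17->18, so a 445 connection initiated by .18 toward .17 still forwards until the reverse ACE is added.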