VLAN ACLs not working

Infuscomus · ‎05-14-2015

My VLAN access lists no longer work. Initially, they did, but now they have no effect.

The setup is on a 3750X and looks like this:

VLAN 300

IP address 10.11.12.1

ip access-group V3S out

ip access-list standard V3S

1 permit 10.11.12.23

2 permit 10.11.12.24

10 deny 10.11.12.33

50 permit any

The logic is that .23 and .24 are admin IP and will always be allowed.

Everyone is by default allowed except when required to be denied (like the case entry 10).

Problem is that the ACL has no effect. .33 is not denied, although matches are shown on V3S. .33 still has full access anywhere,

So what is wrong in here ?

I have tested this with VLAN MAP and it works, but just wondering if the simple method above should of worked too or is it mandatory to use the MAP system on VLANS.

Elliott Willink · ‎05-14-2015

Without knowing how you are testing or what you are trying to access as far as traffic egressing the vlan, what you are trying to achieve here is block traffic on Vlan300 from communicating with anything outside of it - What you want to do is apply your access-list inbound to Vlan300. The one thing that is certain is that any host on Vlan 300, if it wants to communicate outside the vlan, will need to come in to the router on the interface Vlan300.

Flip the access-group to be an access-group V3S in and you should be good to go.

Infuscomus · ‎05-14-2015

Hello Elliott.

It was inbound and I have changed to out outbound exactly because it did not work correctly.

Marshall, I am trying to deny certain IPs to enter the network (the specific VLAN and further on).

I tested both methods: inbound, that in theory should of denied the IPs from going into the VLAN and outbound - letting them into VLAN but not further - both did not work.

As for extended MAC ACLs - I tried that and it does not support line numbering so it prevents me from doing what I want. So if I deny MAC 1, MAC 2 and then permit the rest and later on want to add another MAC I will have to re-write the whole ACL.

P.S. I need those 2 because it is possible to be necessary to deny groups of hosts of all of them (.0 /.255) and device access is currently done through this VLAN so denying all would prevent me from accessing it if the 2 admin IPs are not there at the start of the list.

Jon Marshall · ‎05-14-2015

I don't know whether it will make a difference but I have always used extended acls for this sort of thing.

Try changing your acl to an extended one and then apply inbound and see if it works.

Jon

Infuscomus · ‎05-14-2015

There's nothing else in the cfg that would interfere.

It is the only ACL in it.

Could try extended IP ACL, but does that offer me line numbers or will it act like the MAC extended ?

Jon Marshall · ‎05-14-2015

It should give you the option of line numbers using a named extended acl.

If that doesn't work then there must be something else going on.

Jon

Elliott Willink · ‎05-14-2015

Can you post the whole config? It is a relatively straight-forward ACL so maybe there is something else going on.

Jon Marshall · ‎05-14-2015

Not sure what you are trying to do.

Are you trying to control which IP subnets can be accessed from the 10.11.12.x devices ?

Edit - I agree with Elliott (just seen his post).

Also you don't need permits for the specific hosts if you are permitting any at the end of your acl.

Finally, it is personal preference but I always use extended acls for this kind of thing.

Jon