1371 Views, 7 Helpful, 5 Replies

vlan filter not working

jennyjohn (Level 1)

My objective is to implement inter-VLAN filtering on my core switch. I have three VLANs, 1, 2 and 5, and want to block users in VLAN 1 & 2 from accessing VLAN 5. Only IP 192.168.1.103 in VLAN 1 should be able to access the servers in VLAN 5.

interface Vlan1
  ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
  ip address 192.168.2.254 255.255.255.0
!
interface Vlan5
  ip address 192.168.5.254 255.255.255.0
!
vlan access-map CCTV_VLAN_TRAFFIC 10
   match ip address BLOCK_TRAFFIC
   action drop
!
vlan access-map CCTV_VLAN_TRAFFIC 20
   match ip address ALLOW_TRAFFIC
   action forward
!
vlan filter CCTV_VLAN_TRAFFIC vlan-list 5
!
ip access-list extended BLOCK_TRAFFIC
  permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
  permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
!
ip access-list extended ALLOW_TRAFFIC
  permit ip host 192.168.1.103 192.168.5.0 0.0.0.255

I am not able to ping from any PC in vlan 1 & vlan 2 to vlan 5, but I am getting Request timed out and not Destination unreachable. Why?

I am also not able to ping from 192.168.1.103 to any devices on vlan 5. Please help me with my access-list.

Thanks in advance.

5 Replies

Jon Marshall (Hall of Fame)

jennyjohn wrote:

My objective is to implement inter-VLAN filtering on my core switch. I have three VLANs, 1, 2 and 5, and want to block users in VLAN 1 & 2 from accessing VLAN 5. Only IP 192.168.1.103 in VLAN 1 should be able to access the servers in VLAN 5.

interface Vlan1
  ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
  ip address 192.168.2.254 255.255.255.0
!
interface Vlan5
  ip address 192.168.5.254 255.255.255.0
!
vlan access-map CCTV_VLAN_TRAFFIC 10
   match ip address BLOCK_TRAFFIC
   action drop
!

It would be a lot easier to just use standard ACLs rather than VLAN maps, which are primarily used to block traffic within a VLAN.

access-list 101 permit ip host 192.168.1.103 192.168.5.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
!
int vlan 1
 ip access-group 101 in
!
int vlan 2
 ip access-group 102 in

Jon

Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

Ganesh Hariharan (VIP Alumni)

Hi,

As suggested, VLAN access-maps are best suited whenever you want to block traffic within a VLAN, and they act on the traffic as it comes into the VLAN. So, to overcome the issue, create two standard ACLs and apply them in the "in" direction on their respective VLAN interfaces.

Check out the below link on vlan access map implementation

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

Hope to Help !!

Remember to rate the helpful post

Ganesh.H

Thanks Jon and Ganesh,

I will go for standard ACLs, but this example from Cisco

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/secure.html#wp1051936

shows that vlan access-maps can be used between VLANs. Any idea why it does not work?

Thanks

Hello Jenny,

Since the VACL is applied to the broadcast domain of VLAN 5, all the IP ACLs referenced by your VACL should be written with 192.168.5.x as the source, not as the destination.

If you look at the example in the configuration guide you linked, they use the point of view of VLAN 10, the VLAN where the VACL of their example is applied.

I agree with Jon and Ganesh that simple router ACLs applied to the SVI Vlan5 (an L3 object), or to the other SVIs Vlan1 and Vlan2, are easier to understand.

Hope to help

Giuseppe

Hi,

With the original configuration of the vlan access-map, what I feel is that the permit statement comes as the second sequence number in the vlan access-map, while the first statement is a drop for the whole subnet; the IP that is permitted only appears in the second statement, so once the first statement is matched the next sequence is never evaluated. So if you make the second statement the first sequence number, your vlan access-map should work.

Hope to Help !!

Ganesh.H
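Pulling the three answers together (Ganesh's point about sequence order, Giuseppe's point that a VACL on VLAN 5 sees VLAN 5 from both sides, and Jon's router-ACL alternative), here is an added worked example; it is not code from the thread or from Cisco. It is a small Python model of how IOS evaluates a vlan access-map and a router ACL, fed with the VACL exactly as posted in the question plus an assumed reworked version. The reworked map (FIXED), the named ACL ACL_101 standing in for Jon's numbered list, and the sample host addresses such as 192.168.5.10 and 192.168.1.50 are assumptions for illustration.

```python
"""Model of how a Catalyst VACL (vlan access-map) and a router ACL judge a packet.
Constructed example: parser for the IOS-style syntax in this thread + first-match evaluation."""
import ipaddress


def _net(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' and return an IPv4Network."""
    tok = next(tokens)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(next(tokens) + "/32")
    ones = bin(int(ipaddress.IPv4Address(next(tokens)))).count("1")
    return ipaddress.IPv4Network(f"{tok}/{32 - ones}", strict=False)  # contiguous wildcard assumed


def parse_config(text):
    """Return ({acl_name: [(action, src_net, dst_net)]}, [(seq, acl_name or None, action)])."""
    acls, vacl, cur = {}, [], None
    for raw in text.splitlines():
        toks = raw.split()
        if not toks or toks[0] == "!":
            continue
        if toks[:3] == ["ip", "access-list", "extended"]:
            cur = acls.setdefault(toks[3], [])
        elif toks[0] in ("permit", "deny") and cur is not None:
            it = iter(toks[2:])  # toks[1] is the protocol ("ip")
            cur.append((toks[0], _net(it), _net(it)))
        elif toks[:2] == ["vlan", "access-map"]:
            vacl.append([int(toks[3]), None, None])
            cur = None
        elif toks[:3] == ["match", "ip", "address"]:
            vacl[-1][1] = toks[3]
        elif toks[0] == "action":
            vacl[-1][2] = toks[1]
    return acls, sorted((tuple(e) for e in vacl), key=lambda e: e[0])


def acl_permits(aces, src, dst):
    """First matching ACE decides; no match at all is the implicit deny of every IOS ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, snet, dnet in aces:
        if s in snet and d in dnet:
            return action == "permit"
    return False


def vacl_verdict(acls, vacl, src, dst):
    """A VACL has no direction: it sees every packet bridged within, routed into or routed
    out of the VLAN. Entries are tried in sequence order; the first whose ACL permits the
    packet wins; an entry with no match clause matches everything; no match = silent drop."""
    for seq, acl_name, action in vacl:
        if acl_name is None or acl_permits(acls.get(acl_name, []), src, dst):
            return f"{action} (seq {seq})"
    return "drop (no match, implicit deny)"


def router_acl_verdict(aces, src, dst):
    """Router ACL on an SVI: a denied packet is dropped and, with the IOS default
    'ip unreachables', answered with ICMP type 3 code 13 (administratively prohibited)."""
    return "forward" if acl_permits(aces, src, dst) else "drop + ICMP admin-prohibited"


ORIGINAL = """! the VACL exactly as posted in the question
ip access-list extended BLOCK_TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
ip access-list extended ALLOW_TRAFFIC
 permit ip host 192.168.1.103 192.168.5.0 0.0.0.255
vlan access-map CCTV_VLAN_TRAFFIC 10
 match ip address BLOCK_TRAFFIC
 action drop
vlan access-map CCTV_VLAN_TRAFFIC 20
 match ip address ALLOW_TRAFFIC
 action forward
"""

FIXED = """! assumed rework (not from the thread): host exception first, reply direction added, forward-all last
ip access-list extended ALLOW_TRAFFIC
 permit ip host 192.168.1.103 192.168.5.0 0.0.0.255
 permit ip 192.168.5.0 0.0.0.255 host 192.168.1.103
ip access-list extended BLOCK_TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
vlan access-map CCTV_VLAN_TRAFFIC 10
 match ip address ALLOW_TRAFFIC
 action forward
vlan access-map CCTV_VLAN_TRAFFIC 20
 match ip address BLOCK_TRAFFIC
 action drop
vlan access-map CCTV_VLAN_TRAFFIC 30
 action forward
"""

ROUTER_ACL_101 = """! Jon's ACL 101 for the VLAN 1 SVI, in named form so the same parser reads it
ip access-list extended ACL_101
 permit ip host 192.168.1.103 192.168.5.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
"""

if __name__ == "__main__":
    acls, vacl = parse_config(ORIGINAL)
    print(vacl_verdict(acls, vacl, "192.168.1.103", "192.168.5.10"))  # drop (seq 10)
```

The model reproduces both symptoms from the question. With the original map, 192.168.1.103's traffic into VLAN 5 hits sequence 10 first (BLOCK_TRAFFIC covers the whole 192.168.1.0/24) and is dropped, and any reply from 192.168.5.x matches neither ACL and falls to the VACL's implicit deny, so even after reordering the return direction must be permitted explicitly. It also answers the "Request timed out" question: a VACL drop happens in hardware with no ICMP message, so the ping client simply times out, whereas a router ACL deny on the SVI answers by default with ICMP type 3 code 13, which the client reports as destination unreachable. Note that the stateless forward-all at sequence 30 also lets VLAN 5 servers initiate connections toward VLAN 1 and 2; if that matters, the router-ACL approach from Jon's reply is the cleaner tool.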