02-04-2009 11:56 AM - edited 03-06-2019 03:51 AM
I am trying to kill off some NETBIOS traffic within a VLAN with a VLAN filter map so it doesn't keep filling up my logs when it fails against the inbound ACL on the VLAN interface, but it is not working as I expect it to (and my other VLAN filter maps are).
I am working with VLAN 4, so I have:
interface Vlan4
description Console and Management Traffic
ip address 172.17.0.97 255.255.255.224
ip access-group Console_NetIn in
ip access-group Console_NetOut out
end
My IP Access-list:
Extended IP access list NetBiosMap
10 permit udp host 172.17.0.98 host 172.17.0.127 range 127 128
20 permit udp host 172.17.0.98 eq 127 any
30 permit udp host 172.17.0.98 eq 128 any
My Vlan Access-map:
vlan access-map Filter_VL4 10
action drop
match ip address NetBiosMap
vlan access-map Filter_VL4 20
action forward
Applied:
vlan filter Filter_VL4 vlan-list 4
Verify:
VLAN Map Filter_VL4 is filtering VLANs:
4
--------------- but -----------
I keep getting:
Feb 4 13:56:34: %SEC-6-IPACCESSLOGP: list Console_NetIn denied udp 172.17.0.98(138) -> 172.17.0.127(138), 1 packet
ARGH! Help?
02-04-2009 12:14 PM
Hello Bill,
Try to write it in the opposite order, using an ACL that denies the traffic you want to stop, used in the first action forward block.
The first ACL denies the traffic and then permits all the other traffic with action forward,
so you can use a single block.
See:
http://www.cisco.com/en/US/docs/switches/metro/catalyst3750m/software/release/12.2_46_se/configuration/guide/swacl.html#wp1075348
Hope to help
Giuseppe
02-04-2009 12:42 PM
I think that that is what I have already done ... it is very similar to this: http://www.cisco.com/en/US/docs/switches/metro/catalyst3750m/software/release/12.2_46_se/configuration/guide/swacl.html#wp1082532
vlan access-map Filter_VL4 10
action drop
match ip address NetBiosMap
vlan access-map Filter_VL4 20
action forward
My first access-map statement matches the traffic I want to drop, the second access-map statement passes everything else.
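An added example (not part of any post in this thread): a small Python check that replays the logged packet from the first post against the NetBiosMap entries as posted and reports, per entry, which field fails to match. It handles only the `host`/`any` and `eq`/`range` forms that appear in this thread; the function names are illustrative assumptions.

```python
import re
# ACL entries and log line as posted in the thread (not constructed).
ACL = """\
10 permit udp host 172.17.0.98 host 172.17.0.127 range 127 128
20 permit udp host 172.17.0.98 eq 127 any
30 permit udp host 172.17.0.98 eq 128 any
"""
LOG = ("Feb 4 13:56:34: %SEC-6-IPACCESSLOGP: list Console_NetIn denied udp "
       "172.17.0.98(138) -> 172.17.0.127(138), 1 packet")

def _endpoint(tok):
    """Consume 'host A' or 'any', then an optional 'eq P' or 'range P Q'."""
    addr = None if tok.pop(0) == "any" else tok.pop(0)
    lo, hi = 0, 65535                      # no port operator: any port
    if tok and tok[0] in ("eq", "range"):
        n = 2 if tok[0] == "eq" else 3
        lo, hi = int(tok[1]), int(tok[n - 1])
        del tok[:n]
    return addr, (lo, hi)

def parse_acl(text):
    """Return [(seq, proto, src, dst)] for lines shaped like the ones above."""
    aces = []
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        rest = tok[3:]                     # tok[1] is always 'permit' here
        aces.append((int(tok[0]), tok[2], _endpoint(rest), _endpoint(rest)))
    return aces

def parse_log(line):
    """Extract (proto, src ip, src port, dst ip, dst port) from IPACCESSLOGP."""
    m = re.search(r"denied (\w+) ([\d.]+)\((\d+)\) -> ([\d.]+)\((\d+)\)", line)
    proto, sip, sport, dip, dport = m.groups()
    return proto, sip, int(sport), dip, int(dport)

def mismatches(ace, pkt):
    """Fields in which the packet fails this ACE; an empty list is a match."""
    _, p, (sa, (slo, shi)), (da, (dlo, dhi)) = ace
    proto, sip, sport, dip, dport = pkt
    checks = {"protocol": p == proto, "src addr": sa in (None, sip),
              "src port": slo <= sport <= shi, "dst addr": da in (None, dip),
              "dst port": dlo <= dport <= dhi}
    return [name for name, ok in checks.items() if not ok]

def first_match(aces, pkt):  # sequence number of the first matching ACE, else None
    return next((a[0] for a in aces if not mismatches(a, pkt)), None)

if __name__ == "__main__":
    aces, pkt = parse_acl(ACL), parse_log(LOG)
    print({a[0]: mismatches(a, pkt) for a in aces}, first_match(aces, pkt))
```

With the values as posted, no NetBiosMap entry matches the logged packet: entry 10 fails on destination port, and entries 20 and 30 fail on source port.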