Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
502
Views
0
Helpful
1
Replies

VLAN Filtering

andrewdours
Level 1
Level 1

‎11-05-2012 11:31 AM - edited ‎03-07-2019 09:52 AM

I've done a few route maps before and the logic is pretty much the same.  I just can't figure this one out.

It's probably not the best solution, but it is what I have to work with.  I would like to configure a guest vlan on our network and only allow access for DHCP, DNS, and Web.  I'm attempting to use a VLAN filter along with a L3 ACL on the L3 VLAN.  My L3 ACL seems to work fine.  I've been able to block access to the other internal subnets.  I would like users of this subnet to be able to ping the gateway and to traceroute to the Internet.  I'm not sure why I care, but I would also like to block all communication from user to user within the same guest vlan.  I've created the following ACL and VLAN access-map, but I'm still able to ping hosts on the same guest network and am also able to open a share on another host. 

I'm intentionally not matching the deny statements since the action is to drop.  Then, I want to drop the permit statements.  With this configuration, I can pull DHCP, DNS, and surf the web.  I have tested this functionality by adjusting those rules back to permit.  When I do that it breaks DHCP, DNS, and web.  The only piece that is not working is to block communication between hosts on the same guest vlan.  Any ideas?         

vlan access-map map982 10

action drop

match ip address acl982

vlan access-map map982 20

action forward

match ip address aclMatchAll

     

vlan filter map982 vlan-list 982

ip access-list extended acl982

deny   icmp any host 10.98.207.1 unreachable

deny   icmp any host 10.98.207.1 time-exceeded

deny   icmp any host 10.98.207.1 echo-reply

deny   icmp any host 10.98.207.1 echo

deny   icmp host 10.98.207.1 any echo

deny   icmp host 10.98.207.1 any echo-reply

deny   icmp host 10.98.207.1 any time-exceeded

deny   icmp host 10.98.207.1 any unreachable

deny   udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps

deny   udp host 10.98.207.1 eq bootps any eq bootpc

deny   udp 10.98.207.0 0.0.0.255 host 10.0.0.1 eq domain

permit ip 10.98.207.0 0.0.0.255 10.98.207.0 0.0.0.255

permit ip 10.98.207.0 0.0.0.255 10.0.0.0 0.255.255.255

permit ip 10.98.207.0 0.0.0.255 172.16.0.0 0.15.255.255

permit ip 10.98.207.0 0.0.0.255 192.168.0.0 0.0.255.255

Thanks all.

Labels:
0 Helpful
1 Reply 1

PowerBarry43
Level 1
Level 1

‎11-06-2012 06:39 AM

Hi I'm a little rusty on ACLs but my understanding was that you normally need an implicit deny ip any at the bottom of the ACL. sorry if this suggestion is a silly one

Hope this helps!

Barry

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card