Re: Issues With VACLs

From: Kenneth Ratliff <lists_at_cluebat.net>
Date: Sun, 29 Apr 2012 01:30:55 -0400

On 4/28/12 11:55 AM, "rufai michael" <michaelolusegunrufai_at_gmail.com>
wrote:

>Hi all, I am trying to prevent host 10.1.40.1 in vlan 40 from accessing any
>other host in vlan 40;
>
>here's my config:
>
>ip access-lists extended 10.1.40.1
>permit ip host 10.1.40.1 any
>
>vlan access-map TEST 10
>match ip add 10.1.40.1
>action drop
>vlan access-map TEST 20
>action forward
>
>vlan filter TEST vlan-list 40
>I'm working on a 3560, but any time I paste this command it seems not to be
>working;
>is there anything I am missing?

Your logic seems sound. I'm working on a 3560 as well, and followed your
logic for a lab I was in the middle of.

Pre-application:

RSRack7SW3#ping 128.7.109.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 128.7.109.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Configuration:

RSRack7SW2(config)#ip access-list extended VACL
RSRack7SW2(config-ext-nacl)#permit ip host 128.7.109.9 any
RSRack7SW2(config-ext-nacl)#vlan access-map TEST
RSRack7SW2(config-access-map)#match ip address VACL
RSRack7SW2(config-access-map)#action drop
RSRack7SW2(config-access-map)#vlan access-map TEST 20
RSRack7SW2(config-access-map)#action forward
RSRack7SW2(config-access-map)#exit
RSRack7SW2(config)#vlan filter TEST vlan-list 109

Post application test:

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 128.7.109.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Removal of filter list and re-test:

RSRack7SW2(config)#no vlan filter TEST vlan-list 109

RSRack7SW3#ping 128.7.109.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 128.7.109.10, timeout is 2 seconds:
!!!!!

So I would guess you likely have a typo in your configuration somewhere.

>
>Q2. I also want to do an inter-vlan filter, i.e. host 10.1.40.1 should not be
>able to access a server at 10.1.50.1 in vlan 50.
>
>-> Will the config be done as close to the destination, i.e. the switch where
>vlan 50 or the server is located, or does it not really matter? Because in
>my network I have a lot of switches on each floor in the building, segmented on
>each floor into different vlans.

For traffic that I know I'm going to drop, I prefer to do it as close to
the source as possible; there's no reason to have packets that I'm going to kick
to the bit bucket transit the links unless they have to.

However, depending on the scale of the network, I may decide to drop it
later, just to maintain consistency. I.e., in a very large network, I would
standardize my choke points and drop traffic at a consistent point so that
if there's ever a question, I don't have to remember, or other folks don't
have to waste time figuring out that I decided to go apply a VACL to an
access switch instead of just dropping it at the router.
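To make the sequence-ordered behaviour of the lab VACL above concrete, here is an added Python model of how a VLAN access-map is evaluated (example code written for this reply, not Cisco's implementation): clauses are tried in sequence order, a clause without a match statement matches everything, an ACL permit means "this clause applies" while a deny or no match means "try the next clause", and a packet that matches no clause hits the implicit drop. The ACL and map contents are a constructed copy of the configuration in the reply; the hypothetical TEST_MAP_NO_FORWARD shows what happens when the forwarding sequence 20 is forgotten.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Dict

@dataclass
class AclEntry:
    permit: bool            # True for "permit", False for "deny"
    src: str                # "host A.B.C.D", "any", or "A.B.C.D/len"
    dst: str

@dataclass
class MapEntry:
    seq: int
    action: str             # "drop" or "forward"
    match_acl: Optional[str]  # None = no match statement, clause matches all

def _in(spec: str, addr: str) -> bool:
    """Does an address fall inside an ACL source/destination specifier?"""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(spec[5:]) == ipaddress.ip_address(addr)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def acl_matches(acl: List[AclEntry], src: str, dst: str) -> bool:
    """First matching ACE decides: permit = clause applies, deny = skip clause.
    No matching ACE at all also means the clause does not apply."""
    for ace in acl:
        if _in(ace.src, src) and _in(ace.dst, dst):
            return ace.permit
    return False

def vacl_decide(access_map: List[MapEntry], acls: Dict[str, List[AclEntry]],
                src: str, dst: str) -> str:
    """Walk sequences in order; the first applicable clause's action wins.
    A packet matching no clause is dropped (VACL implicit deny)."""
    for clause in sorted(access_map, key=lambda c: c.seq):
        if clause.match_acl is None or acl_matches(acls[clause.match_acl], src, dst):
            return clause.action
    return "drop"

# Constructed model of the reply's lab config (VLAN 109, host 128.7.109.9).
ACLS = {"VACL": [AclEntry(True, "host 128.7.109.9", "any")]}
TEST_MAP = [MapEntry(10, "drop", "VACL"), MapEntry(20, "forward", None)]
# Hypothetical variant with sequence 20 missing: every other packet is dropped too.
TEST_MAP_NO_FORWARD = [MapEntry(10, "drop", "VACL")]

if __name__ == "__main__":
    print(vacl_decide(TEST_MAP, ACLS, "128.7.109.9", "128.7.109.10"))              # drop
    print(vacl_decide(TEST_MAP, ACLS, "128.7.109.10", "128.7.109.9"))              # forward
    print(vacl_decide(TEST_MAP_NO_FORWARD, ACLS, "128.7.109.10", "128.7.109.9"))   # drop
```

The echo request from 128.7.109.9 is dropped by sequence 10 while replies from other hosts still pass sequence 20, which is why the ping fails cleanly; without sequence 20 the whole VLAN goes dark, the classic VACL mistake to check for when a filter "does nothing" or "breaks everything".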

Received on Sun Apr 29 2012 - 01:30:55 ART