  1. Member
    Join Date
    Jul 2016
    Posts
    65

    Certifications
    CCNA R&S CompTIA A+
    #1

    Scratching my head on VACL config

    Learning VACLs, and have created an example right out of the Cisco paper. The goal is to deny any IP access to my PC connected to the switch, whilst allowing traffic from all other devices through. The reality is my PC is still surfing the internet. My config is as follows:

    Standard IP access list 88 (To let everything else through)
    10 permit any

    Extended IP access list 189
    10 permit ip host 10.10.1.242 any (12 matches) (my PC)

    the vlan access-map:

    switch1#sh vlan access-map thor
    Vlan access-map "thor" 10
    Match clauses:
    ip address: 189
    Action:
    drop
    Vlan access-map "thor" 20
    Match clauses:
    ip address: 88
    Action:
    forward

    And have applied this map to vlan 1 where the pc is:

    switch1#sh vlan filter
    VLAN Map thor is filtering VLANs:
    1

    According to the VACL paper:

    "Each VLAN access map can consist of one or more map sequences; each sequence has a match
    clause and an action clause. The match clause specifies IP or MAC ACLs for traffic filtering and the
    action clause specifies the action to be taken when a match occurs. When a flow matches a permit
    ACL entry, the associated action is taken and the flow is not checked against the remaining sequences"

    Which is typical of ACL lists - the first match we exit. That match above is to drop the packets, and I can see I even have matches on ACL 189, and yet the map/filter is not dropping the packets.

    What have I done wrong?

    /adrian

  3. Senior Member
    Join Date
    Jan 2012
    Posts
    1,247

    Certifications
    BS IT (CCNA R&S, Security, Voice) CCDA, MCP XP, A+, L+, P+, LPIC-1, SUSE CLA
    #2
    Can you paste the show run or the configs relevant to the VACL that you created? First thing that comes to mind: did you apply it correctly to the VLAN?
    In life you have to make your own opportunities. Don't let anyone stop you from your dreams; too many negative people want you to fail because they can't succeed.

  4. Member
    Join Date
    Jul 2016
    Posts
    65

    Certifications
    CCNA R&S CompTIA A+
    #3
    Quote Originally Posted by dmarcisco View Post
    Can you paste the show run or the configs relevant to the VACL that you created? First thing that comes to mind: did you apply it correctly to the VLAN?
    Hi!

    Sure can. Still not got to the bottom of it, although I have shifted a bit to MST in the last 24 hours. It's pretty much what I posted at the outset.

    From sh run, the following relevant bits:

    All the vlan access maps, with the single filter at the bottom, showing which has been applied:

    vlan access-map test1 10
    action forward
    vlan access-map emachines 10
    action forward
    match ip address 133
    vlan access-map newtest 10
    action drop
    match ip address 177
    vlan access-map newtest 20
    action forward
    match ip address 178
    vlan access-map thor 10
    action drop
    match ip address 189
    vlan access-map thor 20
    action forward
    match ip address 88
    vlan access-map thor 30
    action drop
    match ip address 189
    !
    vlan filter thor vlan-list 1

    ...and the access lists:

    access-list 88 permit any
    access-list 100 deny icmp any any
    access-list 100 permit ip any any
    access-list 133 permit tcp host 10.10.1.118 host 10.10.1.112 eq www
    access-list 133 permit tcp host 10.10.1.112 eq www host 10.10.1.118
    access-list 133 permit ip host 10.10.1.112 any
    access-list 133 permit ip any host 10.10.1.112
    access-list 133 permit ip host 10.10.1.118 any
    access-list 133 permit ip any host 10.10.1.118
    access-list 177 permit ip host 10.10.1.242 any
    access-list 178 permit ip any any
    access-list 189 permit ip host 10.10.1.242 any

    Cheers,

    Adrian

  5. Senior Member
    Join Date
    Jan 2012
    Posts
    1,247

    Certifications
    BS IT (CCNA R&S, Security, Voice) CCDA, MCP XP, A+, L+, P+, LPIC-1, SUSE CLA
    #4
    Are you sure it is not working? I just quickly labbed this up to verify, and what you have does work. I tried the ACLs and VLAN maps, and the host 10.10.1.242 could not ping out to anything after I applied your VACL.

    When you say that after you lab it out your PC can still access the internet, did you configure a physical switch and connect it to your PC? After you applied the VACL, it still accessed the internet? Was your wifi card still on?

    These are the configs relevant to your "thor" VACL:

    access-list 189 permit ip host 10.10.1.242 any
    access-list 88 permit any


    vlan access-map thor 10
    action drop
    match ip address 189
    vlan access-map thor 20
    action forward
    match ip address 88
    !
    vlan filter thor vlan-list 1
    Last edited by dmarcisco; 06-02-2017 at 04:08 AM.

  6. Member
    Join Date
    Jul 2016
    Posts
    65

    Certifications
    CCNA R&S CompTIA A+
    #5
    Quote Originally Posted by dmarcisco View Post
    Are you sure it is not working? I just quickly labbed this up to verify, and what you have does work. I tried the ACLs and VLAN maps, and the host 10.10.1.242 could not ping out to anything after I applied your VACL.

    When you say that after you lab it out your PC can still access the internet, did you configure a physical switch and connect it to your PC? After you applied the VACL, it still accessed the internet? Was your wifi card still on?

    These are the configs relevant to your "thor" VACL:

    access-list 189 permit ip host 10.10.1.242 any
    access-list 88 permit any


    vlan access-map thor 10
    action drop
    match ip address 189
    vlan access-map thor 20
    action forward
    match ip address 88
    !
    vlan filter thor vlan-list 1
    Apologies for the tardiness, I have not had a chance to comment on this until now.

    To answer your questions, here is a bit of background:
    fa0/5 is connected to a laptop, which has wireless disabled:

    [screenshot: image.png]

    I have separated the test into VLAN 10. Following are from the running config:

    interface FastEthernet0/5
    description test3
    switchport access vlan 10
    switchport mode access
    switchport port-security maximum 5
    switchport port-security mac-address sticky
    ip verify source port-security
    end
    Filter:
    !
    vlan filter no_33 vlan-list 10
    !

    Accessmap:

    vlan access-map no_33 10
    action drop
    match ip address 190
    vlan access-map no_33 20
    action forward
    match ip address 88

    ACL:

    access-list 88 permit any
    access-list 190 permit ip host 10.10.1.33 any
    After changing the vlan to 10, I am still seeing the same behaviour - 10.10.1.33 is still able to surf.

    If I add the line 'permit icmp host any any' to access list 190, then this kills ICMP from any host in VLAN 10.

    If I add the line 'permit icmp host 10.10.1.33 any' to access list 190, then 10.10.1.33 is still able to ping. It's almost as if the switch is not recognising 10.10.1.33 as the IP of my laptop host, but from Wireshark:

    [Wireshark capture: unnamed.jpg]


    It's kind of got me stumped. I was thinking that perhaps it might have something to do with the NATting going on at the router, but this switch connected to the laptop has no NAT, and it should be killing the frames before they get out of the VLAN, right?

    If I think of anything else to test, I'll add it here.

  7. Member
    Join Date
    Jul 2016
    Posts
    65

    Certifications
    CCNA R&S CompTIA A+
    #6
    When I apply the following ACL:

    Extended IP access list 191
    10 deny icmp host 10.10.1.33 any
    20 permit ip any any (5 matches)

    on port fa0/5, then all is golden: the laptop is denied pinging, but can otherwise surf.
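As an added illustration (not code from the thread or from Cisco), the following Python models the evaluation order the Cisco paper quoted in post #1 describes for the "thor" map, beside the interface ACL 191 from the post above, so the two behaviours can be compared on constructed packets. The "no sequence matched means drop" default follows Cisco's VACL documentation; the destination addresses are made up.

```python
# Added example (not from the thread or from Cisco): a minimal model of how a
# VLAN access map and an interface ACL each evaluate one packet.
# Packets and ACEs are dicts with keys proto, src, dst; "ip" as proto and
# "any" as src/dst are wildcards, as in the IOS syntax quoted in the thread.

def acl_lookup(acl, pkt):
    """Return the action of the first ACE matching pkt ('permit' or 'deny'),
    or None when no entry matches."""
    for ace in acl:
        if (ace["proto"] in ("ip", pkt["proto"])
                and ace["src"] in ("any", pkt["src"])
                and ace["dst"] in ("any", pkt["dst"])):
            return ace["action"]
    return None

def vacl_action(access_map, acls, pkt):
    """VACL semantics from the quoted paper: sequences are walked in order and
    the first whose match ACL hits a *permit* ACE decides the action; a deny
    ACE or no hit falls through to the next sequence. A packet that matches
    no sequence is dropped (Cisco's documented default for a map with an IP
    match clause)."""
    for _seq, match_acl, action in access_map:
        if acl_lookup(acls[match_acl], pkt) == "permit":
            return action
    return "drop"

def port_acl_action(acl, pkt):
    """Interface ACL semantics (post #6): the first matching ACE decides, and
    a packet matching nothing hits the implicit deny."""
    return acl_lookup(acl, pkt) or "deny"

# Config transcribed from the thread: ACLs 88 and 189, map "thor" seq 10/20.
ACLS = {
    88: [{"action": "permit", "proto": "ip", "src": "any", "dst": "any"}],
    189: [{"action": "permit", "proto": "ip", "src": "10.10.1.242", "dst": "any"}],
}
THOR = [(10, 189, "drop"), (20, 88, "forward")]

# Extended ACL 191 from post #6, applied on fa0/5.
ACL_191 = [
    {"action": "deny", "proto": "icmp", "src": "10.10.1.33", "dst": "any"},
    {"action": "permit", "proto": "ip", "src": "any", "dst": "any"},
]

if __name__ == "__main__":
    # Constructed packets: the PC from post #1, another host in the VLAN,
    # and a ping from the laptop in post #6 (destination is made up).
    pc = {"proto": "tcp", "src": "10.10.1.242", "dst": "192.0.2.10"}
    other = {"proto": "tcp", "src": "10.10.1.118", "dst": "192.0.2.10"}
    ping = {"proto": "icmp", "src": "10.10.1.33", "dst": "192.0.2.10"}
    print(vacl_action(THOR, ACLS, pc), vacl_action(THOR, ACLS, other))
    print(port_acl_action(ACL_191, ping))
```

Running it gives drop for 10.10.1.242 and forward for any other host, which is the result dmarcisco reproduced in his lab; the last assertion-style case in the model also shows why a map consisting only of a drop sequence would silence the whole VLAN.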
