Scratching my head on VACL config
Learning VACLs, and I have created an example right out of the Cisco paper. The goal is to deny any IP access to my PC connected to the switch, whilst allowing traffic from all other devices through. The reality is that my PC is still surfing the internet. My config is as follows:
Standard IP access list 88 (To let everything else through)
10 permit any
Extended IP access list 189
10 permit ip host 10.10.1.242 any (12 matches) (my PC)
The VLAN access-map:
switch1#sh vlan access-map thor
Vlan access-map "thor" 10
Match clauses:
ip address: 189
Action:
drop
Vlan access-map "thor" 20
Match clauses:
ip address: 88
Action:
forward
And I have applied this map to VLAN 1, where the PC is:
switch1#sh vlan filter
VLAN Map thor is filtering VLANs:
1
According to the VACL paper:
"Each VLAN access map can consist of one or more map sequences; each sequence has a match
clause and an action clause. The match clause specifies IP or MAC ACLs for traffic filtering and the
action clause specifies the action to be taken when a match occurs. When a flow matches a permit
ACL entry, the associated action is taken and the flow is not checked against the remaining sequences"
This is typical of ACLs - on the first match we exit. The match above is to drop the packets, and I can see I even have matches on ACL 189, and yet the map/filter is not dropping the packets.
What have I done wrong?
/adrian
2017 Goals: Cisco: [x]Switch [ ]Route [ ]Tshoot
Cisco engineer's command to teach his dog to sit: "no stand"
Comments
Legacy User (Unregistered / Not Logged In, Posts: 0):
Can you paste the show run or configs relevant to VACL that you created. First thing that comes to mind: did you apply it correctly to the vlan?
adrianm68 (Member, Posts: 65), replying to the post above:
Hi!
Sure can. Still not got to the bottom of it, although I have shifted a bit to MST in the last 24 hours. It's pretty much what I posted at the outset.
From sh run, the following relevant bits:
All the vlan access maps, with the single filter at the bottom, showing which has been applied:
vlan access-map test1 10
action forward
vlan access-map emachines 10
action forward
match ip address 133
vlan access-map newtest 10
action drop
match ip address 177
vlan access-map newtest 20
action forward
match ip address 178
vlan access-map thor 10
action drop
match ip address 189
vlan access-map thor 20
action forward
match ip address 88
vlan access-map thor 30
action drop
match ip address 189
!
vlan filter thor vlan-list 1
...and the access lists:
access-list 88 permit any
access-list 100 deny icmp any any
access-list 100 permit ip any any
access-list 133 permit tcp host 10.10.1.118 host 10.10.1.112 eq www
access-list 133 permit tcp host 10.10.1.112 eq www host 10.10.1.118
access-list 133 permit ip host 10.10.1.112 any
access-list 133 permit ip any host 10.10.1.112
access-list 133 permit ip host 10.10.1.118 any
access-list 133 permit ip any host 10.10.1.118
access-list 177 permit ip host 10.10.1.242 any
access-list 178 permit ip any any
access-list 189 permit ip host 10.10.1.242 any
Cheers,
Adrian
2017 Goals: Cisco: [x]Switch [ ]Route [ ]Tshoot
Cisco engineer's command to teach his dog to sit: "no stand"
Legacy User (Unregistered / Not Logged In, Posts: 0):
Are you sure it is not working? I just quickly labbed this up to verify, and what you have does work. I tried the ACLs and VLAN maps, and the host 10.10.1.242 could not ping out to anything after I applied your VACL.
When you say that after you lab it out your PC can still access the internet, did you configure a physical switch and connect it to your PC? After you applied the VACL, did it still access the internet? Was your wifi card still on?
These are the configs relevant to your "thor" VACL:
access-list 189 permit ip host 10.10.1.242 any
access-list 88 permit any
vlan access-map thor 10
action drop
match ip address 189
vlan access-map thor 20
action forward
match ip address 88
!
vlan filter thor vlan-list 1
adrianm68 (Member, Posts: 65), replying to the post above:
Apologies for the tardiness, I have not had a chance to comment on this until now.
To answer your questions, here is a bit of background:
fa0/5 is connected to a laptop, which has wireless disabled. I have separated the test into VLAN 10. The following are from the running config:
interface FastEthernet0/5
description test3
switchport access vlan 10
switchport mode access
switchport port-security maximum 5
switchport port-security mac-address sticky
ip verify source port-security
end
Filter:
!
vlan filter no_33 vlan-list 10
!
Access map:
vlan access-map no_33 10
action drop
match ip address 190
vlan access-map no_33 20
action forward
match ip address 88
ACL:
access-list 88 permit any
access-list 190 permit ip host 10.10.1.33 any
After changing the VLAN to 10, I am still seeing the same behaviour - 10.10.1.33 is still able to surf.
If I add the line 'permit icmp host any any' to access list 190, then this kills ICMP from any host in VLAN 10.
If I add the line 'permit icmp host 10.10.1.33 any' to access list 190, then 10.10.1.33 is still able to ping. It's almost as if the switch is not recognising 10.10.1.33 as the IP of my laptop host - but from Wireshark:
It's kind of got me stumped. I was thinking that perhaps it might have something to do with the NATting going on at the router, but this switch connected to the laptop has no NAT, and it should be killing the frames before they get out of the VLAN, right?
If I think of anything else to test, I'll add it here.
2017 Goals: Cisco: [x]Switch [ ]Route [ ]Tshoot
Cisco engineer's command to teach his dog to sit: "no stand"
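An added model of the matching rule quoted from the Cisco paper in the opening post, applied to the "thor" map and to the ACL 190 experiments in the reply above. It is constructed for this thread, not Cisco code and not a claim about what the switch actually did; it assumes the documented semantics (a sequence applies its action when its match ACL permits the flow, evaluation stops at the first such sequence, and a flow no sequence matches is dropped) and uses 203.0.113.10 as a made-up internet address.

```python
from dataclasses import dataclass

# Constructed model of VACL evaluation for this thread; not the switch's code.
# "any" is the only wildcard the thread's ACLs use, so that is all we model.

@dataclass(frozen=True)
class Packet:
    proto: str  # "icmp", "tcp", ...
    src: str
    dst: str

@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches every IP protocol
    src: str
    dst: str

def ace_matches(ace, pkt):
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ace.src in ("any", pkt.src)
            and ace.dst in ("any", pkt.dst))

def acl_permits(acl, pkt):
    """First matching ACE decides; an ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False

def vacl_action(access_map, acls, pkt):
    """Sequences are tried in order; the first one whose match ACL permits
    the flow supplies the action. Unmatched flows get the map's default drop."""
    for _seq, acl_name, action in access_map:
        if acl_permits(acls[acl_name], pkt):
            return action
    return "drop"

ACLS = {
    "88":  [Ace("permit", "ip", "any", "any")],
    "189": [Ace("permit", "ip", "10.10.1.242", "any")],
    "190": [Ace("permit", "ip", "10.10.1.33", "any")],
    # ACL 190 with the 'permit icmp any any' line added in the reply above
    "190+icmp_any": [Ace("permit", "ip", "10.10.1.33", "any"),
                     Ace("permit", "icmp", "any", "any")],
}
THOR = [(10, "189", "drop"), (20, "88", "forward")]

def no_33_map(acl_name):
    """The no_33 map from the reply, parameterised by which ACL 190 variant it matches."""
    return [(10, acl_name, "drop"), (20, "88", "forward")]
```

Under this model the laptop's outbound packets are dropped by sequence 10 in both maps, and adding 'permit icmp host 10.10.1.33 any' changes nothing because the existing 'permit ip host 10.10.1.33 any' entry already permits that ICMP, so the behaviour reported in the thread is not what the documented semantics predict. Return packets addressed to the PC are not permitted by ACL 189 or 190 and fall through to sequence 20, but with the outbound leg dropped no session can complete.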
adrianm68 (Member, Posts: 65):
When I apply the following ACL:
Extended IP access list 191
10 deny icmp host 10.10.1.33 any
20 permit ip any any (5 matches)
on the port fa0/5, then all is golden - the laptop is denied pinging, but can otherwise surf.
2017 Goals: Cisco: [x]Switch [ ]Route [ ]Tshoot
Cisco engineer's command to teach his dog to sit: "no stand"