Scratching my head on VACL config

adrianm68adrianm68 MemberMember Posts: 65 ■■□□□□□□□□
Learning VACL's, and have created an example right out of the Cisco paper. The goal is to deny any IP access to my PC connected to the switch, whilst allowing traffic from all other devices through. The reality is my pc is still surfing the internet. My config is as follows:

Standard IP access list 88 (To let everything else through)
10 permit any

Extended IP access list 189
10 permit ip host 10.10.1.242 any (12 matches) (my PC)

the vlan access-map:

switch1#sh vlan access-map thor
Vlan access-map "thor" 10
Match clauses:
ip address: 189
Action:
drop
Vlan access-map "thor" 20
Match clauses:
ip address: 88
Action:
forward

And have applied this map to vlan 1 where the pc is:

switch1#sh vlan filter
VLAN Map thor is filtering VLANs:
1

According to the VACL paper:

"Each VLAN access map can consist of one or more map sequences; each sequence has a match
clause and an action clause. The match clause specifies IP or MAC ACLs for traffic filtering and the
action clause specifies the action to be taken when a match occurs. When a flow matches a permit
ACL entry, the associated action is taken and the flow is not checked against the remaining sequences"

Which is typical of ACL lists - the first match we exit. That match above is to drop the packets, and I can see I even have matches on ACL 189, and yet the map/filter is not dropping the packets.

What have I done wrong?

/adrian
2017 Goals: Cisco: [x]Switch [ ]Route [ ]Tshoot

Cisco engineer's command to teach his dog to sit: "no stand"

Comments

  • Legacy UserLegacy User Unregistered / Not Logged In Posts: 0 ■□□□□□□□□□
    Can you paste the show run or configs relevant to VACL that you created. First thing that comes Did you apply it correctly to the vlan?
  • adrianm68adrianm68 Member Member Posts: 65 ■■□□□□□□□□
    dmarcisco wrote: »
    Can you paste the show run or configs relevant to VACL that you created. First thing that comes Did you apply it correctly to the vlan?

    Hi!

    Sure can. Still not got to the bottom of it, although I have shifted a bit to MST in the last 24 hours. It's pretty much what I posted at the outset..

    From sh run, the following relevant bits:

    All the vlan access maps, with the single filter at the bottom, showing which has been applied:

    vlan access-map test1 10
    action forward
    vlan access-map emachines 10
    action forward
    match ip address 133
    vlan access-map newtest 10
    action drop
    match ip address 177
    vlan access-map newtest 20
    action forward
    match ip address 178
    vlan access-map thor 10
    action drop
    match ip address 189
    vlan access-map thor 20
    action forward
    match ip address 88
    vlan access-map thor 30
    action drop
    match ip address 189
    !
    vlan filter thor vlan-list 1

    ...and the access lists:

    access-list 88 permit any
    access-list 100 deny icmp any any
    access-list 100 permit ip any any
    access-list 133 permit tcp host 10.10.1.118 host 10.10.1.112 eq www
    access-list 133 permit tcp host 10.10.1.112 eq www host 10.10.1.118
    access-list 133 permit ip host 10.10.1.112 any
    access-list 133 permit ip any host 10.10.1.112
    access-list 133 permit ip host 10.10.1.118 any
    access-list 133 permit ip any host 10.10.1.118
    access-list 177 permit ip host 10.10.1.242 any
    access-list 178 permit ip any any
    access-list 189 permit ip host 10.10.1.242 any

    Cheers,

    Adrian
    2017 Goals: Cisco: [x]Switch [ ]Route [ ]Tshoot

    Cisco engineer's command to teach his dog to sit: "no stand"
  • Legacy UserLegacy User Unregistered / Not Logged In Posts: 0 ■□□□□□□□□□
    Are you sure it is not working? I just quickly labbed this up to verify and what you have does work. I tried the acl's and vl maps and the host 10.10.1.242 could not ping out to anything after I applied your vacl.

    When you say after you lab it out your pc can still access the internet did you configure a physical switch and connected it to your pc? After you applied the vacl it still accessed the internet? Was your wifi card still on?

    These are the configs relevant to your "thor" vacl

    access-list 189 permit ip host 10.10.1.242 any
    access-list 88 permit any


    vlan access-map thor 10
    action drop
    match ip address 189
    vlan access-map thor 20
    action forward
    match ip address 88
    !
    vlan filter thor vlan-list 1
  • adrianm68adrianm68 Member Member Posts: 65 ■■□□□□□□□□
    dmarcisco wrote: »
    Are you sure it is not working? I just quickly labbed this up to verify and what you have does work. I tried the acl's and vl maps and the host 10.10.1.242 could not ping out to anything after I applied your vacl.

    When you say after you lab it out your pc can still access the internet did you configure a physical switch and connected it to your pc? After you applied the vacl it still accessed the internet? Was your wifi card still on?

    These are the configs relevant to your "thor" vacl

    access-list 189 permit ip host 10.10.1.242 any
    access-list 88 permit any


    vlan access-map thor 10
    action drop
    match ip address 189
    vlan access-map thor 20
    action forward
    match ip address 88
    !
    vlan filter thor vlan-list 1

    Apologies for the tardiness, have not had a chance to comment on this until now....

    To answer your questions, here is a bit of background:



    fa0/5 is connected to a laptop, which has wireless disabled:



    I have separated the test into VLAN 10. Following are from the running config:

    interface FastEthernet0/5
    description test3
    switchport access vlan 10
    switchport mode access
    switchport port-security maximum 5
    switchport port-security mac-address sticky
    ip verify source port-security
    end


    Filter:
    !
    vlan filter no_33 vlan-list 10
    !

    Accessmap:

    vlan access-map no_33 10
    action drop
    match ip address 190
    vlan access-map no_33 20
    action forward
    match ip address 88

    ACL:

    access-list 88 permit any
    access-list 190 permit ip host 10.10.1.33 any



    After changing the vlan to 10, I am still seeing the same behaviour - 10.10.1.33 is still able to surf.

    If I add the line to access list 190: 'permit icmp host any any' then this kills icmp from any host in vlan 10

    If I add the line to access list 190: 'permit icmp host 10.10.1.33 any, then 10.10.1.33 is still able to ping. It's almost as if the switch is not recognising 10.10.1.33 as the ip from my laptop host - but from wireshark:




    Its kind of got me stumped. I was thinking that perhaps it might have something to do with the natting going on at the router, but this switch connected to the laptop has no NAT, and it should be killing the frames before they get out of the vlan, right?

    If I think of anything else to test, i'll add it here.
    2017 Goals: Cisco: [x]Switch [ ]Route [ ]Tshoot

    Cisco engineer's command to teach his dog to sit: "no stand"
  • adrianm68adrianm68 Member Member Posts: 65 ■■□□□□□□□□
    When I apply the following ACL:

    Extended IP access list 191
    10 deny icmp host 10.10.1.33 any
    20 permit ip any any (5 matches)

    on the port of fa0/5, then all is golden - the laptop is denied pinging, but can otherwise surf.
    2017 Goals: Cisco: [x]Switch [ ]Route [ ]Tshoot

    Cisco engineer's command to teach his dog to sit: "no stand"
Sign In or Register to comment.