Vlan Maps

Status
Not open for further replies.

loyalist

MIS
Jun 25, 2003
69
CA
Hello,

I have a CAT 3550 with the following standard IOS, Version 12.1(12c)EA1, and I am attempting to restrict the traffic into one vlan via a vlan map. I have to use vlan maps instead of access lists because we have the standard IOS instead of enhanced (which would permit access lists on vlans). Seems straightforward enough; however, when I apply the following map I end up blocking all traffic to the subnet instead of just the ones I want to restrict:

ip access-list extended dev_server
permit ip 10.100.25.0 0.0.0.255 10.100.125.0 0.0.0.255
permit ip 10.100.50.0 0.0.0.255 10.100.125.0 0.0.0.255
permit ip 10.100.75.0 0.0.0.255 10.100.125.0 0.0.0.255

vlan access-map map_1 10
match ip address dev_server
action drop

vlan filter map_1 vlan-list 125

I have 5 vlans: 25, 50, 75, 100, and 125. I only want traffic from vlan 100 to be able to reach vlan 125 and want all others dropped when they attempt to get to vlan 125. Right now this isn't happening and I am blocking all traffic when I apply it. Does anyone see something wrong with this config? Am I missing something simple?

Thanks in advance,

Loyalist
 
Loyalist,

Cisco makes this a little tricky and they trick you into thinking that your switch can perform layer 3 functions when it really can't. Just from looking at your config the first thing that I notice is that you are listing ip subnets.

Remember a switch is a layer 2 device. It doesn't care about IP addresses. So putting that in your config won't make any difference because the switch doesn't care. That is why it is just discarding everything.

You should really be doing this at layer 3 on the router. That is the easiest way to accomplish what you are trying to get done. If you have VLANS you must have a router breaking them up. So on the ROUTER do your access lists. Simply state that the only ip you want allowed to vlan 125 is vlan 100 and you are golden.

I hope this helps you out!

Regards,
Dimo

***On another note. One thing you might consider which is not a restriction but improves performance at the switch level is VTP pruning. This makes the switch discard advertisements from other vlans unless it is specifically directed at a device on a vlan. This is more a tip than directly addressing your question.
 
Thanks Dimo, however the 3550 is a layer 2/3 switch and is capable of moving layer 3 traffic, I am currently using it as a router and a switch combined. I have it connected to my pix and I am routing traffic through different interfaces. The only thing preventing me from using access lists on the vlans is that I have the standard instead of the enhanced ios. I agree with what you are saying about layer 2 switching and being unable to block traffic, however this can "supposedly" be done with the vlan maps as per the cisco documentation on the 3550:


I have followed their guidelines; however, like I said, I end up blocking all traffic instead of only the specified subnets. Just wondering if anyone out there has run into this problem as well, or if there is something different that has to be done other than what Cisco recommends.
 
Tried a different access list specifying hosts instead of vlans and had the same result, blocked all traffic. Has anyone out there used vlan maps before? Note, vlan 100 is not included in the access list as they are the only ones who I want to access this subnet/vlan, and yet they are being blocked as well.

ip access-list extended devser_test
permit ip 10.100.25.0 0.0.0.255 host 10.100.125.10
permit ip 10.100.25.0 0.0.0.255 host 10.100.125.11
permit ip 10.100.50.0 0.0.0.255 host 10.100.125.10
permit ip 10.100.50.0 0.0.0.255 host 10.100.125.11
permit ip 10.100.75.0 0.0.0.255 host 10.100.125.10
permit ip 10.100.75.0 0.0.0.255 host 10.100.125.11


vlan access-map map_devser
match ip address devser_test
action drop


vlan filter map_devser vlan-list 125
 
Perhaps I've misunderstood something here, but you have "action drop" configured, so it will block the traffic?
 
Not so much to "block" the traffic, but drop any traffic coming from those subnets into those hosts or subnet and forward all other traffic into the subnet. According to Cisco this is supposed to work.
 
"not so much to "block" the traffic but drop any traffic coming from those subnets into those hosts or subnet and forward all other traffic into the subnet. According to cisco this is supposed to work."

Ah...this gets me thinking. Now...I haven't used vlan maps before, but.. I do know that access-lists have an implied "deny all"; so I am going to assume that we are dealing with the same thing here. Please check with Cisco to verify.

So, I'm thinking your access-list (vlan map) is dropping the subnets you specify. If that is the case, then we need to permit the vlan 100 to pass.

Now, in a normal access-list environment, you would just say
permit ip any any

But...you are doing an action drop. Is there another option for the "action" command? I don't have access to a layer-3 switch, so I can't test my theory.

For example, can you do an "action permit" or something like that? If so, perhaps you can only permit what you want to pass (like vlan 100) and the access-list will automatically drop everything else).

Just a thought. I wish I could test this idea, but again...I don't have access to a layer-3 switch, so my idea may be way off.
 
Ya know, if you have a CCO account, you can download the EMI software and put it on that box. It works, but don't call Cisco for support.


BuckWeet
 
Sorry guys, have been so busy forgot about this posting...

The only two options for the vlan map statement are drop and forward.

I still have not resolved this issue; however, I will attempt bierhunter's suggestion and forward only the traffic I want to permit and see if that works.

Loyalist
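The thread never states outright why the posted map drops everything, so here is an added example (not from the thread, nor Cisco's own code) that models VLAN access-map evaluation the way the posters reason about it: clauses are tried in sequence order and the first match wins; a `permit` line in the match ACL only means "this packet matches the clause" (the ACL's implicit deny is "no match", not "drop"); and a packet that matches no clause at all falls off the end of the map, where the default is drop, exactly the "implied deny all" bierhunter suspected. The model, the `FIXED_MAP` with a catch-all `action forward` sequence (sequence number 20 is an assumption), and the sample packets are all mine; the `dev_server` ACL entries are the poster's. One caveat worth seeing in the output: a VLAN map has no in/out direction and filters every packet entering or leaving the VLAN, so a forward-only map that lists just vlan 100 as source would still drop the replies coming back out of vlan 125, which is why the example forwards everything that the drop clause does not catch.

```python
"""Model of how a Cisco VLAN access map decides a packet's fate (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_matches(acl, pkt: Packet) -> bool:
    """An extended ACL used as a VLAN map match list. Each entry is
    (src, src_wildcard, dst, dst_wildcard); 'host X' is 'X 0.0.0.0'.
    Inside a VLAN map a 'permit' entry means 'this packet matches the clause';
    the ACL's implicit deny means 'no match here', not 'drop'."""
    return any(wildcard_match(pkt.src, s, sw) and wildcard_match(pkt.dst, d, dw)
               for s, sw, d, dw in acl)


def apply_vlan_map(vlan_map, pkt: Packet) -> str:
    """vlan_map is an ordered list of (acl, action) sequences. Clauses are tried
    in order and the first match wins; a clause whose acl is None has no match
    statement and matches everything. A packet matching no clause hits the
    map's implicit default, which is drop (the assumption this model tests)."""
    for acl, action in vlan_map:
        if acl is None or acl_matches(acl, pkt):
            return action
    return "drop"


# The poster's ACL 'dev_server', copied from the thread.
DEV_SERVER = [
    ("10.100.25.0", "0.0.0.255", "10.100.125.0", "0.0.0.255"),
    ("10.100.50.0", "0.0.0.255", "10.100.125.0", "0.0.0.255"),
    ("10.100.75.0", "0.0.0.255", "10.100.125.0", "0.0.0.255"),
]

# The map as posted: one sequence, 'match ip address dev_server' / 'action drop'.
# Anything that does not match dev_server falls off the end and is dropped too.
ORIGINAL_MAP = [(DEV_SERVER, "drop")]

# Corrected map, equivalent to adding a second sequence with no match clause:
#   vlan access-map map_1 20
#    action forward
# The catch-all forward sequence is the fix; sequence number 20 is an assumption.
FIXED_MAP = [(DEV_SERVER, "drop"), (None, "forward")]

# Constructed sample packets (addresses chosen to fit the thread's subnets).
SAMPLES = [
    Packet("10.100.25.5", "10.100.125.10"),    # vlan 25 -> 125: should be dropped
    Packet("10.100.100.5", "10.100.125.10"),   # vlan 100 -> 125: should be forwarded
    Packet("10.100.125.10", "10.100.100.5"),   # reply 125 -> 100: also passes the map
]


def evaluate(vlan_map, packets=SAMPLES):
    """Return {(src, dst): action} for each packet under the given map."""
    return {(p.src, p.dst): apply_vlan_map(vlan_map, p) for p in packets}


if __name__ == "__main__":
    for name, vmap in (("original", ORIGINAL_MAP), ("fixed", FIXED_MAP)):
        print(f"--- {name} map on vlan 125 ---")
        for (src, dst), action in evaluate(vmap).items():
            print(f"{src:>14} -> {dst:<14} {action}")
```

Running it shows the original map dropping all three packets, including vlan 100's, while the fixed map drops only the vlan 25 source and forwards the vlan 100 packet and its reply. The same ordering rule means the drop clause must stay at a lower sequence number than the catch-all forward, or the forward will match first and the restriction silently disappears.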
 