Wired Intelligent Edge

last person joined: yesterday 

Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.
Expand all | Collapse all

VACL filtering within same VLAN

This thread has been viewed 9 times
  • 1.  VACL filtering within same VLAN

    Posted Apr 17, 2019 07:27 AM

    Hi,

     

    I have a couple of 2930F switches and I need to block traffic between users on the same subnet (same VLAN 223, tagged).

     

    I am using this config:

     

    ip access-list extended CLIENT_ISOLATE_ACL
       10 permit ip 0.0.0.0 255.255.255.255 192.168.208.1 0.0.0.0
       20 deny ip 192.168.208.0 0.0.15.255 192.168.208.0 0.0.15.255
       30 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

    vlan 223
    ip access-group "CLIENT_ISOLATE_ACL" vlan-in

     

    In the show statistics aclv4 there are some hits for the rule 20 but still all tests show that the traffic between users is permitted (pings are working).

     

    What's wrong?



  • 2.  RE: VACL filtering within same VLAN

    Posted Apr 17, 2019 03:36 PM
    Have you applied this ACL at all switches? Because this is a L2 ACL you need to assign this ACL to all switches even of there is no routing add that switch. The ACL looks fine.

    Also the first rule is not needed because 208.1 is not the destination I suppose. It’s just the gateway.

    Please keep in mine that this is a IP filter. So broadcast traffic and other traffic like IPv6 and even other subnets are still allowed. If you want that also be filtered you need to use MAC based filtering/ACL or take a look into the Aruba dynamic segmentation solution.


  • 3.  RE: VACL filtering within same VLAN

    Posted Apr 18, 2019 02:50 AM

    Hi,

     

    Yes, I applied the ACL to all switches. And the filtering doesn't work even for 2 hosts connected to the same switch.

    I permitted the GW explicitly just for testing.



  • 4.  RE: VACL filtering within same VLAN

    Posted Apr 18, 2019 07:19 AM
    Looks like a bug. Have you tried this with the latest firmware?
    Please could you try to filter all the ICMP traffic for any IP address? I'm curious if that is working.


  • 5.  RE: VACL filtering within same VLAN

    MVP GURU
    Posted Apr 18, 2019 05:23 PM

    for your config, it is assigned to vlan interface...



  • 6.  RE: VACL filtering within same VLAN

    Posted Apr 19, 2019 03:12 AM

    Are you sure?

     

    There is no SVI (IP address) for VLAN 223 at all. And still counters for Deny ACE are increasing.

    Also I thought that "vlan-in" keyword is to apply ACL to the VLAN (VACL) and "in" is for SVI.



  • 7.  RE: VACL filtering within same VLAN
    Best Answer

    Posted Apr 24, 2019 04:39 AM

    I have double checked everything onsite.

    The correct syntax for VACL is "vlan-in", so that was not an issue.

     

    In fact VACL works in most scenarios.

    But it does not work properly when clients are connected to the same switch port (wireless clients connected to the same AP). In that case the switch sometimes blocks the traffic but less than 1%. And this occasional blocking was confusing.

    So in general VACL doesn't help in this case. VLAN "isolate-list" neither.



  • 8.  RE: VACL filtering within same VLAN

    Posted Apr 24, 2019 05:27 AM
    Yes, that is true. The VACL will only work for traffic that is hitting the switch.
    If you are using IAP's you can create a ACL at the IAP to filter this traffic.