Wired Intelligent Edge (Campus Switching and Routing)

Occasional Contributor I

VACL filtering within same VLAN

Hi,


I have a couple of 2930F switches and I need to block traffic between users on the same subnet (same VLAN 223, tagged).


I am using this config:


ip access-list extended CLIENT_ISOLATE_ACL
   10 permit ip 0.0.0.0 255.255.255.255 192.168.208.1 0.0.0.0
   20 deny ip 192.168.208.0 0.0.15.255 192.168.208.0 0.0.15.255
   30 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

vlan 223
ip access-group "CLIENT_ISOLATE_ACL" vlan-in


In "show statistics aclv4" there are some hits for rule 20, but all tests still show that the traffic between users is permitted (pings are working).


What's wrong?
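As an added example (not code from the thread or from Aruba), a small Python evaluator of the wildcard-mask ACEs in the ACL above, with first-match and implicit-deny semantics, so the ACE each sample flow should hit can be confirmed offline before suspecting switch behaviour. The sample flows are constructed.

```python
"""Offline evaluator for ArubaOS-Switch style IPv4 extended ACEs (added example)."""
import ipaddress
import re

# ACL text copied from the original post.
ACL_TEXT = """
ip access-list extended CLIENT_ISOLATE_ACL
   10 permit ip 0.0.0.0 255.255.255.255 192.168.208.1 0.0.0.0
   20 deny ip 192.168.208.0 0.0.15.255 192.168.208.0 0.0.15.255
   30 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""

# seq action proto src src-wildcard dst dst-wildcard
ACE_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_acl(text):
    """Return ACEs as (seq, action, proto, src, src_wc, dst, dst_wc), ordered by seq."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            seq, action, proto, src, src_wc, dst, dst_wc = m.groups()
            aces.append((int(seq), action, proto, src, src_wc, dst, dst_wc))
    return sorted(aces)


def wildcard_match(addr, base, wildcard):
    """Wildcard semantics: a 0 bit in the mask must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    wc = int(ipaddress.IPv4Address(wildcard))
    return (a | wc) == (b | wc)


def evaluate(aces, src, dst, proto="ip"):
    """First matching ACE wins; no match falls through to the implicit deny (seq None)."""
    for seq, action, ace_proto, s, s_wc, d, d_wc in aces:
        if ace_proto not in ("ip", proto):
            continue
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action, seq
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # Constructed flows: host-to-host, host-to-gateway, off-subnet, IPv4 broadcast.
    for src, dst in [("192.168.208.10", "192.168.208.20"), ("192.168.208.10", "192.168.208.1"),
                     ("192.168.208.10", "10.0.0.5"), ("192.168.208.10", "255.255.255.255")]:
        print(src, "->", dst, evaluate(acl, src, dst))
```

The host-to-host flow lands on ACE 20 (deny) while the all-ones broadcast falls through to ACE 30 (permit), which is the IP-only limitation noted in the replies.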

Super Contributor I

Re: VACL filtering within same VLAN

Have you applied this ACL at all switches? Because this is an L2 ACL you need to assign this ACL to all switches, even if there is no routing at that switch. The ACL looks fine.

Also the first rule is not needed because 208.1 is not the destination I suppose. It’s just the gateway.

Please keep in mind that this is an IP filter. So broadcast traffic and other traffic like IPv6 and even other subnets are still allowed. If you want that to be filtered as well, you need to use MAC based filtering/ACL or take a look into the Aruba dynamic segmentation solution.

Willem Bargeman ACMX#935 | ACCX #822

Please give me kudos if my post was useful!
If your issue is solved mark the post as solution!
Occasional Contributor I

Re: VACL filtering within same VLAN

Hi,


Yes, I applied the ACL to all switches. And the filtering doesn't work even for 2 hosts connected to the same switch.

I permitted the GW explicitly just for testing.

Super Contributor I

Re: VACL filtering within same VLAN

Looks like a bug. Have you tried this with the latest firmware?
Please could you try to filter all the ICMP traffic for any IP address? I'm curious if that is working.

Willem Bargeman ACMX#935 | ACCX #822

MVP Expert

Re: VACL filtering within same VLAN

For your config, it is assigned to the VLAN interface...

PowerArubaSW: PowerShell module to use the Aruba Switch API for VLAN, VLAN ports, LACP, LLDP...
PowerArubaCP: PowerShell module to use the ClearPass API (create NAD, Guest...)
PowerArubaCX: PowerShell module to use the ArubaCX API (get interface/VLAN/port info)
PowerArubaIAP: PowerShell module to use Aruba Instant AP

ACMP 6.4 / ACMX #107 / ACCP 6.5
Occasional Contributor I

Re: VACL filtering within same VLAN

Are you sure?


There is no SVI (IP address) for VLAN 223 at all. And still counters for Deny ACE are increasing.

Also I thought that "vlan-in" keyword is to apply ACL to the VLAN (VACL) and "in" is for SVI.

Occasional Contributor I

Re: VACL filtering within same VLAN

I have double checked everything onsite.

The correct syntax for VACL is "vlan-in", so that was not an issue.


In fact VACL works in most scenarios.

But it does not work properly when clients are connected to the same switch port (wireless clients connected to the same AP). In that case the switch sometimes blocks the traffic but less than 1%. And this occasional blocking was confusing.

So in general VACL doesn't help in this case. Neither does VLAN "isolate-list".

Super Contributor I

Re: VACL filtering within same VLAN

Yes, that is true. The VACL will only work for traffic that is hitting the switch.
If you are using IAPs you can create an ACL at the IAP to filter this traffic.

Willem Bargeman ACMX#935 | ACCX #822
