imalc3142
asked on
cisco 3850 VLAN Access-Lists not working
I have a Cisco 3850 layer 3 switch. I am trying to allow our guest VLAN (VLAN 30) access to the Internet only. I configured an access list and applied it to my VLAN 30 interface and it does not work.
I am running software version 03.06.00E with an IP Services license.
I have searched the internet and can't find what is not working. This is a stand-alone switch. What am I doing wrong?
My config:
SW-SR-3850#sh run
Building configuration...
Current configuration : 5982 bytes
!
! Last configuration change at 13:23:24 UTC Sat Oct 25 2014 by avccnet
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname SW-SR-3850
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging console emergencies
enable secret 4 xxxxxxxxxxxxxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxxxxxxxxxxx
!
username xxxxxx privilege 15 password 7 xxxxxxxxxxxxxxxxxxxxxxxxx
username xxxxxxxx privilege 15 password 7 xxxxxxxxxxxxxxxxxxxxx
no aaa new-model
switch 1 provision ws-c3850-24t
!
!
!
!
!
ip routing
!
!
!
ip device tracking probe delay 10
qos wireless-default-untrust
!
crypto pki trustpoint TP-self-signed-2055912798
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2055912798
revocation-check none
rsakeypair TP-self-signed-2055912798
!
!
crypto pki certificate chain TP-self-signed-2055912798
certificate self-signed 01
<removed>
diagnostic bootup level minimal
spanning-tree mode pvst
spanning-tree extend system-id
hw-switch switch 1 logging onboard message level 3
!
redundancy
mode sso
!
!
ip tftp blocksize 8192
!
class-map match-any non-client-nrt-class
!
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
!
!!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
negotiation auto
!
interface GigabitEthernet1/0/1
switchport mode trunk
!
interface GigabitEthernet1/0/2
switchport mode trunk
!
interface GigabitEthernet1/0/3
switchport mode trunk
!
interface GigabitEthernet1/0/4
switchport mode trunk
!
interface GigabitEthernet1/0/5
switchport mode trunk
!
interface GigabitEthernet1/0/6
switchport mode trunk
!
interface GigabitEthernet1/0/7
switchport mode trunk
!
interface GigabitEthernet1/0/8
switchport mode trunk
!
interface GigabitEthernet1/0/9
switchport mode trunk
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
switchport access vlan 190
!
interface GigabitEthernet1/0/24
no switchport
ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface Vlan1
no ip address
shutdown
!
interface Vlan15
ip address 192.168.15.1 255.255.255.0
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip helper-address 192.168.190.71
!
interface Vlan30
ip address 192.168.30.1 255.255.255.0
ip access-group 130 in
!
interface Vlan190
ip address 192.168.190.1 255.255.255.0
!
ip default-gateway 192.168.1.1
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
logging host 192.168.190.30
access-list 130 remark Guest VLAN
access-list 130 remark Deny Guest Access to other VLANs
access-list 130 deny ip 192.168.30.0 0.0.0.255 192.168.190.0 0.0.0.255 log
access-list 130 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255 log
access-list 130 remark Permit Guest Access to everywhere else
access-list 130 permit ip 192.168.30.0 0.0.0.255 any
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login local
transport input ssh
line vty 5 15
login local
transport input ssh
!
wsma agent exec
profile httplistener
profile httpslistener
!
wsma agent config
profile httplistener
profile httpslistener
!
wsma agent filesys
profile httplistener
profile httpslistener
!
wsma agent notify
profile httplistener
profile httpslistener
!
!
wsma profile listener httplistener
transport http
!
wsma profile listener httpslistener
transport https
!
ap group default-group
end
Thanks for your help,
ASKER
Thanks for your answer, but that did not work. I am still able to ping through to the internal VLAN's.
Any other suggestions?
replace the statement in your acl
you may be better off with the following
ip access-list extended 130
permit tcp any any eq 443
permit tcp any any eq 80
An implicit deny will capture anything else but you can still add the line below if you choose
deny ip any any
What is the gateway address for the guest wireless LAN? Is it 192.168.30.1?
http://orbit-computer-solutions.com/Access-Control-Lists--ACL-.php
You should keep this simple.
Forbid all private IP addresses (if you ever add another VLAN in any private IP range, it is already protected from the guest VLAN):
access-list 130 deny ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 130 deny ip 192.168.30.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 130 deny ip 192.168.30.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 130 permit ip any any
and apply it to
int vlan 30
ip access-group 130 in
ASKER
Thanks for your help, but I don't think this is a syntax issue.
I currently have the following configured:
interface Vlan30
ip address 192.168.30.1 255.255.255.0
ip access-group 135 in
access-list 135 deny ip any any log
and NO traffic is being blocked. I can still get to the Internet and to my other internal LANs.
Any idea what is going on?
Thanks,
Al
This is a long shot, but since policy-based routing on a VLAN interface won't work on a Cisco 3850 switch without the sdm prefer routing command, maybe it is the same thing.
In global configuration mode
sdm prefer routing
wr mem
reload
The only logical answer is the traffic is not passing through the switch as their gateway.
How is your network configured? Is the wireless controller connected to the switch?
Do a tracert 4.2.2.2 on the PC to determine where the traffic is traversing.
Also, access-group 135 in will not work. See my explanation above. Your intention is to block outgoing traffic and not incoming traffic into VLAN 30.
I tested the solution in Cisco Packet Tracer with the config that I gave, including access-group 135 in, and it worked.
I just did it again, just in case. Still works (although the logic that it should be applied as out seems logical, but then filtering is not working). :)
So, it looks like filtering should work, but it's not working.
Time for ideas about what causes the problem and why a simple solution like this doesn't work.
ASKER
There is no other path to the Internet or other VLANs except through the 3850, so the traffic has to be going through the 3850. There is only one Internet connection and the 3850 is the only box in the entire network capable of doing VLAN routing.
Any other ideas?
ASKER CERTIFIED SOLUTION
Not really so :)
Looks like the logic is reversed here: it is not the logic of entering the VLAN, but rather of entering the router after coming from the VLAN.
If ip access-group 130 in is configured, no traffic is blocked.
interface Vlan30
ip address 192.168.30.1 255.255.255.0
ip access-group 130 in
!
access-list 130 deny ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 130 deny ip 192.168.30.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 130 deny ip 192.168.30.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 130 permit ip any any
!
Switch#sh access
Extended IP access list 130
10 deny ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.255.255 (8 match(es))
20 deny ip 192.168.30.0 0.0.0.255 172.16.0.0 0.15.255.255
30 deny ip 192.168.30.0 0.0.0.255 10.0.0.0 0.255.255.255
40 permit ip any any (5 match(es))
ASKER
The wireless controller is not being used. We are using Aruba APs and controller. The wireless controller has been left in its default configuration.
There is only one path to the Internet and it goes through the 3850, but I will have the trace route command run and I will get the results to you when I get them. (I am working this issue remotely and dependent on a local admin to conduct tests.)
Thanks again for all your help,
Al
Did you try sdm prefer routing?
I know it is probably a problem to reload the switch, but it is the only good idea that I have at the moment.
I found out about that solution when PBR would not work on a 3850.
ASKER
The 3850 does not have an sdm prefer routing command. It only has sdm prefer advanced.
SW-SR-3850(config)#sdm ?
prefer no description
SW-SR-3850(config)#sdm prefer ?
advanced Advanced Template
SW-SR-3850(config)#sdm prefer advanced ?
<cr>
I can test this tonight if you think it will help.
Al
I have no idea if it will help, unfortunately. But it is the only idea that I have.
Your configuration should work without it.
Documentation for SDM templates
Looks to me like SDM templates cannot do harm if turned on.
But you should really look at the documentation; there's a ton of it.
Let's try to do this with VLAN maps (it should be supported, but since the previous attempts don't work, who knows).
# ip access-list extended Restrict
# permit ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.255.255
# permit ip 192.168.30.0 0.0.0.255 172.16.0.0 0.15.255.255
# permit ip 192.168.30.0 0.0.0.255 10.0.0.0 0.255.255.255
# exit
# ip access-list extended Allow
# permit ip any any
# exit
create VLAN access map NoVLAN
# vlan access-map NoVLAN 10
# match ip address Restrict
# action drop
# exit
# vlan access-map NoVLAN 20
# match ip address Allow
# action forward
# exit
apply VLAN access map NoVLAN to VLAN 30.
# vlan filter NoVLAN vlan 30
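As an added example (not code from the thread, from Cisco, or from Packet Tracer), the Python below simulates how IOS evaluates the ACLs proposed in this thread: the private-range ACL 130, the port-based web-only list, the asker's deny-everything ACL 135, and the NoVLAN access map above. It models only what the thread relies on: Cisco wildcard masks (a 1 bit means "don't care"), first-match evaluation with an implicit deny at the end of every ACL, and VLAN access-map clauses that match when their referenced ACL permits the packet, with an implicit drop for packets that match no clause. The packet objects, host addresses and the name VACL_ACLS in the block are constructed sample input, not anything from the asker's network.

```python
# Added example, not code from the thread: a small simulator of how Cisco IOS
# evaluates an IP ACL (wildcard masks, first match wins, implicit deny) and a
# VLAN access-map (clauses in sequence order, match = referenced ACL permits,
# implicit drop), applied to the ACLs proposed in this thread. The packets at
# the bottom are constructed sample input.
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: tuple                 # (base, wildcard); "any" is ("0.0.0.0", "255.255.255.255")
    dst: tuple
    dport: Optional[int]       # from "eq <port>", None when absent

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return wildcard_match(p.src, *self.src) and wildcard_match(p.dst, *self.dst)


def _parse_addr(tokens: list) -> tuple:
    """Consume 'any', 'host A' or 'A WILDCARD' from the front of tokens."""
    t = tokens.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))


def parse_acl(text: str) -> list:
    """Parse numbered ('access-list 130 deny ip ...') or named ('deny ip ...') entries;
    remarks, the 'log' keyword and mode lines like 'ip access-list extended' are ignored."""
    aces = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if tokens and tokens[0] == "access-list":
            tokens = tokens[2:]            # drop 'access-list <number>'
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto, tokens = tokens[0], tokens[1], tokens[2:]
        src = _parse_addr(tokens)
        dst = _parse_addr(tokens)
        dport = int(tokens[1]) if tokens and tokens[0] == "eq" else None
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate_acl(aces: list, p: Packet) -> str:
    """First matching entry decides; the implicit final entry is 'deny ip any any'."""
    for ace in aces:
        if ace.matches(p):
            return ace.action
    return "deny"


def evaluate_vacl(clauses: list, acls: dict, p: Packet) -> str:
    """VLAN access-map: (seq, acl_name, action) clauses tried in sequence order; a
    clause matches when its ACL *permits* the packet. No matching clause => drop."""
    for _seq, acl_name, action in sorted(clauses):
        if evaluate_acl(acls[acl_name], p) == "permit":
            return action
    return "drop"


# ACLs as proposed in the thread
ACL_130 = parse_acl("""
access-list 130 deny ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 130 deny ip 192.168.30.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 130 deny ip 192.168.30.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 130 permit ip any any
""")
ACL_135 = parse_acl("access-list 135 deny ip any any log")
WEB_ONLY = parse_acl("ip access-list extended 130\npermit tcp any any eq 443\npermit tcp any any eq 80")
RESTRICT = parse_acl("""
permit ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.30.0 0.0.0.255 172.16.0.0 0.15.255.255
permit ip 192.168.30.0 0.0.0.255 10.0.0.0 0.255.255.255
""")
ALLOW = parse_acl("permit ip any any")
NOVLAN = [(10, "Restrict", "drop"), (20, "Allow", "forward")]
VACL_ACLS = {"Restrict": RESTRICT, "Allow": ALLOW}   # constructed name, not IOS syntax

# constructed sample packets from a guest host in VLAN 30 (198.51.100.10 is a TEST-NET address)
TO_SERVER = Packet("tcp", "192.168.30.10", "192.168.190.71", 445)
TO_INTERNET = Packet("tcp", "192.168.30.10", "198.51.100.10", 443)
TO_172_31 = Packet("icmp", "192.168.30.10", "172.31.0.1")
TO_172_32 = Packet("icmp", "192.168.30.10", "172.32.0.1")   # just outside 172.16.0.0/12

if __name__ == "__main__":
    for p in (TO_SERVER, TO_INTERNET, TO_172_31, TO_172_32):
        print(f"{p.dst:16} acl130={evaluate_acl(ACL_130, p):7} "
              f"web_only={evaluate_acl(WEB_ONLY, p):7} vacl={evaluate_vacl(NOVLAN, VACL_ACLS, p)}")
```

Running it shows that ACL 130 drops guest traffic to all three RFC 1918 blocks and passes everything else (172.32.0.1 is permitted because the wildcard 0.15.255.255 covers only 172.16.0.0 through 172.31.255.255), that the web-only list denies everything except ports 80 and 443 through its implicit deny, and that the NoVLAN map needs its Allow clause: with only the Restrict clause, every packet that Restrict does not permit is dropped. Two things the simulator does not model but which matter for reading the thread: on an SVI, ip access-group 130 in inspects packets that hosts in VLAN 30 send to the switch for routing, which is the direction ACL 130 (source 192.168.30.0/24) is written for; and the match counters in show access-lists only increment for packets that actually reach that SVI, so a deny entry that never counts a hit is the quickest sign that the guest traffic is not arriving on this switch at all, which is what the asker's trace route eventually confirmed.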
ASKER
The issue is with our wireless AP/controller. For some reason they are dumping all traffic into an unrelated VLAN. The suggestion to run a trace route proved to be the correct troubleshooting step.
I will close this issue since it's not a Cisco router issue.
Thanks for all your help.
int vlan 30
ip access-group 130 out