Solved

cisco 3850 VLAN Access-Lists not working

Posted on 2014-10-25
Last Modified: 2014-11-03
I have a Cisco 3850 layer 3 switch. I am trying to allow our guest VLAN (VLAN 30) access to the Internet only. I configured an access list and applied it to my VLAN 30 interface and it does not work.

I am running software version 03.06.00E with an IP Services license.

I have searched the internet and can't find what is not working. This is a stand-alone switch. What am I doing wrong?

My config:

SW-SR-3850#sh run
Building configuration...

Current configuration : 5982 bytes
!
! Last configuration change at 13:23:24 UTC Sat Oct 25 2014 by avccnet
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname SW-SR-3850
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging console emergencies
enable secret 4 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxxxxxxxxxxx
!
username xxxxxx privilege 15 password 7 xxxxxxxxxxxxxxxxxxxxxxxxx
username xxxxxxxx privilege 15 password 7 xxxxxxxxxxxxxxxxxxxxx
no aaa new-model
switch 1 provision ws-c3850-24t
!
!
!
!
!
ip routing
!
!
!
ip device tracking probe delay 10
qos wireless-default-untrust
!
crypto pki trustpoint TP-self-signed-2055912798
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2055912798
 revocation-check none
 rsakeypair TP-self-signed-2055912798
!
!
crypto pki certificate chain TP-self-signed-2055912798
 certificate self-signed 01
  <removed>
 
 
 
diagnostic bootup level minimal
spanning-tree mode pvst
spanning-tree extend system-id
hw-switch switch 1 logging onboard message level 3
!
redundancy
 mode sso
!
!
ip tftp blocksize 8192
!
class-map match-any non-client-nrt-class
!
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 10
!
!!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 negotiation auto
!
interface GigabitEthernet1/0/1
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 switchport mode trunk
!
interface GigabitEthernet1/0/4
 switchport mode trunk
!
interface GigabitEthernet1/0/5
 switchport mode trunk
!
interface GigabitEthernet1/0/6
 switchport mode trunk
!
interface GigabitEthernet1/0/7
 switchport mode trunk
!
interface GigabitEthernet1/0/8
 switchport mode trunk
!
interface GigabitEthernet1/0/9
  switchport mode trunk
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
 switchport access vlan 190
!
interface GigabitEthernet1/0/24
 no switchport
 ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan15
 ip address 192.168.15.1 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.168.190.71
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip access-group 130 in
!
interface Vlan190
 ip address 192.168.190.1 255.255.255.0
!
ip default-gateway 192.168.1.1
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
logging host 192.168.190.30
access-list 130 remark Guest VLAN
access-list 130 remark Deny Guest Access to other VLANs
access-list 130 deny   ip 192.168.30.0 0.0.0.255 192.168.190.0 0.0.0.255 log
access-list 130 deny   ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255 log
access-list 130 remark Permit Guest Access to everywhere else
access-list 130 permit ip 192.168.30.0 0.0.0.255 any
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
!
wsma agent exec
 profile httplistener
 profile httpslistener
!
wsma agent config
 profile httplistener
 profile httpslistener
!
wsma agent filesys
 profile httplistener
 profile httpslistener
!
wsma agent notify
 profile httplistener
 profile httpslistener
!
!
wsma profile listener httplistener
 transport http
!
wsma profile listener httpslistener
 transport https
!
ap group default-group
end


Thanks for your help,
0
Question by:imalc3142
17 Comments
 
LVL 18

Expert Comment

by:Akinsd
ID: 40404327
You applied it inbound. The traffic is outbound. Inbound on VLAN 30 is traffic going into VLAN 30. Outbound from VLAN 30 is traffic going out from VLAN 30. Your ACL is configured to filter destination addresses originating from VLAN 30, so your ACL should be applied outbound:

int vlan 30
ip access-group 130 out
0
 
LVL 1

Author Comment

by:imalc3142
ID: 40404333
Thanks for your answer, but that did not work. I am still able to ping through to the internal VLANs.

Any other suggestions?
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 40404350
Replace the statement in your ACL.

You may be better off with the following:
ip access-list extended 130
permit tcp any any eq 443
permit tcp any any eq 80

An implicit deny will capture anything else, but you can still add the line below if you choose:
deny ip any any

What is the gateway address for the guest wireless LAN? Is it 192.168.30.1?

http://orbit-computer-solutions.com/Access-Control-Lists--ACL-.php
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 40404523
You should keep this simple:
Forbid all private IP addresses (if you ever add another VLAN in any private IP range, it is already protected from the guest VLAN).

access-list 130 deny ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 130 deny ip 192.168.30.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 130 deny ip 192.168.30.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 130 permit ip any any

and apply it to:
int vlan 30
ip access-group 130 in
0
 
LVL 1

Author Comment

by:imalc3142
ID: 40406860
Thanks for your help, but I don't think this is a syntax issue.

I currently have the following configured:

interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip access-group 135 in

access-list 135 deny   ip any any log


and NO traffic is being blocked. I can still get to the Internet and to my other internal LANs.

Any idea what is going on?

thanks,

Al
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 40407079
This is a long shot, but since policy-based routing on a VLAN interface won't work on a Cisco 3850 switch without the sdm prefer routing command, maybe it is the same thing.
In global configuration mode:
sdm prefer routing
wr mem
reload
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 40408460
The only logical answer is that the traffic is not passing through the switch as its gateway.
How is your network configured? Is the wireless controller connected to the switch?
Do a tracert 4.2.2.2 on the PC to determine where the traffic is traversing.

Also, access-group 135 in will not work. See my explanation above. Your intention is to block outgoing traffic, not incoming traffic into VLAN 30.
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 40408525
I tested the solution in Cisco Packet Tracer with the config that I gave, including access-group 135 in, and it worked.
I just did it again, just in case. Still works (although the logic that it should be applied as out seems logical, the filtering is not working that way). :)

So, it looks like filtering should work, but it's not working.
Time for ideas on what causes the problem and why a simple solution like this doesn't work.
0
 
LVL 1

Author Comment

by:imalc3142
ID: 40408756
There is no other path to the Internet or other VLANs except through the 3850, so the traffic has to be going through the 3850. There is only one Internet connection and the 3850 is the only box in the entire network capable of doing VLAN routing.

Any other ideas?
0
 
LVL 18

Accepted Solution

by: Akinsd (earned 500 total points)
ID: 40408761
If everything is denied on the ACL, the traffic will definitely be blocked.
The traffic going out from VLAN 30 is not blocked, but the return traffic coming back into the VLAN will be blocked. This is a waste of router processing. It is better to block outgoing in this case.

One of the recommendations for ACL application is to apply restrictions as close to the source or destination as possible, based on the traffic you intend to block.


Notice my first comment in the last post:
The only logical answer is that the traffic is not passing through the switch as its gateway.

The logical reason why his ACL is not capturing the traffic after blocking everything is that the traffic is not passing through the ACL.

A "show ip access-list 135" would reveal that nothing is captured on the ACL.


@imalc3142
Please run tracert 4.2.2.2 on a workstation and post the result.

Also, you didn't answer the question about where your wireless controller connects to.
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 40408777
Not really so :)

interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip access-group 130 in
!
access-list 130 deny ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 130 deny ip 192.168.30.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 130 deny ip 192.168.30.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 130 permit ip any any
!
Switch#sh access
Extended IP access list 130
    10 deny ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.255.255 (8 match(es))
    20 deny ip 192.168.30.0 0.0.0.255 172.16.0.0 0.15.255.255
    30 deny ip 192.168.30.0 0.0.0.255 10.0.0.0 0.255.255.255
    40 permit ip any any (5 match(es))



Looks like the logic is reversed here: it is not the logic of entering the VLAN, but of entering the router after coming from the VLAN.
If ip access-group 130 in is configured, no traffic is blocked.
0
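The direction question argued across the comments above (whether "in" or "out" on interface Vlan30 sees traffic sourced by guest hosts) can be checked against a small model. The following is an added example, not code from the thread or from Cisco: it parses ACL 130 as posted in the question, applies IOS wildcard-mask matching with the implicit deny, and models an SVI ACL as "in" seeing packets the switch receives from VLAN 30 hosts and "out" seeing packets the switch forwards into VLAN 30. The ACL text and packet addresses are constructed sample data; 203.0.113.5 stands in for an Internet host.

```python
import ipaddress

# Constructed sample: ACL 130 as posted in the question, in IOS numbered-ACL syntax.
ACL_130_TEXT = """
access-list 130 remark Guest VLAN
access-list 130 deny   ip 192.168.30.0 0.0.0.255 192.168.190.0 0.0.0.255 log
access-list 130 deny   ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255 log
access-list 130 permit ip 192.168.30.0 0.0.0.255 any
"""
VLAN30 = ipaddress.ip_network("192.168.30.0/24")  # subnet behind interface Vlan30

def _addr_spec(tokens):
    # Consume one IOS address spec (any | host A | A WILDCARD) -> ((base, wildcard), rest)
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.ip_address(tokens[1])), 0), tokens[2:]
    return (int(ipaddress.ip_address(tokens[0])), int(ipaddress.ip_address(tokens[1]))), tokens[2:]

def parse_acl(text):
    """Return [(action, src_spec, dst_spec)] for 'access-list N permit|deny ip SRC DST' lines."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[2] == "remark":
            continue
        src, rest = _addr_spec(parts[4:])   # parts[3] is the protocol ('ip')
        dst, _ = _addr_spec(rest)           # trailing 'log' keyword is ignored
        entries.append((parts[2], src, dst))
    return entries

def _matches(addr, spec):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wildcard = spec
    return (int(ipaddress.ip_address(addr)) & ~wildcard) == (base & ~wildcard)

def acl_verdict(entries, src, dst):
    """First matching ACE wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for action, s, d in entries:
        if _matches(src, s) and _matches(dst, d):
            return action
    return "deny"

def svi_filter(entries, direction, src, dst):
    """Model 'ip access-group N in|out' on interface Vlan30: 'in' sees packets received
    from VLAN 30 hosts, 'out' sees packets forwarded into VLAN 30; 'n/a' = never crosses it."""
    if direction == "in" and ipaddress.ip_address(src) in VLAN30:
        return acl_verdict(entries, src, dst)
    if direction == "out" and ipaddress.ip_address(dst) in VLAN30:
        return acl_verdict(entries, src, dst)
    return "n/a"
```

With this model, ACL 130 applied "in" denies guest traffic to 192.168.190.0/24 and permits it to the Internet, which matches the counters in the Packet Tracer output above; applied "out", guest-sourced packets never cross the ACL, and the return traffic is dropped by the implicit deny because its source is not 192.168.30.0/24.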
 
LVL 1

Author Comment

by:imalc3142
ID: 40408789
The wireless controller is not being used. We are using Aruba APs and controller. The wireless controller has been left in its default configuration.

There is only one path to the Internet and it goes through the 3850, but I will have the trace route command run and I will get the results to you when I get them. (I am working this issue remotely and am dependent on a local admin to conduct tests.)

Thanks again for all your help,

Al
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 40408802
Did you try sdm prefer routing?
I know it is probably a problem to reload the switch, but it is the only good idea that I have at the moment.
I found out about that solution when PBR would not work on a 3850.
0
 
LVL 1

Author Comment

by:imalc3142
ID: 40408817
The 3850 does not have an sdm prefer routing command. It only has sdm prefer advanced.

SW-SR-3850(config)#sdm ?
  prefer  no description

SW-SR-3850(config)#sdm prefer ?
  advanced  Advanced Template

SW-SR-3850(config)#sdm prefer advanced ?
  <cr>

I can test this tonight if you think it will help.

Al
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 40408858
I have no idea if it will help, unfortunately, but it is the only idea that I have.
Your configuration should work without it.

Documentation for SDM templates

Looks to me like SDM templates cannot do harm if turned on.
But you should really look at the documentation; there's a ton of it.
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 40410166
Let's try to do this with VLAN maps (should be supported, but since the previous approach doesn't work, who knows).

# ip access-list extended Restrict
   # permit ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.255.255
   # permit ip 192.168.30.0 0.0.0.255 172.16.0.0 0.15.255.255
   # permit ip 192.168.30.0 0.0.0.255 10.0.0.0 0.255.255.255
# exit
# ip access-list extended Allow
   # permit ip any any
# exit

Create VLAN access map NoVLAN:

# vlan access-map NoVLAN 10
   # match ip address Restrict
   # action drop
# exit
# vlan access-map NoVLAN 20
   # match ip address Allow
   # action forward
# exit

Apply VLAN access map NoVLAN to VLAN 30:
# vlan filter NoVLAN vlan 30
0
 
LVL 1

Author Closing Comment

by:imalc3142
ID: 40420167
The issue is with our wireless AP/controller. For some reason they are dumping all traffic into an unrelated VLAN. The suggestion to run a trace route proved to be the correct troubleshooting step.

I will close this issue since it's not a Cisco router issue.

Thanks for all your help.
0
