VLAN Access List
A VLAN ACL (VACL) is very useful when we want to filter traffic within a VLAN. When a VACL is configured on the switch, all packets entering the VLAN are checked against the VLAN access list. Unlike a router ACL, a VACL has no direction (in or out). A VACL can either drop a matching packet, forward it, or redirect it to another interface. Notice that the VACL is applied globally to the one or more VLANs listed, not to a VLAN interface (switch virtual interface, SVI).
How to proceed
- 1. Configure a standard or extended ACL, as required, for the VACL.
- 2. Configure a VLAN access map that matches the IP hosts.
- 3. Configure the action: forward or drop.
- 4. Apply the VACL map to the VLAN.
- 5. Verify the VACL map information.
https://youtube.com/@internetworkss
Topology:
- configure IP addresses on the PCs as per the topology
- configure the default gateway as per the topology
- configure inter-VLAN routing using SVIs
- configure IP address 10.1.1.1 on VLAN 10
- configure IP address 20.1.1.1 on VLAN 20
- at this point make sure all four PCs can ping each other
- configure ACL 10
- configure the VACL and make sure PC1 cannot communicate with any VLAN 20 PC
(Assigning the IPs on all 4 PCs)
PC1: 10.1.1.10 255.0.0.0 gateway 10.1.1.1
PC2: 10.1.1.11 255.0.0.0 gateway 10.1.1.1
PC3: 20.1.1.10 255.0.0.0 gateway 20.1.1.1
PC4: 20.1.1.11 255.0.0.0 gateway 20.1.1.1
(Configure VLANs and assign interfaces to their VLANs)
switch-1-(config)#vlan 10
switch-1-(config-vlan)#name ccna
switch-1-(config-vlan)#exit
switch-1-(config)#vlan 20
switch-1-(config-vlan)#name ccnp
switch-1-(config-vlan)#exit
switch-1-(config)#interface range ethernet 0/0-1
switch-1-(config-if-range)#switchport mode access
switch-1-(config-if-range)#switchport access vlan 10
switch-1-(config-if-range)#exit
switch-1-(config)#interface range ethernet 0/2-3
switch-1-(config-if-range)#switchport mode access
switch-1-(config-if-range)#switchport access vlan 20
switch-1-(config-if-range)#exit
switch-1-(config)#end
switch-1-#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Et1/0, Et1/1, Et1/2, Et1/3
Et2/0, Et2/1, Et2/2, Et2/3
Et3/0, Et3/1, Et3/2, Et3/3
10 ccna active Et0/0, Et0/1
20 ccnp active Et0/2, Et0/3
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
10 enet 100010 1500 - - - - - 0 0
20 enet 100020 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
(Configure inter-VLAN routing)
switch-1-(config)#ip routing
switch-1-(config)#interface vlan 10
switch-1-(config-if)#ip address 10.1.1.1 255.0.0.0
switch-1-(config-if)#no shutdown
switch-1-(config-if)#exit
*Jul 20 11:53:19.910: %LINK-3-UPDOWN: Interface Vlan10, changed state to up
*Jul 20 11:53:20.921: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
switch-1-(config)#interface vlan 20
switch-1-(config-if)#ip address 20.1.1.1 255.0.0.0
switch-1-(config-if)#no shutdown
switch-1-(config-if)#exit
*Jul 20 11:53:41.087: %LINK-3-UPDOWN: Interface Vlan20, changed state to up
*Jul 20 11:53:42.102: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up
(Let's verify the communication between PCs)
PC1> ping 10.1.1.11
84 bytes from 10.1.1.11 icmp_seq=1 ttl=64 time=3.813 ms
84 bytes from 10.1.1.11 icmp_seq=2 ttl=64 time=3.774 ms
84 bytes from 10.1.1.11 icmp_seq=3 ttl=64 time=3.575 ms
84 bytes from 10.1.1.11 icmp_seq=4 ttl=64 time=4.212 ms
84 bytes from 10.1.1.11 icmp_seq=5 ttl=64 time=3.709 ms
PC1> ping 20.1.1.10
84 bytes from 20.1.1.10 icmp_seq=1 ttl=63 time=4.243 ms
84 bytes from 20.1.1.10 icmp_seq=2 ttl=63 time=5.801 ms
84 bytes from 20.1.1.10 icmp_seq=3 ttl=63 time=3.944 ms
84 bytes from 20.1.1.10 icmp_seq=4 ttl=63 time=21.152 ms
84 bytes from 20.1.1.10 icmp_seq=5 ttl=63 time=3.551 ms
PC3> ping 20.1.1.11
84 bytes from 20.1.1.11 icmp_seq=1 ttl=64 time=4.206 ms
84 bytes from 20.1.1.11 icmp_seq=2 ttl=64 time=2.643 ms
84 bytes from 20.1.1.11 icmp_seq=3 ttl=64 time=3.907 ms
84 bytes from 20.1.1.11 icmp_seq=4 ttl=64 time=3.148 ms
84 bytes from 20.1.1.11 icmp_seq=5 ttl=64 time=3.453 ms
PC3>
PC3> ping 20.1.1.11
84 bytes from 20.1.1.11 icmp_seq=1 ttl=64 time=3.871 ms
84 bytes from 20.1.1.11 icmp_seq=2 ttl=64 time=2.950 ms
84 bytes from 20.1.1.11 icmp_seq=3 ttl=64 time=3.530 ms
84 bytes from 20.1.1.11 icmp_seq=4 ttl=64 time=4.095 ms
84 bytes from 20.1.1.11 icmp_seq=5 ttl=64 time=3.137 ms
PC3> ping 10.1.1.10
84 bytes from 10.1.1.10 icmp_seq=1 ttl=63 time=3.806 ms
84 bytes from 10.1.1.10 icmp_seq=2 ttl=63 time=3.037 ms
84 bytes from 10.1.1.10 icmp_seq=3 ttl=63 time=3.700 ms
84 bytes from 10.1.1.10 icmp_seq=4 ttl=63 time=2.816 ms
84 bytes from 10.1.1.10 icmp_seq=5 ttl=63 time=2.511 ms
PC4> ping 10.1.1.11
84 bytes from 10.1.1.11 icmp_seq=1 ttl=63 time=4.155 ms
84 bytes from 10.1.1.11 icmp_seq=2 ttl=63 time=3.964 ms
84 bytes from 10.1.1.11 icmp_seq=3 ttl=63 time=2.863 ms
84 bytes from 10.1.1.11 icmp_seq=4 ttl=63 time=3.105 ms
84 bytes from 10.1.1.11 icmp_seq=5 ttl=63 time=4.657 ms
(Configure the VACL and make sure PC1's traffic is dropped)
switch-1-(config)#access-list 10 permit host 10.1.1.10
switch-1-(config)#vlan access-map VACL 10
switch-1-(config-access-map)#match ip address 10
switch-1-(config-access-map)#action drop
switch-1-(config-access-map)#exit
switch-1-(config)#vlan access-map VACL 20
switch-1-(config-access-map)#action f
switch-1-(config-access-map)#action forward
switch-1-(config-access-map)#exit
switch-1-(config)#vlan filter VACL vlan-list 10
switch-1-(config)#exit
switch-1-#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/8 is directly connected, Vlan10
L 10.1.1.1/32 is directly connected, Vlan10
20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 20.0.0.0/8 is directly connected, Vlan20
L 20.1.1.1/32 is directly connected, Vlan20
switch-1-#show access-lists 10
Standard IP access list 10
10 permit 10.1.1.10 (15 matches)
switch-1-#show vlan filter
VLAN Map VACL is filtering VLANs:
10
switch-1-#show vlan access-map
Vlan access-map "VACL" 10
Match clauses:
ip address: 10
Action:
drop
Vlan access-map "VACL" 20
Match clauses:
Action:
forward
(Let's verify whether PC1 can communicate within and outside its VLAN)
PC1> ping 10.1.1.11
10.1.1.11 icmp_seq=1 timeout
10.1.1.11 icmp_seq=2 timeout
10.1.1.11 icmp_seq=3 timeout
10.1.1.11 icmp_seq=4 timeout
10.1.1.11 icmp_seq=5 timeout
PC1> ping 20.1.1.10
20.1.1.10 icmp_seq=1 timeout
20.1.1.10 icmp_seq=2 timeout
20.1.1.10 icmp_seq=3 timeout
20.1.1.10 icmp_seq=4 timeout
20.1.1.10 icmp_seq=5 timeout
PC2> ping 20.1.1.10
84 bytes from 20.1.1.10 icmp_seq=1 ttl=63 time=4.638 ms
84 bytes from 20.1.1.10 icmp_seq=2 ttl=63 time=3.912 ms
84 bytes from 20.1.1.10 icmp_seq=3 ttl=63 time=3.593 ms
84 bytes from 20.1.1.10 icmp_seq=4 ttl=63 time=4.297 ms
84 bytes from 20.1.1.10 icmp_seq=5 ttl=63 time=4.243 ms
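To make steps 1 to 5 and the ping results above concrete, here is an added Python model (not code from this page or from Cisco) that parses the VACL commands configured above and replays packets through the "entering the VLAN" check. It assumes the standard IOS semantics: a permit hit in the matched ACL means "this clause matches" (a deny hit or the implicit deny means "no match, try the next clause"), a clause without a match statement matches every packet, a clause without an action forwards, and a packet that matches no clause is dropped. The packet samples are constructed from the page's topology.

```python
"""Model of Cisco IOS VLAN access-map (VACL) evaluation for the lab above.
Constructed for illustration; only the syntax used on this page is parsed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class AclEntry:
    permit: bool
    source: str  # CIDR: 'host x' becomes x/32, 'any' becomes 0.0.0.0/0


@dataclass
class StandardAcl:
    number: int
    entries: List[AclEntry] = field(default_factory=list)

    def classify(self, src_ip: str) -> bool:
        """Inside a VACL the ACL only classifies: a permit hit means the clause
        matches; a deny hit or the implicit deny means it does not."""
        for e in self.entries:
            if ip_address(src_ip) in ip_network(e.source):
                return e.permit
        return False


@dataclass
class MapClause:
    seq: int
    match_acl: Optional[StandardAcl] = None  # None: clause matches every packet
    action: str = "forward"                  # IOS default when no action is set


@dataclass
class VlanAccessMap:
    name: str
    clauses: List[MapClause] = field(default_factory=list)

    def evaluate(self, src_ip: str) -> str:
        for clause in sorted(self.clauses, key=lambda c: c.seq):
            if clause.match_acl is None or clause.match_acl.classify(src_ip):
                return clause.action
        return "drop"  # no clause matched: VACLs drop by default


@dataclass
class Switch:
    vlan_filter: Dict[int, VlanAccessMap] = field(default_factory=dict)

    def ingress(self, vlan: int, src_ip: str, dst_ip: str) -> str:
        """Check a packet entering `vlan`. A VACL has no direction, so bridged
        (same-VLAN) and routed (to another VLAN) packets are treated alike."""
        vmap = self.vlan_filter.get(vlan)
        return "forward" if vmap is None else vmap.evaluate(src_ip)


def load_config(lines: List[str]) -> Switch:
    """Parse host/any standard ACL entries, vlan access-map, match ip address,
    action and vlan filter (vlan-list as comma-separated VLAN ids)."""
    acls: Dict[int, StandardAcl] = {}
    maps: Dict[str, VlanAccessMap] = {}
    sw, clause = Switch(), None
    for raw in lines:
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list":
            if t[3] == "host":
                src = t[4] + "/32"
            elif t[3] == "any":
                src = "0.0.0.0/0"
            else:
                raise ValueError("wildcard masks are not modelled: " + raw)
            num = int(t[1])
            acls.setdefault(num, StandardAcl(num)).entries.append(AclEntry(t[2] == "permit", src))
        elif t[:2] == ["vlan", "access-map"]:
            clause = MapClause(int(t[3]))
            maps.setdefault(t[2], VlanAccessMap(t[2])).clauses.append(clause)
        elif t[:3] == ["match", "ip", "address"]:
            clause.match_acl = acls[int(t[3])]
        elif t[0] == "action":
            clause.action = t[1]
        elif t[:2] == ["vlan", "filter"]:
            for v in t[4].split(","):
                sw.vlan_filter[int(v)] = maps[t[2]]
    return sw


# The VACL commands exactly as configured on the page
PAGE_CONFIG = [
    "access-list 10 permit host 10.1.1.10",
    "vlan access-map VACL 10",
    " match ip address 10",
    " action drop",
    "vlan access-map VACL 20",
    " action forward",
    "vlan filter VACL vlan-list 10",
]

# Constructed packets following the page's topology: (VLAN entered, src, dst)
PACKETS = {
    "PC1->PC2": (10, "10.1.1.10", "10.1.1.11"),  # stays within VLAN 10
    "PC1->PC3": (10, "10.1.1.10", "20.1.1.10"),  # VLAN 10 towards VLAN 20
    "PC2->PC3": (10, "10.1.1.11", "20.1.1.10"),
    "PC3->PC4": (20, "20.1.1.10", "20.1.1.11"),  # VLAN 20 has no filter
}


def lab_results(config: List[str] = PAGE_CONFIG) -> Dict[str, str]:
    sw = load_config(config)
    return {name: sw.ingress(*pkt) for name, pkt in PACKETS.items()}


def without_forward_clause() -> Dict[str, str]:
    """Same VACL with clause 20 omitted: every VLAN 10 packet that is not from
    PC1 now falls off the end of the map and hits the implicit drop."""
    return lab_results(PAGE_CONFIG[:4] + PAGE_CONFIG[6:])


if __name__ == "__main__":
    for name, verdict in lab_results().items():
        print(f"{name}: {verdict}")
```

Running it shows PC1's traffic dropped whether it stays in VLAN 10 or is routed towards VLAN 20, matching the timeouts above, while PC2 is forwarded by clause 20 and VLAN 20 is untouched. The without_forward_clause() variant shows why clause 20 matters: without it, the map's implicit drop silently discards all other VLAN 10 traffic, a common mistake when a VACL is meant to block only one host.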
THANK YOU SO MUCH FOR VISITING
1 comment:
Thank You Sir