VACL - Vlan Filter
One for the floor!
I have been looking at VLAN filter today but didn't get much time on it. The objective is to allow devices in a VLAN to access only what they should access and drop the rest.
I wanted the devices in the VLAN to be able to telnet one another, but that didn't come off. I played with a few ACL statements.
Assume devices are in subnet 10.1.1.x
If anyone has any insights it would be most welcome. Will try and get at it tomorrow if time allows.
Comments
Ryan82 Member Posts: 428
ConstantlyLearning Member Posts: 445
Turgon wrote: »One for the floor!
I have been looking at VLAN filter today but didn't get much time on it. The objective is to allow devices in a VLAN to access only what they should access and drop the rest.
I wanted the devices in the VLAN to be able to telnet one another, but that didn't come off. I played with a few ACL statements.
Assume devices are in subnet 10.1.1.x
If anyone has any insights it would be most welcome. Will try and get at it tomorrow if time allows.
Good article.
VLAN Access Control Lists (VACLs) Tier 1 - CCIE Blog
I did up a lab there and it worked fine. (To deny ICMP traffic from 10.1.1.0 to 10.1.1.0 and allow everything else)
2 hosts connected to a 3550 on vlan 1.
On the 3550 I created an access list: access-list 100 permit ICMP 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
I then created the access-map to drop anything matching the access-list and to allow (forward) anything else.
Then applied the access-map to vlan 1
Tested and it worked fine.
What did you try to do exactly Turgon?
"There are 3 types of people in this world, those who can count and those who can't"
Turgon Banned Posts: 6,308 ■■■■■■■■■□
ConstantlyLearning wrote: »Good article.
VLAN Access Control Lists (VACLs) Tier 1 - CCIE Blog
I did up a lab there and it worked fine. (To deny ICMP traffic from 10.1.1.0 to 10.1.1.0 and allow everything else)
2 hosts connected to a 3550 on vlan 1.
On the 3550 I created an access list: access-list 100 permit ICMP 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
I then created the access-map to drop anything matching the access-list and to allow (forward) anything else.
Then applied the access-map to vlan 1
Tested and it worked fine.
What did you try to do exactly Turgon?
Yes I did something similar to this but it didn't quite come off. I just found this link myself tonight. I will have a bit more time on it today so will see if I can get the desired result. Cheers.
Turgon Banned Posts: 6,308 ■■■■■■■■■□
Well I *think* I got my desired objective achieved today, although I ran out of time to do more testing to be totally sure. The VLAN concerned is secured in terms of what it can connect to and what can connect to it.
CiskHo Member Posts: 188
Turgon wrote: »The VLAN concerned is secured in terms of what it can connect to and what can connect to it.
My Lab Gear:
2811(+SW/POE/ABGwifi/DOCSIS) - 3560G-24-EI - 3550-12G - 3550POE - (2) 2950G-24 - 7206VXR - 2651XM - (2) 2611XM - 1760 - (2) CP-7940G - ESXi Server
Just Finished: RHCT (1/8/11) and CCNA:S (Fall 2010)
Prepping For: VCP and CCNP SWITCH, ROUTE, TSHOOT
Turgon Banned Posts: 6,308 ■■■■■■■■■□
CiskHo wrote: »GJ! ^Sounds like a working VACL to me!
It seems so. I had an IP SLA ping fail without the appropriate permit ACL entry in the forward part of the VACL.
Turgon Banned Posts: 6,308 ■■■■■■■■■□
The VACL hosed an OSPF adjacency. No ACL amendments using ospf lit it up. In the end I went for ip ospf network non-broadcast for the link, neighbor statements and an nssa, and all is well. Cool.
tim100 Member Posts: 162
Don't forget the one very important detail with VACLs, which is that once you make a change to the VACL you have to re-apply it.
ZblaJhaNi Member Posts: 35 ■■□□□□□□□□
Hi,
I have problems with VACL.
Basically I just want to deny ICMP packets between the two PCs within the VLAN.
Here is my configuration:
ip access-list extended VACL_test
permit icmp host 192.168.1.7 host 192.168.1.6 (I also tried ip instead of icmp)
vlan access-map SIKC 1
action drop
match ip address VACL_test
vlan access-map SIKC 2
action forward
vlan filter SIKC vlan-list 30
Thanks for help.
...to the stars through difficulties...
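Added example, not code from the thread and not Cisco's: a small Python model of how a VACL decides a packet's fate, fed with the two configurations discussed above (ConstantlyLearning's numbered-ACL lab and ZblaJhaNi's SIKC map). It parses the IOS subset the posts use and applies the rules the thread relies on: access-map entries are tried in sequence order, the first entry whose ACL permits the packet decides the action, an entry without a match clause matches everything, and a packet that matches no entry is dropped (the implicit deny behind Turgon's IP SLA ping failing without a permit in the "forward part"). Two things the model makes visible: ZblaJhaNi's ACL names only the .7 to .6 direction, so ICMP the other way is forwarded by the catch-all entry (it does not say why his switch failed to drop at all; tim100's point about re-applying the filter after an edit is one thing to check), and leaving the catch-all "action forward" entry out drops every other protocol, telnet included. The map name NOPING, the hostname-free config strings and all packet addresses are constructed for the example.

```python
# Added example (not from the thread): toy model of Cisco VACL evaluation.
# Handles extended and numbered ACLs, vlan access-map / action / match ip
# address, and vlan filter; contiguous wildcards and single VLAN ids only.
import ipaddress
from dataclasses import dataclass

@dataclass
class AclEntry:
    permit: bool                  # a matching deny line ends with "no match"
    proto: str                    # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

@dataclass
class MapEntry:
    seq: int
    action: str = "drop"
    acl: str = ""                 # "" = no match clause, matches every packet

def _parse_addr(tokens):
    """Consume one IOS address spec: 'host A' or 'A WILDCARD'."""
    if tokens[0].lower() == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wild = int(ipaddress.ip_address(tokens[1]))
    mask = str(ipaddress.ip_address(wild ^ 0xFFFFFFFF))   # wildcard -> netmask
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def _parse_rule(tokens):
    """'permit|deny PROTO SRC DST' -> AclEntry."""
    src, rest = _parse_addr(tokens[2:])
    dst, _ = _parse_addr(rest)
    return AclEntry(tokens[0].lower() == "permit", tokens[1].lower(), src, dst)

def parse_config(text):
    """Return (acls, access_maps, vlan_filters) parsed from IOS-style text."""
    acls, maps, filters = {}, {}, {}
    cur_acl, cur_map = None, None
    for raw in text.splitlines():
        t = raw.split()
        kw = [x.lower() for x in t]          # keywords are case-insensitive
        if not t:
            continue
        if kw[:3] == ["ip", "access-list", "extended"]:
            cur_acl, cur_map = acls.setdefault(t[3], []), None
        elif kw[0] == "access-list":                          # numbered ACL
            acls.setdefault(t[1], []).append(_parse_rule(t[2:]))
        elif kw[0] in ("permit", "deny") and cur_acl is not None:
            cur_acl.append(_parse_rule(t))
        elif kw[:2] == ["vlan", "access-map"]:
            cur_map, cur_acl = MapEntry(int(t[3])), None
            maps.setdefault(t[2], []).append(cur_map)
        elif kw[0] == "action" and cur_map is not None:
            cur_map.action = kw[1]
        elif kw[:3] == ["match", "ip", "address"] and cur_map is not None:
            cur_map.acl = t[3]
        elif kw[:2] == ["vlan", "filter"]:
            for v in t[4].split(","):
                filters[int(v)] = t[2]
    for entries in maps.values():
        entries.sort(key=lambda e: e.seq)    # entries are tried in sequence order
    return acls, maps, filters

def acl_permits(entries, proto, src, dst):
    """Ordinary ACL semantics: first matching line wins, implicit deny at the end."""
    for e in entries:
        if e.proto in ("ip", proto) and src in e.src and dst in e.dst:
            return e.permit
    return False

def vacl_action(cfg, vlan, proto, src, dst):
    """'forward' or 'drop' for a packet entering the given VLAN."""
    acls, maps, filters = cfg
    if vlan not in filters:
        return "forward"                     # no VACL applied to this VLAN
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for m in maps[filters[vlan]]:
        if not m.acl or acl_permits(acls.get(m.acl, []), proto, src, dst):
            return m.action
    return "drop"                            # nothing matched: VACL implicit deny

# Constructed from ZblaJhaNi's post; the ACL names only the .7 -> .6 direction.
ZBLA_CFG = """
ip access-list extended VACL_test
 permit icmp host 192.168.1.7 host 192.168.1.6
vlan access-map SIKC 1
 action drop
 match ip address VACL_test
Vlan access-map SIKC 2
 action forward
vlan filter SIKC vlan-list 30
"""
# Constructed from ConstantlyLearning's numbered ACL, with the catch-all
# "action forward" entry deliberately left out; map name NOPING is assumed.
NO_CATCHALL_CFG = """
access-list 100 permit ICMP 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
vlan access-map NOPING 10
 action drop
 match ip address 100
vlan filter NOPING vlan-list 1
"""

if __name__ == "__main__":
    z, n = parse_config(ZBLA_CFG), parse_config(NO_CATCHALL_CFG)
    print("SIKC icmp .7->.6:", vacl_action(z, 30, "icmp", "192.168.1.7", "192.168.1.6"))
    print("SIKC icmp .6->.7:", vacl_action(z, 30, "icmp", "192.168.1.6", "192.168.1.7"))
    print("NOPING telnet:", vacl_action(n, 1, "tcp", "10.1.1.1", "10.1.1.2"))
```

Run it as a script to see the three verdicts, or call vacl_action with your own VLAN, protocol and addresses after parsing a config string. The point of the second config is the failure mode: with no catch-all forward entry, the telnet packet matches nothing and the VACL drops it.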
glennanewman Registered Users Posts: 1 ■□□□□□□□□□
Check out port ACLs (PACLs) with MAC or IP based access lists. They work on 6500s, not sure about edge switches.
Catalyst 6500 Release 12.2SX Software Configuration Guide - Port ACLs (PACLs) and VLAN ACLs (VACLs) [Cisco Catalyst 6500 Series Switches] - Cisco Systems