VACL - Vlan Filter

One for the floor!

I have been looking at VLAN filter today but didnt get much time on it. The objective is to allow devices in a VLAN to be able to access only what they should access and drop the rest.

I wanted the devices in the VLAN to be able to telnet one another but that didnt come off. I played with a few ACL statements.

Assume devices are in subnet 10.1.1.x

If anyone has any insights it would most welcome. Will try and get at it tomorrow if time allows.

Find more posts tagged with

Comments

Ryan82

This document looks pretty helpful:

Catalyst 3560 Switch Software Configuration Guide, Rel. 12.2(44)SE - Configuring Network Security with ACLs [Cisco Catalyst 3560 Series Switches] - Cisco Systems

jovan88

Thanks for the link

ConstantlyLearning

Turgon wrote: »

One for the floor!

I have been looking at VLAN filter today but didnt get much time on it. The objective is to allow devices in a VLAN to be able to access only what they should access and drop the rest.

I wanted the devices in the VLAN to be able to telnet one another but that didnt come off. I played with a few ACL statements.

Assume devices are in subnet 10.1.1.x

If anyone has any insights it would most welcome. Will try and get at it tomorrow if time allows.

Good article.
VLAN Access Control Lists (VACLs) Tier 1 - CCIE Blog

I did up a lab there and it worked fine. (To deny ICMP traffic from 10.1.1.0 to 10.1.1.0 and allow everything else)

2 hosts connected to a 3550 on vlan 1.

On the 3550 I created an access list: access-list 100 permit ICMP 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255

I then created the access-map to drop anything matching the access-list and to allow (forward) anything else.

Then applied the access-map to vlan 1

Tested and it worked fine.

What did you try to do exactly Turgon?

Turgon

ConstantlyLearning wrote: »

Good article.
VLAN Access Control Lists (VACLs) Tier 1 - CCIE Blog

I did up a lab there and it worked fine. (To deny ICMP traffic from 10.1.1.0 to 10.1.1.0 and allow everything else)

2 hosts connected to a 3550 on vlan 1.

On the 3550 I created an access list: access-list 100 permit ICMP 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255

I then created the access-map to drop anything matching the access-list and to allow (forward) anything else.

Then applied the access-map to vlan 1

Tested and it worked fine.

What did you try to do exactly Turgon?

Yes I did something similar to this but it didnt quite come off. I just found this link myself tonight. I will have a bit more time on it today so will see if I can get the desired result. Cheers.

Turgon

Well I *think* I got my desired objective achieved today although I ran out of time to do more testing to be totally sure. The VLAN concerned is secured in terms of what it can connect to and what can connect to it.

CiskHo

Turgon wrote: »

The VLAN concerned is secured in terms of what it can connect to and what can connect to it.

GJ!

^Sounds like a working VACL to me!

Turgon

CiskHo wrote: »

GJ! ^Sounds like a working VACL to me!

It seems so..I had an IP SLA ping fail without the appropriate permit ACL entry in the forward part of the VACL

Turgon

The VACL hosed an OSPF adjacency. No ACL amendments using ospf lit it up. In the end I went for ip ospf network non-broadcast for the link, neighbor statements and an nssa and all is well. Cool.

tim100

Don't forget the one very important detail with VACLs which is that once you make a change to the VACL you have to re-apply it.

ZblaJhaNi

Hi,

I have the problems with VACL.
Basically i just want to deny an icmp packets between the two PCs within the VLAN.

Here is my configuration:

ip access-list extended VACL_test
permit icmp host 192.168.1.7 host 192.168.1.6 (i also try the ip instead of icmp)

vlan access-map SIKC 1
action drop
match ip address VACL_test
Vlan access-map SIKC 2
action forward

vlan filter SIKC vlan-list 30

Thanks for help

ZblaJhaNi

Anyone?

glennanewman

Check out port ACLs (PACLs) with MAC or IP based access lists. They work on 6500s, not sure about edge switches.

Catalyst 6500 Release 12.2SX Software Configuration Guide - Port ACLs (PACLs) and VLAN ACLs (VACLs) [Cisco Catalyst 6500 Series Switches] - Cisco Systems