VLAN Access Lists Lab#01

Wednesday, June 23rd, 2010

You can learn all you want about ACL’s until you’re blue in the face, but what if the traffic never traverses an interface? How do you control traffic within a VLAN? That’s where VACL’s come in.

VLAN access-lists filter packets within a VLAN; unlike a router access-list (RACL) applied to an interface, there is no IN/OUT direction to apply them in.

First we’ll start with what we know works. Two devices within the same VLAN, in this case, VLAN 10.

  • PC A – 192.168.10.5 /24 connected to port fa0/1
  • PC B – 192.168.10.10 /24 connected to port fa0/24
  • Switch – 2950

We make sure that both devices can ping each other.
*note: Both PC’s are actually routers. PC A is a 1720 while PC B is a 1811.

PC-A#ping 192.168.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

PC-B#ping 192.168.10.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Now that we know there is full connectivity between the two hosts, we can begin to create a VACL to limit access to one of them!

The configuration on the switch is pretty straightforward; there are only a few steps:

  1. Create the ACL for the device(s) in question.
  2. Create the access-map
  3. Apply the access-map to the VLAN.

Here’s the configuration on the Cisco 3550 switch.

Create the ACL
SW-3550-01(config)#ip access-list extended bt_subnet
SW-3550-01(config-ext-nacl)#permit ip host 192.168.10.5 host 192.168.10.10
SW-3550-01(config-ext-nacl)#exit

Create the access-map
SW-3550-01(config)#vlan access-map brandontek 1
SW-3550-01(config-access-map)#match ip address bt_subnet
SW-3550-01(config-access-map)#action drop
SW-3550-01(config-access-map)#exit
SW-3550-01(config)#vlan access-map brandontek 2
SW-3550-01(config-access-map)#action forward
SW-3550-01(config-access-map)#exit

Apply to VLAN
SW-3550-01(config)#vlan filter brandontek vlan-list 1

Before we go onto the behavior of this configuration, we’ll talk a little bit about the access-map and what the commands mean.

  • First you simply create the access-map name along with a sequence number. ex: vlan access-map map-name [sequence-number]
    The access-maps are evaluated in sequence order, just like regular ACL’s. 1,2,3,4,10,20,50 etc….
  • Second you are then brought into access-map config mode. Here you define the traffic to be filtered via an independently configured ACL.
    This is why I had created the ACL before the access-map, so that at this point, now you can apply it. In this case, the ACL is called: bt_subnet
  • Third, you now define the action to take on the traffic that MATCHES your ACL statement. When PC-A traffic is generated, it will match the bt_subnet
    ACL, and in this case, the action for this traffic is DROP. The actions you can choose from are:

    1. action
    2. drop
    3. forward
    4. redirect
  • Fourth, apply our newly created access-map to a VLAN ID.

So once we’ve applied the access-map, what happens now to our traffic from PC-A to PC-B?

PC-A#ping 192.168.10.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

PC-B#ping 192.168.10.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

But wait? Why is PC-B not able to communicate with PC-A? The access-list only applies to PC-A, right? But the diagram shows PC-B able to communicate? I’m confused?
Ahhh!! Keep reading!

Do not be fooled!

Your question is indeed valid. PC-B in fact is ABLE to reach PC-A. What’s happening here is that the VACL is blocking PC-A access to PC-B. When PC-B attempts to communicate with PC-A, it is able to get through, but replies back to PC-B are BLOCKED!

Here we do a little verification and debugging.

DEBUG IP ICMP
PC-A#debug ip icmp
ICMP packet debugging is on

NOW WE PING PC-A FROM PC-B AGAIN.

PC-B#ping 192.168.10.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

OUTPUT FROM DEBUG
PC-A#
01:38:51: ICMP: echo reply sent, src 192.168.10.5, dst 192.168.10.10
PC-A#
01:38:53: ICMP: echo reply sent, src 192.168.10.5, dst 192.168.10.10
PC-A#
01:38:55: ICMP: echo reply sent, src 192.168.10.5, dst 192.168.10.10
PC-A#
01:38:57: ICMP: echo reply sent, src 192.168.10.5, dst 192.168.10.10
PC-A#
01:38:59: ICMP: echo reply sent, src 192.168.10.5, dst 192.168.10.10

As you can see, IP packets are able to get to PC-A, but the response is blocked going back to PC-B! This explains why in the second diagram, I continue to show that traffic is able to get to PC-A.
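To make the access-map evaluation order from the steps above, and the one-way block just demonstrated, concrete, here is a small Python model of how the switch applies the map. It is an added example, not code from this page or from Cisco; the packet/ACL model is an assumption that mirrors the behaviour the lab shows (a sequence with no match clause matches everything, the first matching sequence wins, anything unmatched is dropped), and it goes one step beyond the lab with a two-ACE ACL that blocks both directions.

```python
# Constructed model of how a VACL (vlan access-map) evaluates packets inside
# a VLAN. Not Cisco code: assumptions are that a sequence with no match
# clause matches all traffic, the first matching sequence's action wins,
# and a packet matching no sequence hits the implicit VACL drop.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    """One extended-ACL entry: permit/deny ip <src> <dst> ('host x' or 'any')."""
    permit: bool
    src: str
    dst: str

    def hits(self, s: str, d: str) -> bool:
        return self.src in ("any", s) and self.dst in ("any", d)


def acl_permits(acl: List[Ace], s: str, d: str) -> bool:
    """A packet is selected by a match clause only if its first hit is a permit."""
    for ace in acl:
        if ace.hits(s, d):
            return ace.permit
    return False  # implicit deny: this match clause does not select the packet


@dataclass
class MapSeq:
    action: str                        # "drop" or "forward"
    match: Optional[List[Ace]] = None  # None = no match clause = matches all


def vacl_action(seqs: List[MapSeq], s: str, d: str) -> str:
    """Walk the access-map in sequence order; no match anywhere means drop."""
    for seq in seqs:
        if seq.match is None or acl_permits(seq.match, s, d):
            return seq.action
    return "drop"


def ping_exchange(seqs: List[MapSeq], src: str, dst: str) -> Tuple[str, str]:
    """Return (echo request action, echo reply action) for a ping src -> dst."""
    return vacl_action(seqs, src, dst), vacl_action(seqs, dst, src)


# The lab's map 'brandontek': seq 1 drops PC-A -> PC-B, seq 2 forwards the rest.
PC_A, PC_B = "192.168.10.5", "192.168.10.10"
bt_subnet = [Ace(True, PC_A, PC_B)]
brandontek = [MapSeq("drop", bt_subnet), MapSeq("forward")]

# Assumed variant with a second ACE so the block is symmetric (both directions).
bt_both = [Ace(True, PC_A, PC_B), Ace(True, PC_B, PC_A)]
brandontek_both = [MapSeq("drop", bt_both), MapSeq("forward")]
```

Running `ping_exchange(brandontek, PC_B, PC_A)` gives `("forward", "drop")`, which is exactly the debug output above: the request reaches PC-A and the reply is dropped.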

Conclusion

I’m not really sure how many production networks utilize VACL’s. There are some other choices as well such as Private VLAN’s. But PVLAN’s work a little differently. In any event, this is yet another security feature that you can take advantage of, if your switch supports VLAN access-lists!

  • mst

    one thing to note.. if doing this on a 650x cat with ios.. it will balk at not having a match for the seq 20 of the vlan access map.
    methlab-l3router(config)#vlan access-map vl2 20
    methlab-l3router(config-access-map)#action drop
    methlab-l3router(config-access-map)#exit
    %FM-VACL: Missing/Invalid match clause – Map vl2 sequence 20 is removed

    yet on a 3550 it works fine
    lab-mgmt-sw(config)#vlan access-map vlmap 20
    lab-mgmt-sw(config-access-map)#ac
    lab-mgmt-sw(config-access-map)#action drop
    lab-mgmt-sw(config-access-map)#exit
    lab-mgmt-sw(config)#exit

  • Anonymous

    Hi Brandontek, would you like exchange link with my cisco tutorial link blog ? 

    http://cisco.tutbook.net

  • Brandon Kim (http://twitter.com/brandontek)

    I will take a look at your website. Thanks for checking in…

  • Elia Spadoni (http://www.facebook.com/people/Elia-Spadoni/1664013802)

    Well, very nice!
    I have a big problem on a 3550!
    What if I have 3 vlans (vlan 2,3,4) each one with its own ip on the switch 172.16.2.254; 3.254, 4.254, what should I do if I would like to block with an ACL traffic coming from the hosts in the vlan and going out to another vlan? I have put access-group xx in on the vlan2 or vlan3 but it doesn't match!

  • Brandon Kim (http://twitter.com/brandontek)

    Hi Elia,

    Can you post your config?