Saturday, February 22, 2020

VLAN Access-List (VACL)

VLAN access-lists (VACL) are very useful if you want to filter traffic within the VLAN. Let me give you an example:
[Topology: two computers (H1, H2) and a server in VLAN 10]
Let’s say I want to make sure that the two computers are unable to communicate with the server. You could use port-security to filter MAC addresses, but this isn’t a very safe method.
I will show you how to configure a VACL so that the two computers won’t be able to reach the server. First we have to create an access-list:
SW1(config)#access-list 100 permit ip any host 192.168.1.100
First step is to create an extended access-list. Traffic from any source to destination IP address 192.168.1.100 should match my access-list. This might look confusing to you because your gut will tell you to use “deny” in this statement…don’t do it though, use the permit statement! In a VACL the access-list only classifies traffic: whatever the access-list permits is what the access-map entry matches, and it is the access-map’s action, not the access-list, that decides whether that traffic is dropped or forwarded.
SW1(config)#vlan access-map NOT-TO-SERVER 10
SW1(config-access-map)#match ip address 100
SW1(config-access-map)#action drop
SW1(config-access-map)#vlan access-map NOT-TO-SERVER 20
SW1(config-access-map)#action forward
Next step is to create the VACL. Mine is called “NOT-TO-SERVER”.
• Sequence number 10 will look for traffic that matches access-list 100. All traffic that is permitted in access-list 100 will match here. The action is to drop this traffic.
• Sequence number 20 doesn’t have a match statement, so everything will match. The action is to forward traffic.
As a result all traffic from any host to destination IP address 192.168.1.100 will be dropped, everything else will be forwarded.
SW1(config)#vlan filter NOT-TO-SERVER vlan-list 10
Last step is to apply the VACL to the VLANs you want. I apply mine to VLAN 10. Let’s see if this works or not…
C:\Documents and Settings\H1>ping 192.168.1.100

Pinging 192.168.4.4 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.4.4:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
H1 is no longer able to reach the server.
You can use VACLs to do some cool stuff, maybe you want to block IPv6 traffic for all hosts within a VLAN:
SW1(config)#mac access-list extended NO-IPV6
SW1(config-ext-macl)#permit any any 0x86DD 0x000
First I’ll create a MAC access-list that filters on ethertypes. 0x86DD is the ethertype for IPv6 traffic.
SW1(config)#vlan access-map BLOCK-IPV6 10
SW1(config-access-map)#match mac address NO-IPV6
SW1(config-access-map)#action drop
SW1(config-access-map)#vlan access-map BLOCK-IPV6 20
SW1(config-access-map)#action forward
• Sequence number 10 will match traffic that is defined in MAC access-list “NO-IPV6”. It will match on Ethernet frames with ethertype 0x86DD as defined in the MAC access-list. The action is to drop traffic.
• Sequence number 20 does not have a match statement so everything will match. The action is to forward traffic.
As a result IPv6 traffic will be dropped and all other traffic will be forwarded.
SW1(config)#vlan filter BLOCK-IPV6 vlan-list 20
Don’t forget to apply the access-map to a VLAN with the vlan filter command. I’ll activate it on VLAN 20 this time.
hostname SW1
!
mac access-list extended NO-IPV6
 permit any any 0x86DD 0x0
!
vlan access-map NOT-TO-SERVER 10
 action drop
 match ip address 100
vlan access-map NOT-TO-SERVER 20
 action forward
vlan access-map BLOCK-IPV6 10
 action drop
 match mac address NO-IPV6
vlan access-map BLOCK-IPV6 20
 action forward
!
vlan filter NOT-TO-SERVER vlan-list 10
vlan filter BLOCK-IPV6 vlan-list 20
!
access-list 100 permit ip any host 192.168.1.100
!
end
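The two VACLs from the running config above, modelled in Python as an added example (not part of the original lesson or Cisco’s code) so you can see the matching logic step by step: an access-list “permit” only selects traffic, the first matching sequence wins, a sequence without a match clause matches everything, and, per Cisco’s documented VACL behaviour, a frame that matches no sequence at all is dropped. The frames fed in are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Frame:
    # Constructed sample frame: only the fields the two VACLs look at.
    ethertype: int
    src_ip: str = ""
    dst_ip: str = ""


# access-list 100 permit ip any host 192.168.1.100 (a classifier, not a filter)
IP_ACL_100 = [("permit", "any", "192.168.1.100/32")]
# mac access-list extended NO-IPV6 / permit any any 0x86DD 0x0
MAC_ACL_NO_IPV6 = [("permit", 0x86DD)]


def ip_acl_matches(acl, frame):
    """True when an ACE 'permits' the frame, i.e. the VACL selects it."""
    if frame.ethertype != 0x0800 or not frame.dst_ip:
        return False
    for action, _src, dst in acl:  # source 'any' is assumed in this model
        if ipaddress.ip_address(frame.dst_ip) in ipaddress.ip_network(dst):
            return action == "permit"
    return False  # implicit deny at the end of an ACL: traffic not selected


def mac_acl_matches(acl, frame):
    """Ethertype-only model of the MAC access-list (mask 0x0 = exact match)."""
    return any(a == "permit" and et == frame.ethertype for a, et in acl)


def vacl_apply(access_map, frame):
    """Evaluate an access-map: list of (sequence, match-fn or None, action).
    First matching sequence wins; None matches everything; no match -> drop."""
    for _seq, match, action in sorted(access_map, key=lambda e: e[0]):
        if match is None or match(frame):
            return action
    return "drop"  # Cisco's implicit deny when no sequence matches


# vlan access-map NOT-TO-SERVER 10/20 and BLOCK-IPV6 10/20 from the lesson
NOT_TO_SERVER = [(10, lambda f: ip_acl_matches(IP_ACL_100, f), "drop"),
                 (20, None, "forward")]
BLOCK_IPV6 = [(10, lambda f: mac_acl_matches(MAC_ACL_NO_IPV6, f), "drop"),
              (20, None, "forward")]

if __name__ == "__main__":
    print(vacl_apply(NOT_TO_SERVER, Frame(0x0800, "192.168.1.1", "192.168.1.100")))
    print(vacl_apply(NOT_TO_SERVER[:1], Frame(0x0800, "192.168.1.1", "192.168.1.2")))
```

The last line shows why sequence 20 matters: with only the drop entry configured, even traffic that access-list 100 does not select is dropped.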

That’s all there is to it, I hope this lesson has been helpful.
