VLAN Access-List (VACL)


(Rene Molenaar) #1

This topic is to discuss the following lesson:


(geoff o) #2

Hi, just getting ready for CCNP SWITCH.

I was wondering how you edit / update VACLs?
Do you need to use a text editor, like with standard ones?
Reload the switch?

An example of changing requirements: say you add a new server, 192.168.1.101.


(Rene Molenaar) #3

Hi Geoff,

You can edit the access-list, no problem at all. I’m not 100% sure if it will be active right away or if you need to remove + add the VACL again before it is applied. If you want to know, I can try it and let you know the results.

Rene


(Ronie S) #4

Hi Rene,

I was trying to use a VACL with a MAC access-list to prevent traffic from Computer A to Computer B. Both computers are connected directly to Switch A as follows:

Switch A
    Computer A                  Computer B
    IP  192.168.1.1             IP  192.168.1.2
    MAC 0023.2343.5678          MAC 0023.2343.5679

*******************************************************************

Configuration on Switch A:

mac access-list extended test
 permit any host 0023.2343.5679
vlan access-map test1 10
 match mac address test
 action drop
vlan access-map test1 20
 action forward
vlan filter test1 vlan-list 1   (knowing all switch ports are in the default VLAN 1)

*******************************************************************************

Testing

Once I tried to ping from Computer A to B, the ping request timed out 5 times, and after 5 times, ping started to reply successfully 8 times and was blocked 5 times again. It kept rotating like that.

***********************************************************

Do you know what I am missing? Please advise. Thank you in advance.

Best Regards,

Ronie


(Frades) #5

wow, similar to route-map. awesome!

I have a question, on the 1st sentence you said that we can prevent both computers from communicating with the server by using “port security”. Could you elaborate on how port-security will filter the traffic of computers going to the server?


(Rene Molenaar) #6

@Ronie I just did some testing and I’m also seeing strange results when using a mac access-list to filter MAC addresses. I used two routers and one 3560 switch. When I apply the vlan filter, the routers are still able to ping each other until I clear their ARP tables. Once I do that, they are unable to reach each other anymore since some of the ARP packets get filtered.

I would expect all traffic that matches one of the MAC addresses to be filtered but for whatever reason, it’s acting weird.

@Frades you can use port security to set a limit to the number of MAC addresses or you can use it as a MAC address filter. The last option will do the job but it’s not very secure, MAC addresses are easy to spoof.


(Hamood R) #7

Rene,

Great lesson, however I have a question. When we applied the filter to a certain VLAN, in the example it is VLAN 10. Does it mean all traffic from VLAN 10 will be blocked? Please clarify.

Thanks

Hamood


(Rene Molenaar) #8

Hi Hamood,

It will be applied to all traffic in VLAN 10 yes, depending on what you configured on the access-list.

Rene


(Hans d) #9

Hi Rene,

I have some weird results when I try to configure a vlan access-map:

DSW1(config)#vlan access-map ?

DSW1(config)#vlan access-map
Command rejected: Bad VLAN list - character #1 is a non-numeric
character ('a').

When I copy and paste your commands, it returns an “Invalid character detected”.
I’ve tried this on a switch running SW version 12.1 and 15.0, both do the same.

Any ideas?

Regards,

Hans de Roode


(Rene Molenaar) #10

Hi Hans,

What device/IOS are you using? It seems it doesn’t know the vlan access-map command. Instead it thinks you want to create a VLAN called ‘a’ (first letter it finds) which returns an error since VLANs can only have numbers.

Here’s the output of a switch:

Switch(config)#vlan ?
  WORD           ISL VLAN IDs 1-4094
  access-log     Configure VACL logging
  access-map     Create vlan access-map or enter vlan access-map command mode
  accounting     VLAN accounting configuration
  configuration  vlan feature configuration mode
  filter         Apply a VLAN Map
  group          Create a vlan group
  internal       internal VLAN

Above you can see it supports vlan access-maps.

Switch(config)#vlan access-map ?
  WORD  Vlan access map tag
Switch(config)#vlan access-map TEST
Switch(config-access-map)#

Rene


(Hans d) #11

Hi Rene,
I’m using a 2950 with SW version 12.1 and an IE200 with SW version 15.0, and there is no access-map command.
I just tried an IE3000 and that one has the access-map command.

Problem solved, it’s model related.

Thank you for your help.
Regards,
Hans de Roode.


(Jie C) #12

Private VLANs can also achieve the same goal, can’t they? What could be different from the design point of view?


(Jie C) #13

Seems like VACL is more flexible when it comes to specific traffic requirements. Thanks Rene


(Rene Molenaar) #14

Hi Jie,

Private VLANs allow you to restrict traffic between VLANs or when you use the isolated VLAN, it prevents hosts within the VLAN from communicating with each other (similar to the protected port).

The VLAN access-list allows you to filter specific traffic within a VLAN.

Rene


(Jason W) #15

Rene, Do you have a lesson on Port ACLs (PACL)?


(Rene Molenaar) #16

Hi Jason,

Not yet, but let me show you something here. A Port ACL is a standard, extended or MAC access-list that is applied to a L2 switchport. For example:

Switch(config)#ip access-list extended PERMIT_EVERYTHING
Switch(config-ext-nacl)#permit ip any any

Switch(config)#interface GigabitEthernet 0/1
Switch(config-if)#ip access-group PERMIT_EVERYTHING in

Or if you want to filter MAC addresses:

Switch(config)#mac access-list extended SOURCE_MAC
Switch(config-ext-macl)#permit host fa16.3e0d.b11f any

Switch(config)#interface GigabitEthernet 0/2
Switch(config-if)#mac access-group SOURCE_MAC in

Rene


(Jason W) #17

If we want to drop Computer A and B from accessing the server…. I get that we create a permit ACL (100) and anything that matches it is dropped with VACL 10…. But what is the point of VACL 20? With the way VACL 10 is written… not only will Computer A and B be dropped… but Computer C, Computer D, Computer E, etc. etc. will be dropped as well. Why do we have to have a forward-all-other-traffic list? There’s nothing to forward because all source IPs wanting to reach the server will be dropped……why do you have to follow it up with VACL 20?

Let’s say there was also a Computer C 192.168.1.3 and a Computer D 192.168.1.4 etc. etc.…… And we want Computer C and Computer D etc. to reach the server. We only want Computer A and B to be denied (dropped) as you have shown…

I think I understand the access list 100 is what matches us to the server… and the “action drop” will drop Computer A and B from accessing the server…. But what about the access-list 100 or the match statement defines just Computer A and B? How do you differentiate between Computer A & B… and the rest?


(Rene Molenaar) #18

Hi Jason,

Let’s look at the VACL:

SwitchA(config)#access-list 100 permit ip any host 192.168.1.100

SwitchA(config)#vlan access-map NOT-TO-SERVER 10
SwitchA(config-access-map)#match ip address 100
SwitchA(config-access-map)#action drop
SwitchA(config-access-map)#vlan access-map NOT-TO-SERVER 20
SwitchA(config-access-map)#action forward

Thanks to statement 10, all traffic with destination 192.168.1.100 will be dropped. This includes any device in the 192.168.1.0/24 subnet. So far so good.

If you don’t add statement 20 then ALL traffic will be dropped. For example, when 192.168.1.1 tries to reach 192.168.1.2, it would be dropped. That’s why we added statement 20.

If you only want to prevent ComputerA + B from reaching the server then you could specify these IP addresses in the access-list. However, since IP addresses are easy to change it would probably be better to create more separation by adding another VLAN. Use one VLAN where hosts are allowed to reach the server, another one where it’s not allowed and use access-lists on the SVI interfaces instead.

Rene


(Jason W) #19

ACLs and Route Maps are my biggest struggle in my network studies. I understand your first sentence about statement 10. Your second sentence about statement 20 is confusing.
“If you don’t add statement 20 then ALL traffic will be dropped. For example, when 192.168.1.1 tries to reach 192.168.1.2, it would be dropped. That’s why we added statement 20”
Why would that be the case? The Access-list and statement 10 are very specific in saying if any host tries to reach 192.168.1.100 (the server) – DROP IT. That being the case…. Why would 192.168.1.1 to be able to reach 192.168.1.2? I don’t see how all traffic is dropped when we are so specific with the creation of the ACL 192.168.1.100


(Rene Molenaar) #20

Hi Jason,

This is because the default action is always to drop the traffic. Without that second statement, the default action will be drop. That’s why I added it. Without any access-list in statement 20, all remaining traffic is permitted.

The same thing applies to normal access-lists. Everything you don’t permit is denied by the invisible “deny any” at the bottom of the access-list.

Rene
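The two points Rene makes in #18 and #20 (the first matching sequence decides the action, and a VLAN map ends in an implicit drop, so sequence 20 with a bare `action forward` is what lets 192.168.1.1 reach 192.168.1.2) are easy to check in a small model. The block below is an added example written for this thread; it is not code from the lesson or from Cisco, and the MAC addresses, the server MAC and the IP addresses are constructed test data. It also models Ronie's `test1` map from #4 under the rule documented for the Catalyst 3560/3750 family, where `match mac address` in a VLAN map applies to non-IP frames only, which is why an IP ping is not stopped by a MAC-only map while an ARP frame to the same MAC is. The model only illustrates these matching rules; it does not reproduce the exact ping pattern Ronie saw.

```python
"""Toy model of how a Cisco VLAN access-map (VACL) decides a frame's fate.

Added example, not code from the thread or from Cisco. It encodes the rules
Rene describes above: sequences are tried in order, a sequence with no match
clause matches everything, the first match decides the action, and a frame
that matches no sequence is dropped. 'match mac address' follows the Catalyst
3560/3750 documentation, where it applies to non-IP frames only. All MAC and
IP addresses below are constructed test data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: str = "ip"            # "ip" or a non-IP type such as "arp"
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None

@dataclass
class Ace:
    """One access-list entry; src/dst are 'any', a CIDR prefix or a MAC."""
    action: str                      # "permit" or "deny"
    src: str
    dst: str

def _ip_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def _mac_match(spec: str, mac: str) -> bool:
    return spec == "any" or spec.lower() == mac.lower()

def ip_acl_permits(acl: List[Ace], frame: Frame) -> bool:
    """First matching entry wins, implicit deny at the end; for the VLAN map
    only a *permitted* packet counts as a match, a denied one falls through."""
    if frame.ethertype != "ip":
        return False
    for ace in acl:
        if _ip_match(ace.src, frame.src_ip) and _ip_match(ace.dst, frame.dst_ip):
            return ace.action == "permit"
    return False

def mac_acl_permits(acl: List[Ace], frame: Frame) -> bool:
    """Same first-match logic, but a MAC ACL in a VLAN map never sees IP
    frames (Catalyst 3560/3750), which is why an IP ping slips past it."""
    if frame.ethertype == "ip":
        return False
    for ace in acl:
        if _mac_match(ace.src, frame.src_mac) and _mac_match(ace.dst, frame.dst_mac):
            return ace.action == "permit"
    return False

@dataclass
class MapEntry:
    seq: int
    action: str                      # "drop" or "forward"
    ip_acl: Optional[List[Ace]] = None
    mac_acl: Optional[List[Ace]] = None

def vacl_action(entries: List[MapEntry], frame: Frame) -> str:
    for e in sorted(entries, key=lambda m: m.seq):
        if e.ip_acl is None and e.mac_acl is None:
            return e.action          # no match clause: matches every frame
        if e.ip_acl is not None and ip_acl_permits(e.ip_acl, frame):
            return e.action
        if e.mac_acl is not None and mac_acl_permits(e.mac_acl, frame):
            return e.action
    return "drop"                    # implicit drop: no sequence matched

# Rene's NOT-TO-SERVER map, with and without sequence 20 (server is .100).
ACL_100 = [Ace("permit", "any", "192.168.1.100/32")]
SEQ_10_ONLY = [MapEntry(10, "drop", ip_acl=ACL_100)]
NOT_TO_SERVER = SEQ_10_ONLY + [MapEntry(20, "forward")]

# Ronie's MAC-based map 'test1' (Computer B has MAC 0023.2343.5679).
MAC_TEST = [Ace("permit", "any", "0023.2343.5679")]
TEST1 = [MapEntry(10, "drop", mac_acl=MAC_TEST), MapEntry(20, "forward")]

# Constructed frames; the server MAC is made up for the example.
MAC_A, MAC_B, MAC_SRV = "0023.2343.5678", "0023.2343.5679", "0000.0c00.0100"
A_TO_SERVER = Frame(MAC_A, MAC_SRV, src_ip="192.168.1.1", dst_ip="192.168.1.100")
SERVER_TO_A = Frame(MAC_SRV, MAC_A, src_ip="192.168.1.100", dst_ip="192.168.1.1")
A_TO_B_PING = Frame(MAC_A, MAC_B, src_ip="192.168.1.1", dst_ip="192.168.1.2")
A_TO_B_ARP = Frame(MAC_A, MAC_B, ethertype="arp")            # unicast ARP
A_ARP_BCAST = Frame(MAC_A, "ffff.ffff.ffff", ethertype="arp")

def demo() -> Dict[str, str]:
    return {
        "seq 10 only, A -> server": vacl_action(SEQ_10_ONLY, A_TO_SERVER),
        "seq 10 only, A -> B ping": vacl_action(SEQ_10_ONLY, A_TO_B_PING),
        "seq 10+20, A -> server": vacl_action(NOT_TO_SERVER, A_TO_SERVER),
        "seq 10+20, server -> A": vacl_action(NOT_TO_SERVER, SERVER_TO_A),
        "seq 10+20, A -> B ping": vacl_action(NOT_TO_SERVER, A_TO_B_PING),
        "test1, A -> B ping": vacl_action(TEST1, A_TO_B_PING),
        "test1, A -> B unicast ARP": vacl_action(TEST1, A_TO_B_ARP),
        "test1, A broadcast ARP": vacl_action(TEST1, A_ARP_BCAST),
    }
```

Calling `demo()` shows that with sequence 10 alone even the A to B ping is dropped by the implicit drop at the end of the map, while with sequence 20 added only frames destined to 192.168.1.100 are dropped and the server's replies to 192.168.1.1 pass, since ACL 100 matches on the destination only. In the `test1` case the IP ping is forwarded because the MAC ACL is never consulted for IP frames, but a unicast ARP frame to Computer B's MAC is dropped and a broadcast ARP is forwarded.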