This topic is to discuss the following lesson:
Hi, just getting ready for CCNP Switch.
I was wondering, how do you edit / update VACLs?
Do you need to use a text editor like standard?
Reload the switch?
Examples of changing requirements: say, adding a new server 192.168.1.101.
Hi Geoff,
You can edit the access-list, no problem at all. I'm not 100% sure if it will be active right away or if you need to remove + add the VACL again before it is applied. If you want to know, I can try it and let you know the results.
Rene
Hi Rene,
I was trying to use a VACL with a mac access-list to prevent traffic from Computer A to Computer B. Both computers are connected directly to Switch A as follows:
Switch A
  Computer A: IP 192.168.1.1, MAC 0023.2343.5678
  Computer B: IP 192.168.1.2, MAC 0023.2343.5679
*******************************************************************
Configuration on Switch A:
mac access-list extended test
permit any host 0023.2343.5679
vlan access-map test1 10
match mac address test
action drop
vlan access-map test1 20
action forward
vlan filter test1 vlan-list 1
(knowing all switch ports are in the default VLAN 1)
*******************************************************************************
Testing
Once I tried to ping from Computer A to B, the ping request timed out 5 times, and after 5 times the ping started to reply successfully 8 times and was then blocked 5 times again. It keeps rotating like that.
***********************************************************
Do you know what I am missing? Please advise me. Thank you in advance.
Best Regards,
Ronie
wow, similar to route-map. awesome!
I have a question: in the 1st sentence you said that we can prevent both computers from communicating with the server by using "port security". Could you elaborate on how port-security will filter the traffic of the computers going to the server?
@Ronie I just did some testing and I'm also seeing strange results when using a mac access-list to filter MAC addresses. I used two routers and one 3560 switch. When I apply the vlan filter, the routers are still able to ping each other until I clear their ARP tables. Once I do that, they are unable to reach each other anymore since some of the ARP packets get filtered.
I would expect all traffic that matches one of the MAC addresses to be filtered but for whatever reason, it's acting weird.
@Frades you can use port security to set a limit on the number of MAC addresses or you can use it as a MAC address filter. The last option will do the job but it's not very secure, MAC addresses are easy to spoof.
Rene,
Great lesson, however I have a question. When we applied the filter to a certain VLAN, in the example it is VLAN 10, does it mean all traffic from VLAN 10 will be blocked? Please clarify.
Thanks
Hamood
Hi Hamood,
It will be applied to all traffic in VLAN 10, yes, depending on what you configured in the access-list.
Rene
Hi Rene,
I get some weird results when I try to configure a vlan access-map:
DSW1(config)#vlan access-map ?
DSW1(config)#vlan access-map
Command rejected: Bad VLAN list - character #1 is a non-numeric character ('a').
When I copy and paste your commands, it returns an "Invalid character detected".
I've tried this on switches running SW version 12.1 and 15.0, both do the same.
Any ideas?
Regards,
Hans de Roode
Hi Hans,
What device/IOS are you using? It seems it doesn't know the vlan access-map command. Instead it thinks you want to create a VLAN called "a" (the first letter it finds), which returns an error since VLAN IDs can only be numbers.
Here's the output of a switch that does support it:
Switch(config)#vlan ?
WORD ISL VLAN IDs 1-4094
access-log Configure VACL logging
access-map Create vlan access-map or enter vlan access-map command mode
accounting VLAN accounting configuration
configuration vlan feature configuration mode
filter Apply a VLAN Map
group Create a vlan group
internal internal VLAN
Above you can see it supports vlan access-maps.
Switch(config)#vlan access-map ?
WORD Vlan access map tag
Switch(config)#vlan access-map TEST
Switch(config-access-map)#
Rene
Hi Rene,
I'm using a 2950 with SW version 12.1 and an IE200 with SW version 15.0, and neither has the access-map command.
I just tried an IE3000 and that one has the access-map command.
Problem solved, it's model related.
Thank you for your help.
Regards,
Hans de Roode.
Private VLANs can also achieve the same goal, can't they? What would be different from the design point of view?
It seems like a VACL is more flexible when it comes to specific traffic requirements. Thanks Rene
Hi Jie,
Private VLANs allow you to restrict traffic between VLANs or when you use the isolated VLAN, it prevents hosts within the VLAN from communicating with each other (similar to the protected port).
The VLAN access-list allows you to filter specific traffic within a VLAN.
Rene
Rene, Do you have a lesson on Port ACLs (PACL)?
Hi Jason,
Not yet, but let me show you something here. A port ACL is a standard, extended or MAC access-list that is applied to a L2 switchport. For example:
Switch(config)#ip access-list extended PERMIT_EVERYTHING
Switch(config-ext-nacl)#permit ip any any
Switch(config)#interface GigabitEthernet 0/1
Switch(config-if)#ip access-group PERMIT_EVERYTHING in
Or if you want to filter MAC addresses:
Switch(config)#mac access-list extended SOURCE_MAC
Switch(config-ext-macl)#permit host fa16.3e0d.b11f any
Switch(config)#interface GigabitEthernet 0/2
Switch(config-if)#mac access-group SOURCE_MAC in
Rene
If we want to drop Computer A and B from accessing the server… I get that we create a permit ACL (100) and anything that matches it is dropped with VACL 10… But what is the point of VACL 20? With the way VACL 10 is written… not only will Computer A and B be dropped… but Computer C, Computer D, Computer E, etc. will be dropped as well. Why do we have to have a "forward all other traffic" clause? There's nothing to forward because all source IPs wanting to reach the server will be dropped… why do you have to follow it up with VACL 20?
Let's say there was also a Computer C 192.168.1.3 and a Computer D 192.168.1.4, etc… And we want Computer C and Computer D etc. to reach the server. We only want Computer A and B to be denied (dropped) as you have shown…
I think I understand that access-list 100 is what matches us to the server… and the "action drop" will drop Computer A and B from accessing the server… But what about access-list 100 or the match statement defines just Computer A and B? How do you differentiate between Computer A & B… and the rest?
Hi Jason,
Let's look at the VACL:
SwitchA(config)#access-list 100 permit ip any host 192.168.1.100
SwitchA(config)#vlan access-map NOT-TO-SERVER 10
SwitchA(config-access-map)#match ip address 100
SwitchA(config-access-map)#action drop
SwitchA(config-access-map)#vlan access-map NOT-TO-SERVER 20
SwitchA(config-access-map)#action forward
Thanks to statement 10, all traffic with destination 192.168.1.100 will be dropped. This includes any device in the 192.168.1.0/24 subnet. So far so good.
If you don't add statement 20 then ALL traffic will be dropped. For example, when 192.168.1.1 tries to reach 192.168.1.2, it would be dropped. That's why we added statement 20.
If you only want to prevent Computer A + B from reaching the server then you could specify these IP addresses in the access-list. However, since IP addresses are easy to change it would probably be better to create more separation by adding another VLAN. Use one VLAN where hosts are allowed to reach the server, another one where it's not allowed, and use access-lists on the SVI interfaces instead.
Rene
ACLs and route maps are my biggest struggle in my network studies. I understand your first sentence about statement 10. Your second sentence about statement 20 is confusing.
"If you don't add statement 20 then ALL traffic will be dropped. For example, when 192.168.1.1 tries to reach 192.168.1.2, it would be dropped. That's why we added statement 20"
Why would that be the case? The access-list and statement 10 are very specific in saying: if any host tries to reach 192.168.1.100 (the server), DROP IT. That being the case… why wouldn't 192.168.1.1 be able to reach 192.168.1.2? I don't see how all traffic is dropped when we are so specific with the creation of the ACL for 192.168.1.100.
Hi Jason,
This is because the default action is always to drop the traffic. Without that second statement, the default action will be drop. That's why I added it. Since statement 20 has no match statement, all remaining traffic matches it and is forwarded.
The same thing applies to normal access-lists. Everything you don't permit is denied by the invisible "deny any" at the bottom of the access-list.
Rene
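A small model of how the NOT-TO-SERVER access-map above is evaluated, added here as an example and not part of the original thread or the lesson. It assumes the semantics Rene describes (clauses tried in sequence order, first match wins, implicit drop when nothing matches) and the ACL_AB_ONLY variant is a constructed illustration of his "specify these IP addresses" suggestion.

```python
# Added example, not from the thread: a minimal model of how a VLAN access-map
# evaluates a packet, using the access-list and addresses from the discussion.
# Assumptions: clauses are tried in sequence order, the first matching clause
# wins, and a packet that matches no clause gets the implicit action "drop".
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Ace:
    """One 'permit ip <src> <dst>' line of an extended IP access-list."""
    src: str  # "any", "host a.b.c.d" or "a.b.c.d/prefixlen"
    dst: str


def _spec_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(addr) == ip_address(spec[5:])
    return ip_address(addr) in ip_network(spec, strict=False)


def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    """An access-list used by 'match' matches when any permit line matches."""
    return any(_spec_matches(a.src, src) and _spec_matches(a.dst, dst) for a in acl)


@dataclass
class Clause:
    seq: int
    action: str                            # "drop" or "forward"
    match_acl: Optional[List[Ace]] = None  # None: no match statement, matches all


def vacl_action(clauses: List[Clause], src: str, dst: str) -> str:
    """Return the action the access-map applies to a packet from src to dst."""
    for clause in sorted(clauses, key=lambda c: c.seq):
        if clause.match_acl is None or acl_permits(clause.match_acl, src, dst):
            return clause.action
    return "drop"  # implicit deny at the end of the map, as Rene explains


# access-list 100 permit ip any host 192.168.1.100
ACL_100 = [Ace("any", "host 192.168.1.100")]
# NOT-TO-SERVER as written in the thread: clause 10 drop, clause 20 forward
NOT_TO_SERVER = [Clause(10, "drop", ACL_100), Clause(20, "forward")]
# The same map with clause 20 left out: everything else hits the implicit drop
ONLY_CLAUSE_10 = [Clause(10, "drop", ACL_100)]
# Constructed variant that names only Computer A and B, as Rene suggests
ACL_AB_ONLY = [Ace("host 192.168.1.1", "host 192.168.1.100"),
               Ace("host 192.168.1.2", "host 192.168.1.100")]
AB_NOT_TO_SERVER = [Clause(10, "drop", ACL_AB_ONLY), Clause(20, "forward")]
```

Only permit lines are modelled; a deny line in a matched ACL (which on IOS makes the packet fall through to the next clause) is left out for brevity.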