VLAN Access-List (VACL)

This topic is to discuss the following lesson:

Hi, just getting ready for CCNP Switch.

I was wondering, how do you edit / update VACLs?
Do you need to use a text editor like standard?
Reload the switch?

An example of changing requirements: say we add a new server, 192.168.1.101.

1 Like

Hi Geoff,

You can edit the access-list, no problem at all. I'm not 100% sure if it will be active right away or if you need to remove + add the VACL again before it is applied. If you want to know, I can try it and let you know the results.

Rene

Hi Rene,

I was trying to use the VACL with a mac access-list to prevent traffic from Computer A to Computer B. Both computers are connected directly to Switch A as follows:

Switch A
  |-- Computer A: IP 192.168.1.1, MAC 0023.2343.5678
  |-- Computer B: IP 192.168.1.2, MAC 0023.2343.5679

*******************************************************************

Configuration on Switch A,

mac access-list extended test
 permit any host 0023.2343.5679
vlan access-map test1 10
 match mac address test
 action drop
vlan access-map test1 20
 action forward
vlan filter test1 vlan-list 1   (all switch ports are in the default VLAN 1)

*******************************************************************************

Testing

Once I tried to ping from Computer A to B, the ping request timed out 5 times, and after those 5 times the ping started to reply successfully 8 times, then was blocked 5 times again. It keeps rotating like that.

***********************************************************

Do you know what I am missing? Please advise. Thank you in advance.

Best Regards,

Ronie

Wow, similar to a route-map. Awesome!

I have a question: in the first sentence you said that we can prevent both computers from communicating with the server by using "port security". Could you elaborate on how port security will filter the traffic of the computers going to the server?

@Ronie I just did some testing and I'm also seeing strange results when using a mac access-list to filter MAC addresses. I used two routers and one 3560 switch. When I apply the vlan filter, the routers are still able to ping each other until I clear their ARP tables. Once I do that, they are unable to reach each other anymore since some of the ARP packets get filtered.

I would expect all traffic that matches one of the MAC addresses to be filtered, but for whatever reason it's acting weird.

@Frades you can use port security to set a limit on the number of MAC addresses, or you can use it as a MAC address filter. The last option will do the job but it's not very secure; MAC addresses are easy to spoof.

Rene,

Great lesson, however I have a question. When we apply a filter to a certain VLAN (in the example it is VLAN 10), does it mean all traffic from VLAN 10 will be blocked? Please clarify.

Thanks

Hamood

Hi Hamood,

Yes, it will be applied to all traffic in VLAN 10, depending on what you configured in the access-list.

Rene

Hi Rene,

I have some weird results when I try to configure a vlan access-map:

DSW1(config)#vlan access-map ?

DSW1(config)#vlan access-map
Command rejected: Bad VLAN list - character #1 is a non-numeric
character ('a').

When I copy and paste your commands, it returns an "Invalid character detected".
I've tried this on a switch running SW version 12.1 and 15.0; both do the same.

Any ideas?

Regards,

Hans de Roode

Hi Hans,

What device/IOS are you using? It seems it doesn't know the vlan access-map command. Instead it thinks you want to create a VLAN called 'a' (first letter it finds) which returns an error since VLANs can only have numbers.

Here's the output of a switch:

Switch(config)#vlan ?
  WORD           ISL VLAN IDs 1-4094
  access-log     Configure VACL logging
  access-map     Create vlan access-map or enter vlan access-map command mode
  accounting     VLAN accounting configuration
  configuration  vlan feature configuration mode
  filter         Apply a VLAN Map
  group          Create a vlan group
  internal       internal VLAN

Above you can see it supports vlan access-maps.

Switch(config)#vlan access-map ?
  WORD  Vlan access map tag
Switch(config)#vlan access-map TEST
Switch(config-access-map)#

Rene

1 Like

Hi Rene,
I'm using a 2950 with SW version 12.1 and an IE200 with SW version 15.0, and neither has the access-map command.
I just tried an IE3000 and that one has the access-map command.

Problem solved, it's model related.

Thank you for your help.
Regards,
Hans de Roode.

1 Like

A private VLAN can also achieve the same goal, can't it? What could be different from the design point of view?

It seems like a VACL is more flexible when it comes to specific traffic requirements. Thanks Rene

Hi Jie,

Private VLANs allow you to restrict traffic between VLANs or when you use the isolated VLAN, it prevents hosts within the VLAN from communicating with each other (similar to the protected port).

The VLAN access-list allows you to filter specific traffic within a VLAN.

Rene

1 Like

Rene, Do you have a lesson on Port ACLs (PACL)?

1 Like

Hi Jason,

Not yet, but let me show you something here. A Port ACL is a standard, extended or MAC access-list that is applied to an L2 switchport. For example:

Switch(config)#ip access-list extended PERMIT_EVERYTHING
Switch(config-ext-nacl)#permit ip any any

Switch(config)#interface GigabitEthernet 0/1
Switch(config-if)#ip access-group PERMIT_EVERYTHING in

Or if you want to filter MAC addresses:

Switch(config)#mac access-list extended SOURCE_MAC
Switch(config-ext-macl)#permit host fa16.3e0d.b11f any

Switch(config)#interface GigabitEthernet 0/2
Switch(config-if)#mac access-group SOURCE_MAC in

Rene

2 Likes

If we want to drop Computer A and B from accessing the server… I get that we create a permit ACL (100) and anything that matches it is dropped with VACL 10… But what is the point of VACL 20? With the way VACL 10 is written… not only will Computer A and B be dropped… but Computer C, Computer D, Computer E, etc. will be dropped as well. Why do we have to have a "forward all other traffic" list? There's nothing to forward because all source IPs wanting to reach the server will be dropped… why do you have to follow it up with VACL 20?

Let's say there was also a Computer C 192.168.1.3 and a Computer D 192.168.1.4, etc… And we want Computer C and Computer D etc. to reach the server. We only want Computer A and B to be denied (dropped) as you have shown…

I think I understand the access-list 100 is what matches us to the server… and the "action drop" will drop Computer A and B from accessing the server… But where in access-list 100 or the match statement is just Computer A and B defined? How do you differentiate between Computer A & B… and the rest?

Hi Jason,

Let's look at the VACL:

SwitchA(config)#access-list 100 permit ip any host 192.168.1.100

SwitchA(config)#vlan access-map NOT-TO-SERVER 10
SwitchA(config-access-map)#match ip address 100
SwitchA(config-access-map)#action drop
SwitchA(config-access-map)#vlan access-map NOT-TO-SERVER 20
SwitchA(config-access-map)#action forward

Thanks to statement 10, all traffic with destination 192.168.1.100 will be dropped. This includes any device in the 192.168.1.0/24 subnet. So far so good.

If you don't add statement 20 then ALL traffic will be dropped. For example, when 192.168.1.1 tries to reach 192.168.1.2, it would be dropped. That's why we added statement 20.

If you only want to prevent Computer A + B from reaching the server then you could specify these IP addresses in the access-list. However, since IP addresses are easy to change it would probably be better to create more separation by adding another VLAN. Use one VLAN where hosts are allowed to reach the server, another one where it's not allowed, and use access-lists on the SVI interfaces instead.

Rene

ACLs and route-maps are my biggest struggle in my network studies. I understand your first sentence about statement 10. Your second sentence about statement 20 is confusing:
"If you don't add statement 20 then ALL traffic will be dropped. For example, when 192.168.1.1 tries to reach 192.168.1.2, it would be dropped. That's why we added statement 20."
Why would that be the case? The access-list and statement 10 are very specific in saying if any host tries to reach 192.168.1.100 (the server) – DROP IT. That being the case… why wouldn't 192.168.1.1 be able to reach 192.168.1.2? I don't see how all traffic is dropped when we are so specific with the creation of the ACL for 192.168.1.100.

Hi Jason,

This is because the default action is always to drop the traffic. Without that second statement, the default action will be drop. That's why I added it. Without any access-list in statement 20, all remaining traffic is permitted.

The same thing applies to normal access-lists. Everything you don't permit is denied by the invisible "deny any" at the bottom of the access-list.

Rene

1 Like
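To make the sequence 10 / sequence 20 logic and the implicit default drop from the two answers above concrete, here is a small Python model of how a VACL evaluates a packet. It is an added example written for this thread, not code from the lesson or from Cisco IOS; it models IP flows only, and the flow pairs it checks are constructed from the addresses used in the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed model of VACL evaluation: sequences are checked in ascending
# order, the first sequence whose ACL matches decides the action, and a
# packet that matches no sequence is dropped (the implicit default action).
# A sequence with no match clause matches every packet.

def _in(ip: str, spec: str) -> bool:
    """'any' or a host/prefix in CIDR form."""
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)

@dataclass
class Ace:
    """One permit line of an extended IP access-list (src, dst)."""
    src: str
    dst: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return _in(src_ip, self.src) and _in(dst_ip, self.dst)

@dataclass
class Sequence:
    """One 'vlan access-map NAME SEQ' entry; acl=None means no match clause."""
    seq: int
    action: str                     # "drop" or "forward"
    acl: Optional[List[Ace]] = None

def evaluate(access_map: List[Sequence], src_ip: str, dst_ip: str) -> str:
    for s in sorted(access_map, key=lambda e: e.seq):
        if s.acl is None or any(a.matches(src_ip, dst_ip) for a in s.acl):
            return s.action
    return "drop"                   # nothing matched: VACL default action

# The thread's config: access-list 100 permit ip any host 192.168.1.100
ACL_100 = [Ace("any", "192.168.1.100/32")]
NOT_TO_SERVER = [Sequence(10, "drop", ACL_100), Sequence(20, "forward")]
# The same map with sequence 20 left out, as asked about above
WITHOUT_SEQ_20 = [Sequence(10, "drop", ACL_100)]
# Variant from the last paragraph: only Computer A and B are denied
ACL_AB = [Ace("192.168.1.1/32", "192.168.1.100/32"),
          Ace("192.168.1.2/32", "192.168.1.100/32")]
ONLY_A_B = [Sequence(10, "drop", ACL_AB), Sequence(20, "forward")]

def demo() -> dict:
    """Verdicts for the flows discussed in the thread (constructed)."""
    return {
        "A->server":        evaluate(NOT_TO_SERVER, "192.168.1.1", "192.168.1.100"),
        "A->B":             evaluate(NOT_TO_SERVER, "192.168.1.1", "192.168.1.2"),
        "A->B, no seq 20":  evaluate(WITHOUT_SEQ_20, "192.168.1.1", "192.168.1.2"),
        "C->server, A/B only denied": evaluate(ONLY_A_B, "192.168.1.3", "192.168.1.100"),
    }
```

Running `demo()` shows the host-to-host flow forwarded only when sequence 20 is present, and the narrower ACL letting Computer C reach the server while A and B are still dropped.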