VLAN Access-List (VACL)


(Rene Molenaar) #10

Hi Hans,

What device/IOS are you using? It seems it doesn’t know the vlan access-map command. Instead it thinks you want to create a VLAN called ‘a’ (first letter it finds) which returns an error since VLANs can only have numbers.

Here’s the output of a switch:

Switch(config)#vlan ?
  WORD           ISL VLAN IDs 1-4094
  access-log     Configure VACL logging
  access-map     Create vlan access-map or enter vlan access-map command mode
  accounting     VLAN accounting configuration
  configuration  vlan feature configuration mode
  filter         Apply a VLAN Map
  group          Create a vlan group
  internal       internal VLAN

Above you can see it supports vlan access-maps.

Switch(config)#vlan access-map ?
  WORD  Vlan access map tag
Switch(config)#vlan access-map TEST
Switch(config-access-map)#

Rene


(Hans d) #11

Hi Rene,
I’m using a 2950 with SW version 12.1 and an IE200 with SW version 15.0, and neither has the access-map command.
I just tried an IE3000 and that one has the access-map command.

Problem solved, it’s model related.

Thank you for your help.
Regards,
Hans de Roode.


(Jie C) #12

Private VLANs can also achieve the same goal, can’t they? What could be different from the design point of view?


(Jie C) #13

It seems like a VACL is more flexible when it comes to specific traffic requirements. Thanks Rene.


(Rene Molenaar) #14

Hi Jie,

Private VLANs allow you to restrict traffic between VLANs or when you use the isolated VLAN, it prevents hosts within the VLAN from communicating with each other (similar to the protected port).

The VLAN access-list allows you to filter specific traffic within a VLAN.

Rene


(Jason W) #15

Rene, Do you have a lesson on Port ACLs (PACL)?


(Rene Molenaar) #16

Hi Jason,

Not yet, but let me show you something here. A Port ACL is a standard, extended or MAC access-list that is applied to a L2 switchport. For example:

Switch(config)#ip access-list extended PERMIT_EVERYTHING
Switch(config-ext-nacl)#permit ip any any

Switch(config)#interface GigabitEthernet 0/1
Switch(config-if)#ip access-group PERMIT_EVERYTHING in

Or if you want to filter MAC addresses:

Switch(config)#mac access-list extended SOURCE_MAC
Switch(config-ext-macl)#permit host fa16.3e0d.b11f any

Switch(config)#interface GigabitEthernet 0/2
Switch(config-if)#mac access-group SOURCE_MAC in

Rene


(Jason W) #17

If we want to drop Computer A and B from accessing the server…. I get that we create a permit ACL (100) and anything that matches it is dropped with VACL 10…. But what is the point of VACL 20? With the way VACL 10 is written… not only will computer A and B be dropped… but computer C, computer D, computer E, etc. etc. will be dropped as well. Why do we have to have a “forward all other traffic” list? There’s nothing to forward because all source IPs wanting to reach the server will be dropped……why do you have to follow it up with VACL 20?

Let’s say there was also a computer C 192.168.1.3 and a computer D 192.168.1.4 etc. etc.…… And we want computer C and computer D etc. to reach the server. We only want computer A and B to be denied (dropped) as you have shown…

I think I understand that access-list 100 is what matches us to the server… and the “action drop” will drop computer A and B from accessing the server…. But what about access-list 100 or the match statement defines just computer A and B? How do you differentiate between Computer A & B… and the rest?


(Rene Molenaar) #18

Hi Jason,

Let’s look at the VACL:

SwitchA(config)#access-list 100 permit ip any host 192.168.1.100

SwitchA(config)#vlan access-map NOT-TO-SERVER 10
SwitchA(config-access-map)#match ip address 100
SwitchA(config-access-map)#action drop
SwitchA(config-access-map)#vlan access-map NOT-TO-SERVER 20
SwitchA(config-access-map)#action forward

Thanks to statement 10, all traffic with destination 192.168.1.100 will be dropped. This includes any device in the 192.168.1.0/24 subnet. So far so good.

If you don’t add statement 20 then ALL traffic will be dropped. For example, when 192.168.1.1 tries to reach 192.168.1.2, it would be dropped. That’s why we added statement 20.

If you only want to prevent ComputerA + B from reaching the server then you could specify these IP addresses in the access-list. However, since IP addresses are easy to change it would probably be better to create more separation by adding another VLAN. Use one VLAN where hosts are allowed to reach the server, another one where it’s not allowed and use access-lists on the SVI interfaces instead.

Rene


(Jason W) #19

ACLs and Route Maps are my biggest struggle in my network studies. I understand your first sentence about statement 10. Your second sentence about statement 20 is confusing.
“If you don’t add statement 20 then ALL traffic will be dropped. For example, when 192.168.1.1 tries to reach 192.168.1.2, it would be dropped. That’s why we added statement 20”
Why would that be the case? The access-list and statement 10 are very specific in saying if any host tries to reach 192.168.1.100 (the server) – DROP IT. That being the case…. why would 192.168.1.1 not be able to reach 192.168.1.2? I don’t see how all traffic is dropped when we are so specific with the creation of the ACL for 192.168.1.100.


(Rene Molenaar) #20

Hi Jason,

This is because the default action is always to drop the traffic. Without that second statement, the default action will be drop. That’s why I added it. Without any access-list in statement 20, all remaining traffic is permitted.

The same thing applies to normal access-lists. Everything you don’t permit is denied by the invisible “deny any” at the bottom of the access-list.

Rene


(AKHIL P) #21

Can you explain to me what a VLAN access map is?


(Lazaros Agapides) #22

Hello Akhil

A VLAN Access Map is a data structure used in the application of VACLs. Specifically, it matches specific criteria and defines an action to take. An example is the following:

Router(config)# vlan access-map thor 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action forward
Router(config-access-map)# exit
Router(config)#

Once the VLAN access map is created it does nothing. It is not in effect until it has been applied to specific VLANs. This can be done with the following command for example:

Router(config)# vlan filter thor vlan-list 12-16

This command takes the VLAN access map and applies it to VLANs 12 to 16.

I hope this has been helpful!

Laz
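To make the two points from earlier in this thread concrete (Rene’s #18/#20: a packet matches a sequence only when the referenced ACL permits it, and an access-map ends in an implicit drop, so the match-less sequence 20 is what lets the rest of the VLAN’s traffic through), together with the vlan filter binding Laz shows above, here is an added Python model of the evaluation. It is written for this thread and is not Cisco IOS code or anything from the lesson; the ACL, the NOT-TO-SERVER map and the 12-16 VLAN list are taken from the posts, while the data classes, the source/destination-only matching and the helper names are constructed simplifications (no protocol or port matching).

```python
"""Constructed model of how a Cisco IOS VLAN access-map is evaluated.
Illustrative code written for this thread; it is not IOS code and it
only models IP source/destination matching."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class AclEntry:
    """One line of an IP ACL, e.g. 'permit ip any host 192.168.1.100'."""
    action: str   # "permit" or "deny"
    src: str      # "any" or a prefix such as "192.168.1.0/24" (a host is a /32)
    dst: str


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def acl_lookup(acl: list[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; the invisible 'deny any' at the bottom
    catches everything the ACL does not explicitly permit."""
    for entry in acl:
        if _addr_matches(entry.src, src) and _addr_matches(entry.dst, dst):
            return entry.action
    return "deny"


@dataclass
class MapSequence:
    """One 'vlan access-map NAME SEQ' clause."""
    seq: int
    action: str                                  # "drop" or "forward"
    match_acl: Optional[list[AclEntry]] = None   # None = no match statement = matches everything


def access_map_decision(sequences: list[MapSequence], src: str, dst: str) -> str:
    """Sequences are tried in numerical order. A packet matches a sequence
    when the referenced ACL permits it (a deny in the ACL means 'try the
    next sequence'). If no sequence matches, the default action is drop."""
    for s in sorted(sequences, key=lambda s: s.seq):
        if s.match_acl is None or acl_lookup(s.match_acl, src, dst) == "permit":
            return s.action
    return "drop"


def apply_vlan_filter(sequences: list[MapSequence], vlan_list) -> dict[int, list[MapSequence]]:
    """Equivalent of 'vlan filter NAME vlan-list 12-16': binds one map to each VLAN."""
    return {vlan: sequences for vlan in vlan_list}


def switch_decision(vlan_filters: dict[int, list[MapSequence]], vlan: int, src: str, dst: str) -> str:
    """A VLAN with no filter applied forwards everything; otherwise its map decides."""
    if vlan not in vlan_filters:
        return "forward"
    return access_map_decision(vlan_filters[vlan], src, dst)


# Constructed configuration mirroring the thread's example:
#   access-list 100 permit ip any host 192.168.1.100
#   vlan access-map NOT-TO-SERVER 10 / match ip address 100 / action drop
#   vlan access-map NOT-TO-SERVER 20 / action forward
ACL_100 = [AclEntry("permit", "any", "192.168.1.100/32")]
NOT_TO_SERVER = [
    MapSequence(10, "drop", ACL_100),
    MapSequence(20, "forward"),
]
NOT_TO_SERVER_WITHOUT_20 = NOT_TO_SERVER[:1]   # the map as Jason imagined it


def demo() -> dict[str, str]:
    """Returns the verdict for a few constructed frames in VLAN 12 (filtered) and VLAN 20 (unfiltered)."""
    filters = apply_vlan_filter(NOT_TO_SERVER, range(12, 17))
    filters_no20 = apply_vlan_filter(NOT_TO_SERVER_WITHOUT_20, range(12, 17))
    return {
        "A_to_server": switch_decision(filters, 12, "192.168.1.1", "192.168.1.100"),
        "A_to_B": switch_decision(filters, 12, "192.168.1.1", "192.168.1.2"),
        "A_to_B_without_seq20": switch_decision(filters_no20, 12, "192.168.1.1", "192.168.1.2"),
        "A_to_server_unfiltered_vlan": switch_decision(filters, 20, "192.168.1.1", "192.168.1.100"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30} -> {verdict}")
```

Running it shows the three outcomes the thread argues about: host-to-server traffic is dropped by sequence 10, host-to-host traffic in the same VLAN is forwarded only because sequence 20 exists, and the same host-to-host frame is dropped by the implicit default when sequence 20 is removed. Frames in a VLAN the map was never applied to are untouched, which is the point of the separate vlan filter step.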


(Trash89) #23

Hi, my topology is two routers with L2 switch in the middle.

I applied your method for blocking IPv6 on the switch with the hope that the IPv6 client won’t get an IPv6 address from the IPv6 server, because IPv6 should be blocked, but R3 got it anyway.

Why?


(Rene Molenaar) #24

Hmm you used the same config as mine? What switch and IOS version did you use?


(Brian C) #25

I removed my first question as I glossed over something that was stated that explained my question.

It has to do with why there is no match on sequence 20. However, I then saw this:

• Sequence number 20 doesn’t have a match statement so everything will match, the action is to forward traffic.
As a result all traffic from any host to destination IP address 192.168.1.100 will be dropped, everything else will be forwarded.

which is actually pretty interesting.

**also second question.**

Access-lists make devices work harder, correct? Meaning more CPU work? So having a lot of them can be a bad thing from a design point of view if not careful, meaning we want to stay away from them unless we have to have them. Would the same apply to VACLs?

I read about that in a QoS post you had talking about classification and markings and how markings are better because classification which was ACL can make the devices work harder.

The reason that we use marking is that sometimes classification requires some complex access-lists / rules and can degrade performance on the router or switch that is doing classification. In the example above, the router receives marked packets so it doesn’t have to do complex classification using access-lists like the switch. It will still do classification but only has to look for marked packets.

Half way down page: https://networklessons.com/quality-of-service/introduction-qos-quality-service/


(Lazaros Agapides) #26

Hello Brian

It is true that both an access list and a VACL will use up more resources (CPU, memory, etc.) of a device. And yes, this is why marking can be used instead of classification to avoid using ACLs in order to improve resource usage. However, this is an alternative for a very specific situation, specifically QoS. VACLs filter traffic within a VLAN, something that cannot be done in another way. However, keep in mind that you would require hundreds of VACLs and lots of traffic in order to reach the point of saturating the resources of a device.

I hope this has been helpful!

Laz


(Brian C) #27

As always your answer is very helpful on this and the other posts you have made to help explain. You have been really active on the forums of late helping out and it’s very appreciated!


(Arindom N) #28

Hi Rene,
I am trying to find out about VXLAN at all levels like CCNA, CCNP or CCIE, but I am not able to find it in any of your lessons, so do you have any document of your own on VXLAN? I see some topics on Google but they’re not good. Actually one of my team mates wants to know about this but I can’t help him, and I am also interested to know about this…

So do you have any documents on this?

Thanks & Regards,
Arindom
India


(Lazaros Agapides) #29

Hello Arindom

There are currently no VXLAN lessons on the Networklessons site; however, as you can see from the new lessons that are coming out below, Rene continually updates content and adds materials.

I suggest you go to the Member Ideas section and post a recommendation to add VXLAN as course content.

In the meantime, @ReneMolenaar may have something more specific for you to take a look at.

I hope this has been helpful!

Laz