Cisco devices offer rich features for traffic filtering. The classic access control list (ACL) is a core mechanism on Cisco network devices (routers, switches, etc.) used primarily for traffic filtering.
In this article we will look at another type of ACL, the VLAN Access Control List (VACL), which works slightly differently from a classic ACL.
When setting up any network, you need complete control over the traffic entering and leaving it. In most cases, filtering is used to allow or deny specific routed traffic from one Layer 3 subnet to another Layer 3 subnet.
Typically this type of filtering is controlled by ACLs that filter routed traffic (i.e. traffic between different Layer 3 networks).
What if we want to control traffic flow within the same VLAN (the same Layer 3 network)? This can be achieved with a VACL (VLAN Access Control List), which can block or allow traffic flows within the same VLAN.
VACLs are supported on Cisco Layer 3 switches. In this article, we will look at two simple filtering examples:
1. Traffic filtering on a Layer 3 switch using a classic ACL to control traffic between Layer 3 networks.
2. Traffic filtering on a Layer 3 switch using a VLAN ACL (VACL) to control traffic within the same Layer 3 network (VLAN).
I. Traffic filtering using classic ACLs on Cisco Layer 3 switches
As you learned in CCNA, you can filter traffic using ACLs, which come in two kinds:
- Standard ACL: matches on the source IP address only.
- Extended ACL: matches on both source/destination IP addresses and ports.
Filtering can also be done using prefix lists and route maps.
In this first simple ACL filtering example, the requirement is to block telnet traffic from Host1 to Host2. To achieve this, we will use an extended ACL applied inbound on one of the switched virtual interfaces (SVIs) of the Layer 3 switch (interface vlan 10), as shown below.
First, verify connectivity between the hosts before applying the ACL:
H1#ping 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
H1#telnet 172.16.0.1
Trying 172.16.0.1 … Open
User Access Verification
Username:
As shown above, the two hosts can reach each other. We will now use ACL filtering to block specifically the telnet session from Host1 to Host2, with the ACL applied inbound on the SVI for VLAN 10 of the Layer 3 switch.
NOTE:
An ACL applied in the inbound direction on the SVI (interface vlan 10) filters traffic entering the switch from hosts connected to VLAN 10 ports.
Configuration on the Cisco Layer 3 switch to block telnet from Host1 to Host2:
1. Configure an ACL on the switch to block telnet
ip access-list extended Block_Telnet
 deny tcp host 192.168.1.1 host 172.16.0.1 eq 23
 permit ip any any
2. Apply the ACL to the SVI of the switch
interface Vlan10
 description to Host1
 ip address 192.168.1.2 255.255.255.0
 ip access-group Block_Telnet in
interface Vlan20
 description to Host2
 ip address 172.16.0.2 255.255.255.0
3. Verify
H1#telnet 172.16.0.1
Trying 172.16.0.1 ….
% Connection timed out; remote host not responding
–> As you can see, the telnet traffic has been blocked, while the ping (ICMP) traffic is still allowed by the "permit ip any any" entry.
II. Filter traffic using VACL on Cisco Layer3 Switches
Classic ACLs use source and/or destination IP addresses and ports to directly match the packets to be filtered.
A VACL is different: it is used in switched networks where you want to filter traffic within a VLAN. A VACL is logically similar to a route map, but instead of "route-map" entries it contains "access-map" entries.
Each access-map entry contains a match statement (referencing a regular ACL) and an action that forwards or drops the matching traffic.
Each access-map entry can have its own match statement, and the entries are processed in order of their sequence numbers (10, 20, ... in the example below).
Just like a normal route map, there is an implicit deny-all at the end, so be sure to create a final access-map entry that forwards all other traffic.
As shown in the diagram, we have two hosts in the same VLAN 100 (and the same Layer 3 subnet 192.168.1.0/24) connected to the same Layer 3 switch. We want to restrict telnet access from Host1 to Host2.
First, verify connectivity between the two hosts before applying the VACL:
H1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
H1#telnet 192.168.1.2
Trying 192.168.1.2… Open
User Access Verification
Username:
Configure a VACL on the Layer 3 switch to block telnet from Host1 to Host2
1. Configure an ACL that matches telnet traffic from Host1 to Host2.
SW-L3-TGM(config)#ip access-list extended Block_Telnet
SW-L3-TGM(config-ext-nacl)#permit tcp host 192.168.1.1 host 192.168.1.2 eq 23
SW-L3-TGM(config-ext-nacl)#exit
2. Configure the VLAN access-map (the VACL)
SW-L3-TGM(config)#vlan access-map VACL_Block_Telnet 10
SW-L3-TGM(config-access-map)#action drop
SW-L3-TGM(config-access-map)#match ip address Block_Telnet
SW-L3-TGM(config-access-map)#vlan access-map VACL_Block_Telnet 20
SW-L3-TGM(config-access-map)#action forward
SW-L3-TGM(config-access-map)#exit
Note:
– The ACL in Step 1 contains a "permit" statement for telnet traffic from Host1 to Host2. This does NOT mean we allow telnet.
– Inside a VACL, "permit" in the referenced ACL only selects (matches) the traffic; the matched telnet traffic from Host1 to Host2 is then dropped by the "action drop" command of the access-map entry (see Step 2).
3. Apply the VACL to the VLAN
SW1(config)#vlan filter VACL_Block_Telnet vlan-list 100
4. Verify
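To make the two evaluation orders concrete, the following Python model is added for this article; it is not Cisco code and not part of the original post. It models how an interface ACL (section I) and a VLAN access-map (section II) decide a packet's fate, assuming a simplified ACE syntax that covers only what the article uses (host, any, eq <port>, ip), the host addresses and ACL names from the article, and helper names (Packet, Ace, acl_lookup, interface_acl_forwards, vacl_forwards) that are this example's own. It also demonstrates the implicit-deny caveat from the text: the same access-map without the sequence-20 "action forward" entry drops the port-80 traffic that the article's verification shows working.

```python
"""Toy evaluator for Cisco extended ACLs and VLAN access-maps (VACLs).

Added example for this article; not Cisco code. It models only the subset
of ACL syntax the article uses: host/any addresses, 'eq <port>', and 'ip'.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                      # source IPv4 address
    dst: str                      # destination IPv4 address
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port for tcp/udp


@dataclass(frozen=True)
class Ace:
    """One access-control entry, e.g. 'deny tcp host A host B eq 23'."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: str                      # "any" or a single host address
    dst: str                      # "any" or a single host address
    dport: Optional[int] = None   # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and (self.src == "any" or self.src == pkt.src)
                and (self.dst == "any" or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


def acl_lookup(acl: List[Ace], pkt: Packet) -> str:
    """First-match evaluation with the implicit 'deny ip any any' at the end."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


def interface_acl_forwards(acl: List[Ace], pkt: Packet) -> bool:
    """Section I: an ACL applied with 'ip access-group ... in' on an SVI.
    The matching ACE's own action decides whether the packet is forwarded."""
    return acl_lookup(acl, pkt) == "permit"


# A VLAN access-map is a list of (sequence number, match ACL or None, action).
AccessMapEntry = Tuple[int, Optional[List[Ace]], str]


def vacl_forwards(access_map: List[AccessMapEntry], pkt: Packet) -> bool:
    """Section II: entries are tried in sequence order. A packet matches an
    entry when the referenced ACL *permits* it (so 'permit' is a match rule,
    not an allow); an entry without a match clause matches everything.
    The matching entry's action decides. No matching entry = implicit drop."""
    for _seq, match_acl, action in sorted(access_map, key=lambda e: e[0]):
        if match_acl is None or acl_lookup(match_acl, pkt) == "permit":
            return action == "forward"
    return False


# Section I data (inter-VLAN): Host1 192.168.1.1 in VLAN 10, Host2 172.16.0.1 in VLAN 20
BLOCK_TELNET_SVI_ACL = [
    Ace("deny", "tcp", "192.168.1.1", "172.16.0.1", 23),
    Ace("permit", "ip", "any", "any"),
]

# Section II data (intra-VLAN 100): Host1 192.168.1.1, Host2 192.168.1.2
BLOCK_TELNET_MATCH_ACL = [
    Ace("permit", "tcp", "192.168.1.1", "192.168.1.2", 23),   # match rule only
]
VACL_BLOCK_TELNET = [
    (10, BLOCK_TELNET_MATCH_ACL, "drop"),
    (20, None, "forward"),        # the catch-all entry the article insists on
]
# Same map with the catch-all left out: everything else hits the implicit deny.
VACL_MISSING_CATCH_ALL = [(10, BLOCK_TELNET_MATCH_ACL, "drop")]


if __name__ == "__main__":
    telnet_l3 = Packet("192.168.1.1", "172.16.0.1", "tcp", 23)
    telnet_l2 = Packet("192.168.1.1", "192.168.1.2", "tcp", 23)
    http_l2 = Packet("192.168.1.1", "192.168.1.2", "tcp", 80)
    print("SVI ACL, telnet H1->H2:", interface_acl_forwards(BLOCK_TELNET_SVI_ACL, telnet_l3))
    print("VACL, telnet H1->H2:", vacl_forwards(VACL_BLOCK_TELNET, telnet_l2))
    print("VACL, port 80 H1->H2:", vacl_forwards(VACL_BLOCK_TELNET, http_l2))
    print("VACL without seq 20, port 80:", vacl_forwards(VACL_MISSING_CATCH_ALL, http_l2))
```

The model deliberately keeps the two decision procedures separate: for the interface ACL the ACE action is the verdict, whereas for the VACL the ACE action only answers "does this entry match?" and the entry's own action is the verdict. Running the script shows telnet dropped in both setups, port 80 forwarded by the full access-map, and port 80 dropped as soon as the sequence-20 catch-all is missing.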
H1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
H1#telnet 192.168.1.2
Trying 192.168.1.2…
% Connection timed out; remote host not responding
–> Telnet on port 23 has been blocked.
However, a telnet connection to another port on Host2 still works, because the match ACL only selects destination port 23 and everything else falls through to the "action forward" entry:
H1#192.168.1.2 80
Trying 192.168.1.2, 80 … Open
III. Conclusion: VACL vs ACL
After configuring both a VACL and an ACL in this article, you should have a clear picture of the difference between the two.
Brief summary:
– A VACL is a Layer 2 concept. It is applied to a VLAN to limit and control traffic flow between hosts within the same Layer 2 VLAN (i.e. the same subnet).
– A classic ACL is a Layer 3 concept. ACLs control Layer 3 traffic between different VLANs/subnets (Layer 3 networks), so they work on inter-VLAN traffic.
Hope this article is useful for you in your work. Good luck.