
Filter traffic on Cisco Layer 3 switches using ACLs and VACLs

TigerDao

Administrator
Staff member
Cisco devices offer great features for traffic filtering. The classic access control list (ACL) is a core mechanism on Cisco network devices (routers, switches, etc.) used primarily for traffic filtering.

In this article, we will look at another type of ACL, the VLAN Access Control List (VACL), which works slightly differently from a classic ACL.

When setting up any network, you need full control over the traffic entering and leaving it. In most cases, filtering is used to allow or deny specific routed traffic from one Layer 3 subnet to another.

Typically this type of filtering is handled by ACLs that filter routed traffic (i.e. traffic between different Layer 3 networks).

What if we want to control traffic flow within the same VLAN (the same Layer 3 network)? This can be achieved with a VACL (VLAN Access Control List), which can block or allow traffic flows within the same VLAN.

VACLs are supported on Cisco Layer 3 switches. In this article, we will look at two simple filtering examples:

1. Traffic filtering on Layer 3 switches using classic ACLs to control traffic between Layer 3 networks.

2. Traffic filtering on Layer 3 switches using VLAN ACLs (VACLs) to control traffic within the same Layer 3 network (VLAN).

I. Traffic filtering using classic ACLs on Cisco Layer 3 switches

As you learned in CCNA, you can filter traffic using ACLs which can be:

  • Standard ACL: Contains only the source IP address.
  • Extended ACL: Contains both source/destination IP and ports.

Filtering can also be done using prefix lists (prefix-lists) and route maps (route-maps).

In this first simple ACL filtering example, the requirement is to block telnet traffic from Host1 to Host2. To achieve this, we will use an extended ACL applied inbound on one of the Switched Virtual Interfaces (SVIs) of the Layer 3 switch (interface vlan 10), as shown below.

(IMG)


First, verify the connection between hosts before applying ACL:

H1#ping 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms


H1#telnet 172.16.0.1
Trying 172.16.0.1 … Open
User Access Verification
Username:


As shown above, the two hosts can reach each other. We will now use ACL filtering to block specifically the telnet session from Host1 to Host2, using an ACL applied inbound on the SVI interface for VLAN 10 of the Layer 3 switch.

NOTE:

An ACL applied in the inbound direction on the SVI interface (interface vlan 10) filters traffic that enters the switch from hosts connected to VLAN 10 ports, i.e. traffic arriving at the switch before it is routed.

Configuration on the Cisco L3 switch to block telnet from Host1 to Host2.

1. Configure an ACL on the switch to block telnet

ip access-list extended Block_Telnet
 deny tcp host 192.168.1.1 host 172.16.0.1 eq 23
 permit ip any any

2. Apply the ACL inbound on the SVI interface of the switch

interface Vlan10
 description to Host1
 ip address 192.168.1.2 255.255.255.0
 ip access-group Block_Telnet in

interface Vlan20
 description to Host2
 ip address 172.16.0.2 255.255.255.0


3. Check

H1#telnet 172.16.0.1
Trying 172.16.0.1 ….
% Connection timed out; remote host not responding


–> As you can see, telnet traffic has been blocked. Note that the ACL only denies TCP port 23 from Host1 to Host2; ping (ICMP) and all other traffic between the hosts still matches the final "permit ip any any" entry.


II. Filter traffic using VACL on Cisco Layer3 Switches

ACLs use source and/or destination IP addresses and ports to match the packets to be filtered directly.

A VACL is different: it is used in switched networks where you want to filter traffic within a VLAN. A VACL is logically similar to a route map, but instead of "route-map" entries it contains "access-map" entries.

Each "access-map" entry contains a match statement (using a regular ACL) and the corresponding action (forward or drop).

You can have different match statements for each access-map sequence, and they are processed in the order entered.

Just like a normal route map, there is an implicit deny-all (drop) statement at the end, so be sure to create a final access-map entry that forwards all other traffic.

(IMG)


As shown in the diagram, we have two hosts in the same VLAN 100 (and the same Layer 3 subnet, 192.168.1.0/24) connected to the same Layer 3 switch. We want to restrict telnet access from Host1 to Host2.

First, verify the connection between the two hosts before applying the VACL:

H1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms


H1#telnet 192.168.1.2
Trying 192.168.1.2… Open
User Access Verification
Username:


Configure the VACL on the Layer 3 switch to block telnet from Host1 to Host2

1. Configure an ACL to match telnet traffic from Host1 to Host2.

SW-L3-TGM(config)#ip access-list extended Block_Telnet
SW-L3-TGM(config-ext-nacl)#permit tcp host 192.168.1.1 host 192.168.1.2 eq 23
SW-L3-TGM(config-ext-nacl)#exit

2. Configure the VLAN access map (the VACL)

SW-L3-TGM(config)#vlan access-map VACL_Block_Telnet 10
SW-L3-TGM(config-access-map)#action drop
SW-L3-TGM(config-access-map)#match ip address Block_Telnet

SW-L3-TGM(config-access-map)#vlan access-map VACL_Block_Telnet 20
SW-L3-TGM(config-access-map)#action forward

SW-L3-TGM(config-access-map)#exit

Note:

– The ACL in Step 1 contains a "permit" statement for telnet traffic from Host1 to Host2. This does NOT mean we allow telnet.
– In a VACL, "permit" in the matching ACL only means "match this traffic"; the matched traffic is then dropped inside the VACL access-map by the "action drop" command (see Step 2). Traffic not permitted by the ACL falls through to sequence 20, which forwards it.

3. Apply the VACL to the VLAN

SW1(config)#vlan filter VACL_Block_Telnet vlan-list 100

Check

H1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms


H1#telnet 192.168.1.2
Trying 192.168.1.2…
% Connection timed out; remote host not responding


–> Telnet on port 23 has been blocked.

However, a TCP connection from Host1 to Host2 on another port (here port 80, opened with the telnet client) still works, because only port 23 is matched by the ACL:

H1#telnet 192.168.1.2 80
Trying 192.168.1.2, 80 … Open
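To make the matching rules of both parts concrete (first-match ACL evaluation with the implicit deny in Part I, and access-map sequence order with "permit means match" plus the implicit drop in Part II), here is a small simulator written as an added example for this thread; it is not code from the article or from Cisco. The ACL and access-map contents mirror the lab above, the packet samples are constructed, and the parser only understands the "host <ip>" / "any" / "eq <port>" forms the article uses.

```python
"""Simulate Cisco-style ACL and VACL matching (added example, not from the article).

ACL semantics modelled: entries are checked in order, the first match decides,
and an implicit 'deny ip any any' sits at the end.
VACL semantics modelled: access-map sequences are checked in order; a sequence
applies when its match ACL *permits* the packet (an ACL deny means "no match",
so evaluation moves on); a sequence with no match clause applies to everything;
a packet matched by no sequence hits the implicit drop.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any protocol
    src: str              # "any" or a single IPv4 address
    dst: str
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != "any" and self.src != pkt.src:
            return False
        if self.dst != "any" and self.dst != pkt.dst:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def parse_ace(line: str) -> AclEntry:
    """Parse one extended-ACL line in the article's form, e.g.
    'deny tcp host 192.168.1.1 host 172.16.0.1 eq 23' or 'permit ip any any'."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    i = 2

    def addr() -> str:
        nonlocal i
        if tok[i] == "any":
            i += 1
            return "any"
        if tok[i] == "host":
            i += 2
            return tok[i - 1]
        raise ValueError("only 'any' and 'host <ip>' are supported here")

    src, dst = addr(), addr()
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return AclEntry(action, proto, src, dst, dport)


def acl_permits(acl, pkt: Packet) -> bool:
    """First-match evaluation with the implicit deny at the end."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


def vacl_action(access_map, acls, pkt: Packet) -> str:
    """access_map: list of (seq, action, acl_name or None); acls: name -> entries."""
    for _seq, action, acl_name in sorted(access_map, key=lambda e: e[0]):
        if acl_name is None or acl_permits(acls[acl_name], pkt):
            return action
    return "drop"             # implicit drop at the end of the access map


# Part I: classic ACL applied inbound on interface vlan 10 (values from the article)
BLOCK_TELNET_L3 = [parse_ace("deny tcp host 192.168.1.1 host 172.16.0.1 eq 23"),
                   parse_ace("permit ip any any")]

# Part II: the ACL only *matches* telnet; sequence 10 drops it, sequence 20 forwards the rest
ACLS = {"Block_Telnet": [parse_ace("permit tcp host 192.168.1.1 host 192.168.1.2 eq 23")]}
VACL_BLOCK_TELNET = [(10, "drop", "Block_Telnet"), (20, "forward", None)]
# The mistake the text warns about: no final forward sequence, so everything is dropped
VACL_WITHOUT_FORWARD = [(10, "drop", "Block_Telnet")]

if __name__ == "__main__":
    telnet_l3 = Packet("tcp", "192.168.1.1", "172.16.0.1", 23)
    print("Part I telnet H1->H2 permitted:", acl_permits(BLOCK_TELNET_L3, telnet_l3))
    telnet_vlan = Packet("tcp", "192.168.1.1", "192.168.1.2", 23)
    http_vlan = Packet("tcp", "192.168.1.1", "192.168.1.2", 80)
    print("Part II telnet:", vacl_action(VACL_BLOCK_TELNET, ACLS, telnet_vlan))
    print("Part II port 80:", vacl_action(VACL_BLOCK_TELNET, ACLS, http_vlan))
    print("No forward seq, port 80:", vacl_action(VACL_WITHOUT_FORWARD, ACLS, http_vlan))
```

Running the script reproduces the two verification steps above (telnet dropped, port 80 forwarded) and also shows that leaving out sequence 20 would drop the port 80 connection as well, which is the reason the text insists on a final forwarding access-map entry.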

III. Conclusion: VACL vs ACL

After configuring both a VACL and an ACL in this article, you should have a clear picture of the difference between the two.

Brief summary:

– A VACL is a Layer 2 concept. It is applied to a VLAN to limit and control traffic flow between hosts within the same Layer 2 VLAN on the internal network (i.e. the same subnet).

– An ACL (applied to a routed interface or SVI) is a Layer 3 concept. It controls Layer 3 traffic between different VLANs/subnets (Layer 3 networks), so it works on inter-VLAN traffic.

Hope this article is useful for you in your work. Good luck.

