This week, I have been studying and configuring VLAN ACLs. VLAN ACLs exist because regular ACLs can filter inter-VLAN traffic (traffic routed between VLANs) but not intra-VLAN traffic. Filtering between hosts on the same VLAN requires a VLAN Access List (VACL).
The VACL does the actual filtering of the traffic, but we still need to write an ACL to identify the traffic. The ACL is used as the match criterion within the VACL, and the VACL's action decides whether to drop or forward the matched traffic.
I will show you how to implement a VACL on TPWSW1 that prevents anyone on the UserPC1 subnet from using Telnet while allowing all other traffic.
The process I always follow for doing this is:
1. Build ACL
2. Build VACL
3. Apply VACL to VLAN
Build ACL
I always start a VACL with a regular extended ACL. Try to use descriptive names so that when you look at it in 6 months it will still mean something.
Create an extended access list named no_telnet_access_list and add an ACL statement that permits Telnet traffic:
TPWSW1(config)#ip access-list extended no_telnet_access_list
TPWSW1(config-ext-nacl)#permit tcp any any eq telnet
Create an extended access list named allow_all_traffic and add an ACL statement that permits all IP traffic:
TPWSW1(config)#ip access-list extended allow_all_traffic
TPWSW1(config-ext-nacl)#permit ip any any
Verify the no_telnet_access_list and the allow_all_traffic access lists you created.
TPWSW1#show access-lists
Extended IP access list allow_all_traffic
    10 permit ip any any
Extended IP access list no_telnet_access_list
    10 permit tcp any any eq telnet
Write the VACL
Create a VLAN access map named vlan_access_map with a sequence number of 10:
TPWSW1(config)#vlan access-map vlan_access_map 10
On TPWSW1, create a match statement that matches the access list named no_telnet_access_list:
TPWSW1(config-access-map)#match ip address no_telnet_access_list
On TPWSW1, configure an action for the VLAN access map that drops the packets matched by the no_telnet_access_list access list:
TPWSW1(config-access-map)#action drop
Create a second entry with sequence number 20 and a match statement that matches the allow_all_traffic access list:
TPWSW1(config)#vlan access-map vlan_access_map 20
TPWSW1(config-access-map)#match ip address allow_all_traffic
Configure an action for the VLAN access map that forwards the traffic matched by the allow_all_traffic access list:
TPWSW1(config-access-map)#action forward
Verify the access map configuration.
TPWSW1#show vlan access-map
Vlan access-map "vlan_access_map" 10
  Match clauses:
    IP address: no_telnet_access_list
  Action: drop
Vlan access-map "vlan_access_map" 20
  Match clauses:
    IP address: allow_all_traffic
  Action: forward
Apply VACL to VLAN
Apply the vlan_access_map access map to VLAN 5:
TPWSW1(config)#vlan filter vlan_access_map vlan-list 5
Verify the application of the access map to the VLAN.
TPWSW1#show vlan filter
VLAN Map vlan_access_map is filtering VLANs:
  5
Verify that you can no longer reach the switch (or any other host on VLAN 5) using Telnet, while other traffic such as ping still works. Obviously you could turn off Telnet in other ways; this was purely to demonstrate how powerful these VACLs can be.
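To make the evaluation order concrete, here is an added Python model of how the switch walks the access map above (my own illustration, not code from the post or from IOS): sequences are tried in order, a sequence fires only when its ACL has a permit entry matching the packet, and a packet that matches no sequence hits the implicit drop at the end of the map. The Flow, ACLS and VACL names are constructed for this example.

```python
from typing import Optional, List, Tuple
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """Constructed packet summary: IP protocol and TCP/UDP destination port."""
    proto: str                      # "tcp", "udp", "icmp"
    dst_port: Optional[int] = None  # None for protocols without ports

# Extended ACL entries as (action, protocol, dst_port); None means "any".
# Inside a VACL only "permit" entries match; a "deny" entry just falls through.
ACLS = {
    "no_telnet_access_list": [("permit", "tcp", 23)],   # permit tcp any any eq telnet
    "allow_all_traffic":     [("permit", "ip", None)],  # permit ip any any
}

# The vlan_access_map from the post: (sequence, ACL name, action).
VACL: List[Tuple[int, str, str]] = [
    (10, "no_telnet_access_list", "drop"),
    (20, "allow_all_traffic", "forward"),
]

def acl_matches(acl_name: str, flow: Flow) -> bool:
    """True if the first ACL entry matching the flow is a permit entry."""
    for action, proto, port in ACLS[acl_name]:
        if proto != "ip" and proto != flow.proto:
            continue
        if port is not None and port != flow.dst_port:
            continue
        return action == "permit"
    return False  # no entry matched (the ACL's own implicit deny)

def vacl_verdict(vacl, flow: Flow):
    """Return (action, sequence); (drop, None) is the map's implicit drop."""
    for seq, acl_name, action in sorted(vacl):
        if acl_matches(acl_name, flow):
            return action, seq
    return "drop", None

if __name__ == "__main__":
    for f in (Flow("tcp", 23), Flow("tcp", 443), Flow("icmp")):
        print(f, "->", vacl_verdict(VACL, f))
    # Without sequence 20 every non-Telnet packet falls to the implicit drop.
    print("no seq 20:", vacl_verdict(VACL[:1], Flow("tcp", 443)))
```

The last line is the reason the allow_all_traffic entry is not optional: a map that only contains the drop sequence blocks the whole VLAN, not just Telnet.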