Access list interface vlan
Network security is as important now as ever, with data getting bigger and more precious. Because network security helps businesses reduce the risk of data theft and disruption of production network operations, it is key to understand your security environment. An access control list (ACL) provides network security in your routing and switching environments through a rule or series of rules that permit or deny traffic at the network layer. Today, we will look at ACL concepts as well as troubleshooting common cases that you may see.

A quick note before we dive in. While there are no specific prerequisites for applying an ACL in the network, it should be done by professional network/security engineers. This feature is in Cisco IOS software releases 8.3 or later and uses packet filtering. Packet filtering is a firewall technique used to control network access by monitoring outgoing and incoming packets and either allowing them to pass or halting them based on the source and destination Internet Protocol (IP) addresses, protocols, and ports. We can set the configuration (as you'll see below) to filter IP traffic in Cisco Layer 3 switches, such as the Nexus switches, between two different SVIs/VLANs. Let's dive in!

Why ACL in Networks

ACLs work by blocking specified traffic to enhance the performance of the network. Strong security is provided by blocking packets that are destined for sensitive areas of the network. The type of traffic to forward is determined based on protocol, which lets you deny certain users access to the internet while allowing others. Please note that we are not focusing on access list types today. The example we will use today uses a PivIT environment with Nexus switches. We will show you a couple of rules that you can use, but you can add or remove rules from the default network ACL.
When rules are added or removed, they are automatically applied to the subnets that the ACL is associated with. Parts of a network ACL rule include:
Access control lists are a principal element in securing your network, and understanding how they work is essential to getting the most out of them. Below are a few rules and configurations to help build knowledge and understanding of ACLs and the basic rules to apply.

Step-by-Step Configurations

We have created one VLAN (154) in both Nexus switches. In the diagram below, you can also check the recommended way to configure an SVI in the Cisco 9500 series switches to get the maximum output. Note: The configurations below can only be done on Cisco Nexus Layer 3 switches.

Step 1. Create VLAN in both Nexus Core Switches

Core 1 Configurations:

Core 2 Configurations:

Step 2. Create SVI on both Nexus Core Switches

A Switched Virtual Interface (SVI) is a routed interface in IOS representing the IP addressing space for a particular VLAN connected to this interface. There is no physical interface for the VLAN; the SVI provides the Layer 3 processing for packets from all switch ports associated with the VLAN. With SVIs, the switch uses a virtual Layer 3 interface to route traffic to another Layer 3 interface, eliminating the need for a physical router. VLANs reduce the load on a network by dividing a LAN into smaller segments and keeping local traffic within a VLAN. However, because each VLAN is its own broadcast domain, a mechanism is needed for VLANs to pass data to other VLANs without sending the data through a router. We'll now show the configurations to create the SVI.

Core 1 Configurations:

Core 2 Configurations:

Step 3. Create Access List to Block All Traffic from VLAN 154

Before configuring the ACL rule, verify the inter-VLAN communication between the two VLANs. Below is what the verification should look like. Now we'll block the inter-VLAN traffic between the two VLANs through an ACL rule, but first we will create the access list. Next, we need to apply this access list to the VLAN 154 SVI. This makes it so that the two VLANs cannot communicate with each other.
If we do not apply the access list on the SVI, the case will not work.

Step 4. ACL Cases

Scenario 1: No one can access VLAN 154 through port 8080

Scenario 2: Block ICMP from VLAN 154

Scenario 3: Support port 888 for IP address 10.0.121.15

Scenario 4: Show access list commands

About PivIT Global

PivIT Global provides the support you need through infrastructure, maintenance, and professional services. Contact us today to chat more about configuring an ACL in SVI environments or how we can support you through our third-party maintenance and professional services offerings.
VLAN access-lists (VACL) are very useful if you want to filter traffic within the VLAN. Let me give you an example: let's say I want to make sure that the two computers are unable to communicate with the server. You could use port-security to filter MAC addresses, but this isn't a very safe method. I will show you how to configure a VACL so that the two computers won't be able to reach the server. First we have to create an access-list:

SW1(config)#access-list 100 permit ip any host 192.168.1.100

The first step is to create an extended access-list. Traffic from any source to destination IP address 192.168.1.100 should match my access-list. This might look confusing to you because your gut will tell you to use "deny" in this statement. Don't do it though, use the permit statement! The next step is to create the VACL. Mine is called "NOT-TO-SERVER".

• Sequence number 10 will look for traffic that matches access-list 100. All traffic that is permitted in access-list 100 will match here. The action is to drop this traffic. As a result, all traffic from any host to destination IP address 192.168.1.100 will be dropped; everything else will be forwarded.

SW1(config)#vlan filter NOT-TO-SERVER vlan-list 10

The last step is to apply the VACL to the VLANs you want. I apply mine to VLAN 10. Let's see if this works or not...
Prerequisite: Virtual LAN (VLAN), Access-lists (ACL)

VLAN ACL (VACL)

Procedure
Configuration

There is a switch named switch1 which is connected to 3 routers named Router1 (IP address 192.168.1.1/24), Router2 (IP address 192.168.1.2/24), and Router3 (IP address 192.168.1.3/24) as shown in the figure.

Configuring the IP address on Router2:

Router2(config)#int fa0/0
Router2(config-if)#ip address 192.168.1.2 255.255.255.0
Router2(config-if)#no shut

Configuring the IP address on Router3.

In this task, we will deny traffic from Router1 to Router3 using a VACL. First, configure an access-list on switch1 stating that all IP traffic should be allowed from host 192.168.1.1 to 192.168.1.3:

switch1(config)#ip access-list extended My_access_list
switch1(config-ext-nacl)#permit ip host 192.168.1.1 host 192.168.1.3

Now, configure a VLAN access-map which states: match the IP addresses defined in the access-list and take the action drop (which means traffic should not be allowed from 192.168.1.1 to 192.168.1.3).

switch1(config)#vlan access-map Mapping 10
switch1(config-access-map)#match ip address My_access_list
switch1(config-access-map)#action drop
switch1(config-access-map)#exit

In the first command, 10 is the sequence number of the access map. If we do not define any sequence number, it will automatically take 10 as the sequence number. Traffic from Router2 to Router3 will also get dropped because no action is defined for this traffic (implicit deny). Therefore, we have to define another rule stating that the other traffic should be allowed.

switch1(config)#vlan access-map Mapping 20
switch1(config-access-map)#action forward
switch1(config-access-map)#exit

In the first command, 20 is the sequence number, which means this rule will be checked after the first rule having sequence number 10. At last, we will assign this access-map, named Mapping, to a VLAN (here VLAN 1):

switch1(config)#vlan filter Mapping vlan-list 1

To verify the configuration, use the command:

switch1#show vlan access-map

This command will display the access map.
This will display the name of the access-map, the sequence number of the rule, and the access-list name that has been used.

switch1#show vlan filter

This will display the VLANs which are filtered by the VLAN access map.
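As an added example (not code from either tutorial above), the following Python models how a VLAN access-map evaluates a packet: a "match ip address" clause fires only on traffic the referenced ACL permits, clauses are tried in sequence order, and anything left unmatched hits the implicit deny at the end of the VACL. It runs both the NOT-TO-SERVER and the Mapping configurations; the host addresses 192.168.1.10/.11 and the tuple layout are constructed assumptions of mine.

```python
import ipaddress

# Constructed model of VACL evaluation, not vendor code. An extended ACL is a
# list of (action, source, destination) entries; a VLAN access-map is a list of
# (sequence, acl_name, action) clauses, where acl_name None means "match all".
def acl_permits(acl, src, dst):
    """True if the ACL's first matching entry is a 'permit' (that is what the
    access-map 'match ip address' clause looks for)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False  # no entry matched: the ACL's own implicit deny

def vacl_action(access_map, acls, src, dst):
    """Walk the access-map in sequence order and return 'forward' or 'drop'."""
    for _seq, acl_name, action in sorted(access_map, key=lambda c: c[0]):
        if acl_name is None or acl_permits(acls[acl_name], src, dst):
            return action
    return "drop"  # implicit deny at the end of the VACL

# ACLs from the two examples above ("any" written as 0.0.0.0/0)
ACLS = {
    "100": [("permit", "0.0.0.0/0", "192.168.1.100/32")],
    "My_access_list": [("permit", "192.168.1.1/32", "192.168.1.3/32")],
}
# The same ACL 100 written with 'deny', the mistake the first example warns about
ACLS_WRONG = {"100": [("deny", "0.0.0.0/0", "192.168.1.100/32")]}
MAPPING = [(10, "My_access_list", "drop"), (20, None, "forward")]
NOT_TO_SERVER = [(10, "100", "drop"), (20, None, "forward")]
NOT_TO_SERVER_NO_FORWARD = [(10, "100", "drop")]  # forward clause omitted

def demo():
    return {
        # Router1 -> Router3 dropped, Router2 -> Router3 forwarded by sequence 20
        "r1_to_r3": vacl_action(MAPPING, ACLS, "192.168.1.1", "192.168.1.3"),
        "r2_to_r3": vacl_action(MAPPING, ACLS, "192.168.1.2", "192.168.1.3"),
        # server unreachable, traffic between the two PCs (constructed hosts) still flows
        "to_server": vacl_action(NOT_TO_SERVER, ACLS, "192.168.1.10", "192.168.1.100"),
        "pc_to_pc": vacl_action(NOT_TO_SERVER, ACLS, "192.168.1.10", "192.168.1.11"),
        # without sequence 20 the implicit deny drops the other traffic too
        "pc_to_pc_no_fwd": vacl_action(NOT_TO_SERVER_NO_FORWARD, ACLS, "192.168.1.10", "192.168.1.11"),
        # with 'deny' in the ACL nothing matches the drop clause: the filter does nothing
        "deny_mistake": vacl_action(NOT_TO_SERVER, ACLS_WRONG, "192.168.1.10", "192.168.1.100"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```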