VLAN access control VACL


 

Whenever we want to filter traffic that is moving between different subnets (different vlans) we normally use access-list however when we want to filter traffic that is flowing within one subnet (one vlan) the best way to approach it is to use VLAN access control

list VACL

 

VACL

R1 and R2 should be able to communicate with each other without any problems :

 

R1#telnet 10.10.10.2 Trying 10.10.10.2 … Open

User Access Verification

Password:

R2>quit

[Connection to 10.10.10.2 closed by foreign host] R1#

 

 

so let’s denies telnet traffic from R1 going to  to R2

SW2(config)#ip access-list extended TELNETR1_R2
SW2(config-ext-nacl)#permit tcp host 10.10.10.1 host 10.10.10.2 eq 23

SW2(config-ext-nacl)#vlan access-map STOPTELNETR1_R2
SW2(config-access-map)#action drop
SW2(config-access-map)#match ip address TELNETR1_R2
SW2(config-access-map)#vlan access-map STOPTELNETR1_R2
SW2(config-access-map)#action forward
SW2(config-access-map)#exit

SW2(config)#vlan filter STOPTELNETR1_R2 vlan-list 10

 

Test:

R1#ping 10.10.10.2

Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds: !!!!!

 

R1#telnet 10.10.10.2
Trying 10.10.10.2 …
% Connection timed out; remote host not responding

 

Pings goes through without any issues due to “action forward” on the switch however telnet fails due to “action drop” so it looks like it’s working

 

 

 

 

Advertisements

About ccie4all
Hello, and welcome to the first post of my CCIE blog This blog has got one simple goal and that is to improve our skills in Cisco Networking field so we can become best engineers on a job market. Wordpress Blog https://ccie4all.wordpress.com/ information about the changes made to Gns3 BGP , MPLS and R&S CCIE labs. In order to access and download all provided materials and receive important updates from Gns3 BGP , MPLS and R&S CCIE labs under GNS3 tab in the main header please go ahead and subscribe to https://ccie4all.wordpress.com/ ! All other posts have not been affected and can be accessed at any given time. Enjoy ! Tom

4 Responses to VLAN access control VACL

  1. Alexandre says:

    hello, i’m preparing CCNP Switch and i need to implement vacl… What is ios image you use to realize this lab. Thanks

    • ccie4all says:

      Hello Alexandre !

      Apologize for the late reply !
      When I was preparing for my CCNP switch I was fortunate enough to borrow 5 switches home from my company. Unfortunately becaue L2 switches are ASIC based in other words it is a hardware chip that determines what port to forward data to where with routers practically everything is done based on routers IOS so the only option is to even borrow or purchase.

      I would highly recommend purchase simply because you will most definitely need it when preparing for the CCIE level exam.

      Cheers!
      Tom

      • Alexandre says:

        Thank you, i pass my CCNP Switch today and i pass it with 890. I prepare now my CCNP ROUTE but i give myself 4 months to be ready, any advice can be helpful.
        Thank you

      • ccie4all says:

        hi Alexandre,

        Congratulations ! Certainly , please should if you need any help whatsoever with the CCNP Routing/Tshoot track !

        Cheers
        Tom

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: