VLAN ACL (VACL)
Prerequisite – Virtual LAN (VLAN), Access-lists (ACL)
VLAN (Virtual LAN) is a concept in which we divide the broadcast domain into smaller broadcast domains logically at layer 2. If we create different VLANs then by default, a host from one VLAN can communicate with all the hosts residing in the same VLAN. If we want some hosts not able to reach other hosts within the same VLAN, then the concept of VLAN Access-list or Private VLAN can be used. (Access-list, is a set of various permit or deny conditions, used for packet filtering)
VLAN ACL (VACL) –
VLAN ACL is used to filter traffic of a VLAN (traffic within a VLAN i.e traffic for destination host residing in the same VLAN). All packets entering the VLAN are checked against the VACL. Unlike Router ACL, VACL is not defined in a direction but it is possible to filter traffic based on the direction of the traffic by combining VACLs and Private VLAN features.
- Define the standard or extended access list to be used in VACL –
An access list should be defined to identify the type of traffic and the hosts on which it is applied.
- Define a VLAN access map –
A VLAN access-map is defined in which hosts IP address will be matched (using the access-list defined)
- Configure an action clause in a VLAN access map sequence –
This will tell what action (forward or drop) should be taken on the traffic (defined in the VLAN access map)
- Apply the VLAN access map to the specified VLANs –
The last step in the configuration of VACL is to create a filter list specifying, on which VLAN the access map has been applied.
- Display VLAN access map information –
We can verify the information by using the command.
There is a switch named switch1 which is connected to 3 routers named Router1 (IP address-192.168.1.1/24), Router2 (IP address-192.168.1.2/24), and Router3 (IP address-192.168.1.3/24) as shown in the figure.
Configuring IP address on Router1.
Router1(config)#int fa0/0 Router1(config-if)#ip address 192.168.1.1 255.255.255.0 Router1(config-if)#no shut
Configuring IP address on Router2.
Router2(config)#int fa0/0 Router2(config-if)#ip address 192.168.1.2 255.255.255.0 Router2(config-if)#no shut
Configuring IP address on Router3.
Router3(config)#int fa0/0 Router3(config-if)#ip address 192.168.1.3 255.255.255.0 Router3(config-if)#no shut
In this task, we will deny traffic from Router1 to Router3 using VACL.
Configuring access-list on switch1 stating that all IP traffic should be allowed from host 192.168.1.1 to 192.168.1.3
switch1(config)#ip access-list extended My_access_list switch1(config-ext-nacl)#permit ip host 192.168.1.1 host 192.168.1.3
Now, configuring VLAN access-map which states that match the IP address defined in access-list and take action of drop (which means traffic should not be allowed from 192.168.1.1 to 192.168.1.3).
switch1(config)#vlan access-map Mapping 10 switch1(config-access-map)#match ip address My_access_list switch1(config-access-map)#action drop switch1(config-access-map)#exit
In the first command, 10 is the sequence number of the access map. If we do not define any sequence number then it will automatically take 10 as a sequence number.
Now, for the traffic from Router1 (192.168.1.1) to Router3 (192.168.1.3), the traffic will be dropped but what about the traffic from Router2 to Router3?
The traffic from Router2 to Router3 will also get drop because no action is defined for this traffic (implicit deny). Therefore, we have to define another rule stating that the other traffic should be allowed.
switch1(config)#vlan access-map Mapping 20 switch1(config-access-map)#action forward switch1(config-access-map)#exit
In the first command, 20 is the sequence number which means this rule will be checked after the first rule having sequence number 10.
At last, we will assign this access-map, named My_access_list, to a VLAN (here VLAN 1)
switch1(config)#vlan filter Mapping vlan-list 1
To verify the configuration, use the command.
switch1#show vlan access-map
This command will display the access map. This will display the name of the access-map, sequence number of the rule, and the access-list name (that has been used).
switch1#show vlan filter
This will display the VLANs which are filtered by the VLAN access map.