Open In App

VLAN ACL (VACL)

Improve
Improve
Improve
Like Article
Like
Save Article
Save
Share
Report issue
Report

Prerequisite – Virtual LAN (VLAN), Access-lists (ACL) 

VLAN (Virtual LAN) is a concept in which we divide the broadcast domain into smaller broadcast domains logically at layer 2. If we create different VLANs then by default, a host from one VLAN can communicate with all the hosts residing in the same VLAN. If we want some hosts not able to reach other hosts within the same VLAN, then the concept of VLAN Access-list or Private VLAN can be used. (Access-list, is a set of various permit or deny conditions, used for packet filtering) 

VLAN ACL (VACL) – 

VLAN ACL is used to filter traffic of a VLAN (traffic within a VLAN i.e traffic for destination host residing in the same VLAN). All packets entering the VLAN are checked against the VACL. Unlike Router ACL, VACL is not defined in a direction but it is possible to filter traffic based on the direction of the traffic by combining VACLs and Private VLAN features. 

Procedure – 

  1. Define the standard or extended access list to be used in VACL – 
    An access list should be defined to identify the type of traffic and the hosts on which it is applied.
  2. Define a VLAN access map – 
    A VLAN access-map is defined in which hosts IP address will be matched (using the access-list defined)
  3. Configure an action clause in a VLAN access map sequence – 
    This will tell what action (forward or drop) should be taken on the traffic (defined in the VLAN access map)
  4. Apply the VLAN access map to the specified VLANs – 
    The last step in the configuration of VACL is to create a filter list specifying, on which VLAN the access map has been applied.
  5. Display VLAN access map information – 
    We can verify the information by using the command.

 VACLs are utilized for different purposes, including:

1. Security: VACLs can be utilized to control admittance to explicit VLANs, forestalling unapproved admittance to delicate organization assets. For instance, you can utilize a VACL to impede all traffic entering or leaving a VLAN, with the exception of approved clients.

2. Filtering: VACLs can be utilized to channel traffic in view of explicit models, for example, IP address or port number. This can assist with decreasing organization clog by restricting how much undesirable traffic on the organization.

3. Monitoring: VACLs can be utilized to screen network traffic entering or leaving a VLAN, giving perceivability into network movement. For instance, you can utilize a VACL to log all traffic entering or leaving a VLAN, making it conceivable to recognize potential security dangers or investigate network issues.

4. QoS: VACLs can be utilized to focus on network traffic entering or leaving a VLAN, guaranteeing that basic traffic gets the important data transfer capacity and diminishing the probability of blockage.

Configuration – 

There is a switch named switch1 which is connected to 3 routers named Router1 (IP address-192.168.1.1/24), Router2 (IP address-192.168.1.2/24), and Router3 (IP address-192.168.1.3/24) as shown in the figure. 

Configuring IP address on Router1. 

Router1(config)#int fa0/0
Router1(config-if)#ip address 192.168.1.1 255.255.255.0
Router1(config-if)#no shut

Configuring IP address on Router2. 

Router2(config)#int fa0/0
Router2(config-if)#ip address 192.168.1.2 255.255.255.0
Router2(config-if)#no shut

Configuring IP address on Router3. 

Router3(config)#int fa0/0
Router3(config-if)#ip address 192.168.1.3 255.255.255.0
Router3(config-if)#no shut

In this task, we will deny traffic from Router1 to Router3 using VACL. 

Configuring access-list on switch1 stating that all IP traffic should be allowed from host 192.168.1.1 to 192.168.1.3  

switch1(config)#ip access-list extended My_access_list
switch1(config-ext-nacl)#permit ip host 192.168.1.1 host 192.168.1.3 

Now, configuring the VLAN access-map which states that match the IP address defined in access-list and take action of drop (which means traffic should not be allowed from 192.168.1.1 to 192.168.1.3). 

switch1(config)#vlan access-map Mapping 10
switch1(config-access-map)#match ip address My_access_list
switch1(config-access-map)#action drop 
switch1(config-access-map)#exit

In the first command, 10 is the sequence number of the access map. If we do not define any sequence number then it will automatically take 10 as a sequence number. 
Now, for the traffic from Router1 (192.168.1.1) to Router3 (192.168.1.3), the traffic will be dropped but what about the traffic from Router2 to Router3? 

The traffic from Router2 to Router3 will also get drop because no action is defined for this traffic (implicit deny). Therefore, we have to define another rule stating that the other traffic should be allowed.  

switch1(config)#vlan access-map Mapping 20
switch1(config-access-map)#action forward 
switch1(config-access-map)#exit

In the first command, 20 is the sequence number which means this rule will be checked after the first rule having sequence number 10. 

At last, we will assign this access-map, named My_access_list, to a VLAN (here VLAN 1) 

switch1(config)#vlan filter Mapping vlan-list 1

To verify the configuration, use the command. 

switch1#show vlan access-map

This command will display the access map. This will display the name of the access-map, sequence number of the rule, and the access-list name (that has been used).  

switch1#show vlan filter

This will display the VLANs which are filtered by the VLAN access map.

Advantages

  • Security: VLAN ACLs can be used to control access to network resources by filtering traffic based on source and destination IP addresses, protocol type, and port numbers. This helps in securing the network against unauthorized access, and can prevent attacks such as denial-of-service (DoS) attacks and unauthorized access to sensitive data.
  • Increased Performance: By filtering traffic at the VLAN level, VLAN ACLs can reduce the amount of traffic that passes through the network, thus improving network performance and reducing network congestion.
  • Enhanced Network Segmentation: VLAN ACLs enable administrators to define security policies and restrict access to specific VLANs based on the type of user or device. This provides enhanced network segmentation, which is essential for larger networks with multiple departments, groups or tenants.
  • Improved QoS: VLAN ACLs can be used to prioritize network traffic and assign different levels of quality of service (QoS) to different types of traffic, such as voice or video traffic.

Disadvantages

  • Complexity: Configuring VLAN ACLs can be complex, especially for large networks with multiple VLANs and complex security policies. This can lead to errors and misconfigurations, which can impact network performance and security.
  • Overhead: Implementing VLAN ACLs can introduce additional overhead to the network, as traffic needs to be analyzed and filtered at each VLAN. This can reduce network performance and increase latency.
  • Maintenance: VLAN ACLs require regular maintenance and updates, as network traffic patterns and security policies change over time. This can be time-consuming and require specialized skills.
  • Resource Intensive: Implementing VLAN ACLs can require additional hardware resources, such as dedicated firewalls or switches with built-in ACL capabilities, which can increase the overall cost of the network.

Last Updated : 05 May, 2023
Like Article
Save Article
Previous
Next
Share your thoughts in the comments