Filtering the VLAN Traffic

So it ended up that I decided to do a recap on VLAN access control lists (ACLs) before I got back into Spanning Tree. I also covered Private VLANs tonight, but will come back to them some other time for the blog.

Over the years I have had lots of dealings with port- and router-based ACLs, but VLAN-based ACLs (VACLs) I only came across when I started studying for my CCNP. I already have plans to use them to limit the traffic on some of our more sensitive network segments.

Now, if you already know your VACL set up, here is the point to stop reading; what follows is a run-through of the config, with some description of the steps.

Still with me? OK, let's get to it.

The first step in creating a VACL is in fact to create some “standard” ACLs first; these will be used to classify which traffic is filtered once the VACL is applied. A VACL accepts two types of access list as match arguments, IP and MAC, so let's set one of each up.

(config)#access-list 100 permit ip host 172.168.5.5 any

(config)#mac access-list extended MAC-ACL
(config-ext-macl)#permit any host b7d4.5f6d.8e31

So, two simple ACLs created. Note that you can also use the ip access-list command and create named IP access lists if you wish.

So now we need to create the VACL and add these lists to it.

(config)#vlan access-map <name> 10
(config-access-map)#match ip address 100
(config-access-map)#action drop
(config)#vlan access-map <name> 20
(config-access-map)#match mac address MAC-ACL
(config-access-map)#action drop
(config)#vlan access-map <name> 30
(config-access-map)#action forward

Notice that, by default, once a VACL is applied to a VLAN, any packet that does not match any sequence in the VACL is dropped. As we can see, each section in the VACL has a sequence number, one or more match statements, and an action to take. In this set up any traffic that matches the two ACLs we created will be dropped. By adding a sequence without any match statement and only an action, we have set up a “catch all”, just as you might with a “standard” ACL when you enter “permit any any”.

So there we have it, the VACL all set up and ready to go; now it's just a case of applying it to a VLAN or two.

(config)#vlan filter <name> vlan-list 10

And there you have it: any traffic passing across the switch on the configured VLANs will now be subject to the statements in your VACL. I think they're great for adding that extra layer of security to your network, and for keeping traffic where it should be.

OK, so not an exciting post tonight, but I will get back to STP tomorrow, and I can tell you from past experience how not to configure it.

Night all and take care.

5 thoughts on “Filtering the VLAN Traffic”

    • Hi,

      I'll be writing up some more posts on Spanning Tree soon along with more routing stuff, but if you want specific VLAN information, let me know and I will see what I can do. There's a thousand posts in my head. Been a busy few weeks, finishing up one job and preparing for another, but expect the post count to start rising again soon.

  1. Hi

    So I have been having serious problems with this. According to the CCNP: Switch Exam Prep Guide the following should be OK.

    (config)#access-list 10 permit 192.168.1.0 0.0.0.255

    (config)#vlan access-map PASS 10
    (config-access-map)#match ip address 10
    (config-access-map)#action forward
    (config)#vlan access-map PASS 20
    (config-access-map)#action drop

    (config)#vlan filter PASS vlan-list 10

    As soon as I do this all traffic stops and even spanning tree starts to flap on VLAN 10.

    I seriously need help to explain what I am doing wrong. I tried this on multiple switches and it's always the same.

    Help!

  2. So I assume what you are trying to do is block all traffic on VLAN 10 unless it is from the subnet 192.168.1.0/24,

    yes?

    But what about traffic sent to the subnet 192.168.1.0/24?

    (config)#access-list 10 permit 192.168.1.0 0.0.0.255

    This only captures traffic with a source address in 192.168.1.0/24; returning traffic is not being picked up. So yes, your filter will appear to block all traffic.

    You want to use extended ACLs and have

    permit ip any 192.168.1.0 0.0.0.255
    permit ip 192.168.1.0 0.0.0.255 any

    Now traffic can flow both ways and the filter should work.

    Let me know
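As an added illustration (not code from the post or its comments) of the default-drop behaviour the post describes and of the source-only matching problem worked through in the exchange above, this Python model walks a VLAN access map sequence by sequence the way the post explains. Only IP matching is modelled, and the extended ACL number 110 used for the fix is an assumption.

```python
from ipaddress import ip_address, ip_network
ANY = ip_network("0.0.0.0/0")  # Cisco "any"

# Constructed model of how a Cisco VACL classifies an IP packet (added
# illustration, not IOS code). An ACL is a list of (action, src_net, dst_net);
# a standard ACL has dst_net=None because it tests the SOURCE address only.
# An access map is a list of (sequence, acl_name_or_None, action); a sequence
# with no match statement is the catch-all described in the post.

def cisco_net(addr, wildcard):
    """'192.168.1.0 0.0.0.255' -> 192.168.1.0/24 (contiguous wildcards only)."""
    prefix = 32 - bin(int(ip_address(wildcard))).count("1")
    return ip_network(f"{addr}/{prefix}", strict=False)

def acl_permits(acl, src, dst):
    """First matching entry wins. A permit classifies the flow; a deny or no
    match means this VACL sequence does not apply (an ACL's implicit deny)."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and (dst_net is None or d in dst_net):
            return action == "permit"
    return False

def vacl_decide(access_map, acls, src, dst):
    """Walk sequences in order; the first whose match hits supplies the action.
    If no sequence matches, the VACL drops the packet (the default drop)."""
    for _seq, acl_name, action in sorted(access_map, key=lambda e: e[0]):
        if acl_name is None or acl_permits(acls[acl_name], src, dst):
            return action
    return "drop"

# The post's map: drop anything sourced from 172.168.5.5, forward the rest.
BLOG_ACLS = {"100": [("permit", cisco_net("172.168.5.5", "0.0.0.0"), ANY)]}
BLOG_MAP = [(10, "100", "drop"), (30, None, "forward")]

# The commenter's map: standard ACL 10 matches only packets *from* 192.168.1.0/24,
# so replies *to* that subnet fall through to sequence 20 and are dropped.
COMMENT_ACLS = {"10": [("permit", cisco_net("192.168.1.0", "0.0.0.255"), None)]}
PASS_MAP = [(10, "10", "forward"), (20, None, "drop")]

# The reply's fix: an extended ACL (number 110 is assumed) covering both directions.
LAN = cisco_net("192.168.1.0", "0.0.0.255")
FIXED_ACLS = {"110": [("permit", ANY, LAN), ("permit", LAN, ANY)]}
FIXED_MAP = [(10, "110", "forward"), (20, None, "drop")]

if __name__ == "__main__":
    print(vacl_decide(BLOG_MAP, BLOG_ACLS, "172.168.5.5", "10.0.0.1"))    # drop
    print(vacl_decide(PASS_MAP, COMMENT_ACLS, "10.0.0.1", "192.168.1.10"))  # drop
    print(vacl_decide(FIXED_MAP, FIXED_ACLS, "10.0.0.1", "192.168.1.10"))   # forward
```

The second print is the commenter's symptom: the outbound packet is forwarded, but the reply never matches sequence 10 and is dropped by the catch-all.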

  3. I have a question (muffled cry for help). I need to create a network for my networking principles class and am stumped… missed a few weeks' classes from illness. I need to set up a network that spans across 3 rooms in a uni… 1 has full access to the uni network, one has only web access to the main university network and the internet, and one has only internet access. How do I go about differentiating between the 3 rooms and traffic types, and how do you grant web access only to a network (which I'm assuming means the network files and not the routers and switches)?
