So it ended up I decided to do a recap on VLAN access control lists (ACL’s) before I got back into Spanning Tree. I also covered Private VLAN’s tonight but will come back to them some other time for the blog.
Over the years I have had lots of dealing with port and router based ACL’s, but VLAN based ACL’s I only came across when I started studying for my CCNP. And I already have plans to use them to limit the traffic on some of our more sensitive network segments.
Now if you know you VACL set up, here is the point to stop reading, what follows is a run through of the config, with some description of the steps.
Still with me? OK lets get to it.
The first step in creating a VACL’s is in fact to create some “standard” ACL’s first, these will be used to classify what traffic is filtered once the VACL is applied. the VACL will accept two types of access lists as arguments IP and MAC, so lets set some up.
(config)#access-list 100 permit ip host 188.8.131.52 any
(config)#mac access-list extended MAC-ACL
(config-ext-mac)#permit any host b7d4.5f6d.8e31
So two simple ACL’s created, now you can you the IP access list command and create named access lists as will if you wish.
So now we need to create the VACL and add these lists to it.
(config)#vlan access-map <name> 10
(config-map)#match ip address 100
(config-map)#vlan access-map <name> 20
(config-map)#match mac-address MAC-ACL
(config-map)#vlan access-map <name>30
Notice by default if a VACL is configured on a VLAN is a packet does not match the VACL it will be dropped. As we can see each section in the VACL has a sequence number, a match statement (can have more than one) and an action to take. In this set up any traffic that matches the two ACL’s we set up will be dropped. By adding a sequence with out any match statement and only an action, we have set up a “catch all” situation, just like you may do with a “standard ACL when you enter “permit any any”.
So there we have it the VACL all set up and ready to go, now its just a case of applying it to a VLAN or two.
(config)#vlan filter <name> vlan-list 10
And there you have it, now any traffic passing across the switch on the configured VLAN’s will be subject to the statements in you VACL. I think there great for adding that extra layer of security to your network, and keeping traffic where it should be.
OK so not an exciting post tonight, but I will get back to STP tomorrow and I can tell you from past experience how not to configure it.
Night all and take care.