When it comes to L3 switches, there is no problem applying ACLs to filter inter-VLAN traffic, but we run into an issue when we want to filter intra-VLAN traffic: those ACLs can't filter traffic between hosts in the same VLAN.
This is where VLAN ACLs come in handy.
The NM-16ESW module and the vIOS image I have in my GNS3 environment don't support this feature, so real gear is required to build this lab. I used three Catalyst 3550 switches, connected as shown in the topology below.
Topology

Initial configuration
VLAN 10 is transported across all three switches, and I raised SVI interfaces configured with IP addresses from the 192.168.10.0/24 network: Switch 1 has 192.168.10.1, Switch 2 has 192.168.10.2 and Switch 3 has 192.168.10.3. In other words, we have three hosts in the same broadcast domain.
The purpose is to configure a VLAN ACL on Switch 1 that blocks traffic between Switches 1 and 3 while still allowing Switches 1 and 2 to communicate.
Configuring the lab
We start by configuring an ACL to identify the traffic that will be dropped.
Switch_1(config)#ip access-list extended ACL_BLOCK_S3
Switch_1(config-ext-nacl)#10 permit ip host 192.168.10.3 host 192.168.10.1
After this, from global configuration mode, we configure an access-map that establishes the action to be taken against the traffic identified by this ACL.
Switch_1(config)#vlan access-map NO_S3
Switch_1(config-access-map)#match ip address ACL_BLOCK_S3
Switch_1(config-access-map)#action drop
We continue the configuration by allowing the rest of the traffic. This second entry has no match statement, so it forwards everything the first entry did not match; without it, unmatched traffic would be dropped.
Switch_1(config-access-map)#exit
Switch_1(config)#vlan access-map NO_S3
Switch_1(config-access-map)#action forward
Now that the VLAN ACL is configured, all we have to do next is apply it.
To do that we exit yet again to global configuration mode and use the vlan filter command, which references the VLAN ACL configured above and identifies the VLANs on which it is applied.
Switch_1(config-access-map)#exit
Switch_1(config)#vlan filter NO_S3 vlan-list 10
We test the configuration by sending a ping from Switch 1 to Switch 3. If the ping fails, the configuration succeeded.
Next, we issue a ping from Switch 1 to Switch 2, which has to work if everything is OK.
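As an added illustration (my own Python model, not configuration from this lab), the following code mimics how the switch walks the NO_S3 access-map for every IP packet inside VLAN 10. It assumes two Catalyst behaviours: a VLAN map is not directional, so the echo request and its reply are each checked on their own, and a map in which no entry matches drops the packet, which is why the second, forward-only entry matters.

```python
from ipaddress import ip_address, ip_network

# ACL_BLOCK_S3 from the lab: a single permit ACE, S3 -> S1 only.
ACL_BLOCK_S3 = [("permit", "192.168.10.3/32", "192.168.10.1/32")]

def acl_matches(acl, src, dst):
    """True if the packet hits a permit ACE of this ACL.

    Inside a VLAN map a permit ACE selects traffic for the entry, a deny
    ACE excludes it from the entry, and a packet that hits nothing falls
    through to the next entry of the map.
    """
    for ace_action, src_net, dst_net in acl:
        if ip_address(src) in ip_network(src_net) and ip_address(dst) in ip_network(dst_net):
            return ace_action == "permit"
    return False

# vlan access-map NO_S3: entry 10 drops what ACL_BLOCK_S3 matches,
# entry 20 has no match statement and forwards everything else.
NO_S3 = [
    (10, ACL_BLOCK_S3, "drop"),
    (20, None, "forward"),
]

def vacl_action(access_map, src, dst):
    """Walk the map entries in sequence order and return the action of the
    first entry whose match hits; a map that matches nothing drops the packet
    (assumed Catalyst behaviour)."""
    for _seq, acl, action in sorted(access_map, key=lambda e: e[0]):
        if acl is None or acl_matches(acl, src, dst):
            return action
    return "drop"

def ping_succeeds(access_map, src, dst):
    """The map is not directional: the echo request and the echo reply are
    each checked as they cross VLAN 10, so both must be forwarded."""
    return (vacl_action(access_map, src, dst) == "forward"
            and vacl_action(access_map, dst, src) == "forward")

if __name__ == "__main__":
    S1, S2, S3 = "192.168.10.1", "192.168.10.2", "192.168.10.3"
    print("S1 -> S3 echo request:", vacl_action(NO_S3, S1, S3))  # forward
    print("S3 -> S1 echo reply:  ", vacl_action(NO_S3, S3, S1))  # drop
    print("ping S1 -> S3 works:", ping_succeeds(NO_S3, S1, S3))  # False
    print("ping S1 -> S2 works:", ping_succeeds(NO_S3, S1, S2))  # True
    # Without entry 20 the implicit drop at the end of the map kills S1 <-> S2 too.
    print("ping S1 -> S2 without the forward entry:",
          ping_succeeds([(10, ACL_BLOCK_S3, "drop")], S1, S2))  # False
```

Note that the one-directional ACE is enough to break the ping in both directions, because whichever half of the exchange travels from S3 to S1 is dropped.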
And this is all for this lab.
Cheers! :)