Thursday, November 18, 2010

VLAN Access Control List

A router ACL applied to a VLAN's Layer 3 interface (SVI) can filter traffic that is routed between VLANs, but it never sees traffic that stays inside a single VLAN, because that traffic is switched at Layer 2 and never reaches the SVI. To filter traffic between hosts in the same VLAN, a VLAN ACL (VACL, configured on Cisco switches as a VLAN access map) needs to be implemented; it is applied to the VLAN itself and inspects every packet bridged within that VLAN or routed into or out of it.

For example, we want to block four hosts in 172.10.10.0/24 (172.10.10.0 through 172.10.10.3) from communicating with any other host in that subnet.

First we define an extended access list that identifies the traffic to be filtered:

“(config)#ip access-list extended BLOCK4IP”

“(config-ext-nacl)#permit ip 172.10.10.0 0.0.0.3 172.10.10.0 0.0.0.255”

Yes, it is permit, not deny: the access list only selects the traffic, and the drop decision is made later in the access map that references it. The wildcard 0.0.0.3 marks the two low bits as “don't care”, so the source covers exactly 172.10.10.0 through 172.10.10.3. A careless wildcard such as 0.0.0.4 would match only 172.10.10.0 and 172.10.10.4, not four consecutive hosts, so check the mask before relying on it.

Then we create the VLAN access map, match the access list made before, and drop the traffic it identifies:

“(config)#vlan access-map NO_4IP 10”

10 is the sequence number of this entry. The switch evaluates a map's entries in ascending sequence order, so an entry with a lower number (e.g. 5) would be evaluated first, and the first entry whose match clause is satisfied decides what happens to the packet. Then we match the address list using the ACL created before:

“(config-access-map)#match ip address BLOCK4IP”

“(config-access-map)#action drop” (drops the packets that BLOCK4IP permits)

Then all other traffic in the VLAN, everything not sent by the four blocked hosts, must be explicitly forwarded:

“(config)#vlan access-map NO_4IP 20”

“(config-access-map)#action forward”

Sequence 20 has no match clause, so it matches every remaining packet; because sequence 10 is evaluated first, the four hosts are already dropped before this entry is reached. If we later need another rule between them, we add it with a sequence number between 10 and 20 and it takes its place in that order immediately.

Finally the VACL is applied not to an interface but to the VLAN, from global configuration mode (suppose we want to apply it to VLAN 100): “(config)#vlan filter NO_4IP vlan-list 100”

Note that a VLAN map, like an ACL, ends with an implicit deny: once the map contains an IP match clause, any IP packet that matches no entry is dropped, which is why sequence 20 with “action forward” is required. Also, a VLAN can have only one VLAN map applied to it at a time, but the same map can be applied to several VLANs by listing them (for example “vlan-list 100,200” or “vlan-list 100-110”). VACLs are stateless, so “action drop” here stops only the packets the ACL describes, those sent by the four hosts; packets sent to them by other hosts are not dropped, but every reply from the four hosts is, so no conversation can complete. Verify the result with “show vlan access-map NO_4IP” and “show vlan filter”.
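The following Python model is an added illustration, not code from the original post or from Cisco IOS. It evaluates a packet against an extended ACL and a VLAN access map using the rules above: wildcard-mask matching, entries evaluated in ascending sequence order, and the implicit deny once an IP match clause is present. It goes slightly beyond the post's case by also showing what happens when sequence 20 is omitted and when a lower-numbered forward entry is inserted. The ACL and map names mirror the post; the packets and the helper function names are constructed here.

```python
"""Simulate how a Cisco VLAN access map (VACL) evaluates IP packets.

Added illustration, not code from the original post or from Cisco. It models
the two rules the post relies on: map entries are evaluated in ascending
sequence-number order, and once a map contains an IP match clause, any IP
packet that matches no entry is dropped (the implicit deny). Addresses and
ACL names mirror the post's example; the test packets are constructed here.
"""
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means "don't care"."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def wildcard_hosts(base: str, wildcard: str, network: str) -> list:
    """Every address in `network` that the base/wildcard pair actually matches."""
    return [str(h) for h in ipaddress.IPv4Network(network)
            if wildcard_match(str(h), base, wildcard)]


def acl_permits(entries, src: str, dst: str) -> bool:
    """Extended IP ACL: first matching entry wins, implicit deny at the end.

    entries: list of (action, src_base, src_wildcard, dst_base, dst_wildcard).
    """
    for action, sb, sw, db, dw in entries:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


def vacl_action(access_map, acls, src: str, dst: str) -> str:
    """Return "drop" or "forward" for an IP packet in the filtered VLAN.

    access_map: list of (sequence, acl_name_or_None, action). A None ACL is an
    entry with no match clause, which matches every packet.
    """
    for _seq, acl_name, action in sorted(access_map, key=lambda e: e[0]):
        if acl_name is None or acl_permits(acls[acl_name], src, dst):
            return action
    # No entry matched. With an IP match clause anywhere in the map, unmatched
    # IP traffic is dropped; a map with no IP match clause forwards it.
    has_ip_match = any(name is not None for _s, name, _a in access_map)
    return "drop" if has_ip_match else "forward"


# The post's configuration, with wildcard 0.0.0.3 so BLOCK4IP covers the four
# hosts 172.10.10.0-.3 (0.0.0.4 would match only .0 and .4).
ACLS = {
    "BLOCK4IP": [("permit", "172.10.10.0", "0.0.0.3", "172.10.10.0", "0.0.0.255")],
}
NO_4IP = [
    (10, "BLOCK4IP", "drop"),  # vlan access-map NO_4IP 10 / match ip address BLOCK4IP / action drop
    (20, None, "forward"),     # vlan access-map NO_4IP 20 / action forward
]

if __name__ == "__main__":
    print("0.0.0.4 matches:", wildcard_hosts("172.10.10.0", "0.0.0.4", "172.10.10.0/24"))
    print("0.0.0.3 matches:", wildcard_hosts("172.10.10.0", "0.0.0.3", "172.10.10.0/24"))
    for src, dst in [("172.10.10.2", "172.10.10.50"), ("172.10.10.50", "172.10.10.2"),
                     ("172.10.10.50", "172.10.10.60")]:
        print(src, "->", dst, vacl_action(NO_4IP, ACLS, src, dst))
    # Drop sequence 20 and the implicit deny takes over for everyone else.
    print("without sequence 20:", vacl_action(NO_4IP[:1], ACLS, "172.10.10.50", "172.10.10.60"))
```

Running the block prints the two host lists (showing why the wildcard must be 0.0.0.3), the drop for a blocked host, the forward for its return traffic and for unrelated hosts, and the drop that every other host would suffer if sequence 20 were missing.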
