The steps involved in implementing VLAN access lists (VACLs):

1. Define the VLAN access map. To define a VLAN access map, use the global configuration command:
   Switch(config)# vlan access-map <map-name> [sequence-number]
   Access-map statements are evaluated in ascending sequence-number order.

2. Define the matching conditions that identify the traffic to be filtered. Use the access-map configuration command:
   Switch(config-access-map)# match {ip address {<acl-number> | <acl-name>} | mac address <acl-name>}

3. Define the action to be performed on the matched traffic. Use the command:
   Switch(config-access-map)# action {drop | forward [capture] | redirect <interface-type> <mod>/<num>}

4. Apply the VACL to the VLAN. Use the global configuration command:
   Switch(config)# vlan filter <map-name> vlan-list <list-of-vlans>
Scenario (topology diagram: switch ports Fa0/3 and Fa0/1; client 192.168.100.9/24, server 192.168.100.254/24)
• Build and configure the network
• Create VLAN 100 on the switch
• Client pool of addresses: 192.168.100.1-192.168.100.254
• Allow Accounting Supervisors (hosts 192.168.100.9-15/24) to reach the Accounting Server (192.168.100.254)
• Block all other clients in the designated pool from reaching the server
• Allow ALL other clients outside of the designated pool to reach the server
VLAN Map Configuration Steps
1. Create named extended ACLs to identify source traffic:
   • an 'allow' address range
   • a 'block' address range
   • the 'default' address range (all other traffic)
   Identify traffic from specific to general.
2. Create VLAN maps using numbered compound statements. The numbered statements are executed in ascending order and identify the appropriate action for each address range (action forward, action drop).
3. Apply the VLAN map using a VLAN filter. Identify the VLAN map name and the corresponding VLAN to be filtered.
Create Named Extended ACLs
• Use specific information for authorized traffic
• Allow ----- Block ----- Default
   Switch(config)#ip access-list extended AllowAcctTraffic
   Switch(config-ext-nacl)#permit tcp 192.168.100.8 0.0.0.7 host 192.168.100.254 eq www
   Switch(config)#ip access-list extended BlockAcctTraffic
   Switch(config-ext-nacl)#permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.254 eq www
   Switch(config)#ip access-list extended DefaultAcctTraffic
   Switch(config-ext-nacl)#permit ip any any
Create VLAN Access Map
   Switch(config)# vlan access-map AcctTrafficMap 10
   Switch(config-access-map)# match ip address AllowAcctTraffic
   Switch(config-access-map)#action forward
   Switch(config-access-map)#exit
   Switch(config)# vlan access-map AcctTrafficMap 20
   Switch(config-access-map)# match ip address BlockAcctTraffic
   Switch(config-access-map)#action drop
   Switch(config-access-map)#exit
   Switch(config)# vlan access-map AcctTrafficMap 30
   Switch(config-access-map)# match ip address DefaultAcctTraffic
   Switch(config-access-map)#action forward
   Switch(config-access-map)#end
Create VLAN Filter & Apply to the Correct VLAN
   Switch(config)#vlan filter AcctTrafficMap vlan-list 100
To verify: show vlan filter
Corresponding Parts - Allow: Named ACL & VLAN Map
   Switch(config)#ip access-list extended AllowAcctTraffic
   Switch(config-ext-nacl)#permit tcp 192.168.100.8 0.0.0.7 host 192.168.100.254 eq www
   . . . . .
   Switch(config)# vlan access-map AcctTrafficMap 10
   Switch(config-access-map)# match ip address AllowAcctTraffic
   Switch(config-access-map)#action forward
   Switch(config-access-map)#exit
   . . . . .
   Switch(config)#vlan filter AcctTrafficMap vlan-list 100
Corresponding Parts - Block: Named ACL & VLAN Map
   Switch(config)#ip access-list extended BlockAcctTraffic
   Switch(config-ext-nacl)#permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.254 eq www
   . . . . .
   Switch(config)# vlan access-map AcctTrafficMap 20
   Switch(config-access-map)# match ip address BlockAcctTraffic
   Switch(config-access-map)#action drop
   Switch(config-access-map)#exit
   . . . . .
   Switch(config)#vlan filter AcctTrafficMap vlan-list 100
Corresponding Parts - Default: Named ACL & VLAN Map
   Switch(config)#ip access-list extended DefaultAcctTraffic
   Switch(config-ext-nacl)#permit ip any any
   . . . . .
   Switch(config)# vlan access-map AcctTrafficMap 30
   Switch(config-access-map)# match ip address DefaultAcctTraffic
   Switch(config-access-map)#action forward
   Switch(config-access-map)#exit
   . . . . .
   Switch(config)#vlan filter AcctTrafficMap vlan-list 100
Verify Configuration --- Test Connectivity
• To verify the configuration, use: show vlan access-map
• To test allowed or blocked connectivity, add clients with the appropriate IP addresses or use extended ping commands.
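To check which hosts the finished AcctTrafficMap policy forwards or drops before touching a switch, here is an added example (not from the slides, and not Cisco code): a small Python simulator of VLAN access-map evaluation. It assumes the slides' permit-only ACEs, first-match in ascending sequence order, and the VACL's implicit drop when no sequence matches; the test packets, the helper names (wildcard_match, evaluate, policy_report) and the two alternative maps (no default entry, block clause ahead of the allow clause) are constructed for illustration. Running it shows three things the slides leave implicit: the wildcard 192.168.100.8 0.0.0.7 covers .8 through .15, not only .9 to .15; a pool client's non-www traffic (a ping, for instance) matches neither tcp ACL and falls through to sequence 30, where it is forwarded; and without sequence 30, or with the block clause ordered first, the same hosts get the opposite verdict.

```python
"""Added example: simulate Cisco VLAN access-map (VACL) evaluation for the
AcctTrafficMap policy on the slides. Assumptions: permit-only ACEs, first
match in ascending sequence order, implicit drop when no sequence matches."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask compare: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Ace:
    """One 'permit' line of a named extended ACL."""
    proto: str                  # 'ip' matches every protocol; otherwise 'tcp', 'icmp', ...
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # None means any destination port

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        return self.dport is None or pkt.get("dport") == self.dport


# The three named ACLs from the slides ('host x' is 'x 0.0.0.0', 'any' is '0.0.0.0 255.255.255.255').
ACLS = {
    "AllowAcctTraffic":   [Ace("tcp", "192.168.100.8", "0.0.0.7",   "192.168.100.254", "0.0.0.0", 80)],
    "BlockAcctTraffic":   [Ace("tcp", "192.168.100.0", "0.0.0.255", "192.168.100.254", "0.0.0.0", 80)],
    "DefaultAcctTraffic": [Ace("ip",  "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")],
}

# vlan access-map AcctTrafficMap: (sequence, ACL named in 'match ip address', action)
ACCT_TRAFFIC_MAP = [
    (10, "AllowAcctTraffic", "forward"),
    (20, "BlockAcctTraffic", "drop"),
    (30, "DefaultAcctTraffic", "forward"),
]


def evaluate(vlan_map, pkt: dict, acls=ACLS) -> str:
    """Return 'forward' or 'drop' for pkt: the first sequence whose ACL permits it wins."""
    for _seq, acl_name, action in sorted(vlan_map):
        if any(ace.matches(pkt) for ace in acls[acl_name]):
            return action
    return "drop"  # no sequence matched: VACL implicit drop


def www(src: str) -> dict:
    """Constructed test packet: TCP port 80 from src to the Accounting Server."""
    return {"proto": "tcp", "src": src, "dst": "192.168.100.254", "dport": 80}


def ping(src: str) -> dict:
    """Constructed test packet: ICMP from src to the Accounting Server."""
    return {"proto": "icmp", "src": src, "dst": "192.168.100.254"}


def policy_report() -> dict:
    """Verdicts for constructed packets under the slides' map and two variants."""
    no_default = [clause for clause in ACCT_TRAFFIC_MAP if clause[0] != 30]   # sequence 30 omitted
    block_first = [(10, "BlockAcctTraffic", "drop"),                          # block ordered before allow
                   (20, "AllowAcctTraffic", "forward"),
                   (30, "DefaultAcctTraffic", "forward")]
    return {
        "supervisor_www":         evaluate(ACCT_TRAFFIC_MAP, www("192.168.100.9")),
        "dot8_www":               evaluate(ACCT_TRAFFIC_MAP, www("192.168.100.8")),   # 0.0.0.7 starts at .8
        "pool_client_www":        evaluate(ACCT_TRAFFIC_MAP, www("192.168.100.50")),
        "pool_client_ping":       evaluate(ACCT_TRAFFIC_MAP, ping("192.168.100.50")),  # only www is blocked
        "outside_www":            evaluate(ACCT_TRAFFIC_MAP, www("10.1.1.5")),
        "outside_www_no_default": evaluate(no_default, www("10.1.1.5")),
        "supervisor_block_first": evaluate(block_first, www("192.168.100.9")),
    }


if __name__ == "__main__":
    for name, verdict in policy_report().items():
        print(f"{name:26s} {verdict}")
```

The report mirrors the extended-ping tests the slides suggest: a supervisor's www request is forwarded, a pool client's www request is dropped, and an outside client is forwarded only because sequence 30 exists. If the block ACL should cover every protocol rather than only tcp www, that change belongs in BlockAcctTraffic, and the simulator makes the effect visible before it is applied to VLAN 100.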