Vlan – Virtual LAN
ACL – Access Control List
This article explains how to control the data flows inside a Vlan.
As I have repeated plenty of times:
1 Vlan – 1 network address range!
But how do we make sure that our Vlan only carries the network we have defined for it?
– I have a switch and two customers.
– I decide that Vlan 10 will be my client Vlan.
– Vlan 10 carries the network 192.168.10.0 /24
– So that my customers can change ports as they please, I choose to put all my ports in Vlan 10:
(We agree, this is a bad decision from a security point of view)
SW-01(config)# interface range fa 0/1 - 24
SW-01(config-if-range)# description CLIENTS
SW-01(config-if-range)# switchport mode access
SW-01(config-if-range)# switchport access vlan 10
Imagine that two interns want to play a bit of Counter-Strike over the LAN 🙂
They just have to:
– Plug into the switch,
– Make sure they are in the same Vlan,
– Pick a random network address range, and it's done 😉
(They have no gateway and cannot talk to anyone else, but for what they want to do, it doesn't matter)
We can't block them with ACLs on the Vlan interface, because their traffic never goes through it: they are not part of the same network. So how do we do it?
This is where VACLs come in!!!!!
– They filter the flows internal to a Vlan
– 1 Vlan – 1 subnet
– ACLs applied to Vlan interfaces cannot filter flows internal to a Vlan
Where do I apply my VACL?
– On every Layer 2 and Layer 3 switch that carries the Vlan concerned
Vlan 10 carries the network 192.168.10.0 /24
I want my Vlan to carry only this network
Switch(config)# ip access-list extended VLAN10
Switch(config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map MAP-VLAN10 10
Switch(config-access-map)# match ip address VLAN10
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan access-map MAP-VLAN10 20
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vlan filter MAP-VLAN10 vlan-list 10
Step 1: Create an ACL
To apply an ACL to a Vlan, you first have to create that access-list!!!
Switch(config)# ip access-list extended VLAN10
Switch(config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 any
Switch(config-ext-nacl)# exit
You can create access-lists:
For more details on ACLs, see the article on access-lists.
Step 2: Create an Access-map
Switch(config)# vlan access-map [map-name] [sequence-number]
map-name – Name of the access-map, it's up to you!
sequence-number – Just like an ACL, our access-map has sequence numbers, which the switch goes through in order:
– I look at sequence 1 – Does it match the frame/packet? No
– I look at sequence 2 – Does it match the frame/packet? No
– I look at sequence 3 – Does it match the frame/packet? No
– I look at sequence 4 – Does it match the frame/packet? Yes
I stop looking at the remaining sequences and do what the access-list or the access-map tells me to do.
Step 3: Attach the ACL to the Access-Map
Switch(config-access-map)# match ip address [ACL-name | ACL-number]
Switch(config-access-map)# match mac address [ACL-name]
Step 4: Choose what to do with this frame/packet
Switch(config-access-map)# action [drop | forward]
– Drop – I throw the frame in the trash
– Forward – I transmit the frame normally
Step 5: Apply the Access-Map to a Vlan
Switch(config)# vlan filter [map-name] vlan-list [vlan-number]
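To make the lookup order of steps 2 to 5 concrete, here is a small Python model of the MAP-VLAN10 map built above. It is an added illustration, not code from the article or from Cisco: it implements the wildcard-mask match of the ACL, walks the access-map sequences in order and stops at the first hit, then runs a few constructed Vlan 10 frames through it, including two from the interns' random range (10.13.37.0/24 is an assumed value).

```python
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# A wildcard mask is the inverse of a subnet mask: a 0 bit means "must match",
# a 1 bit means "don't care". 0.0.0.255 therefore covers the whole /24.
def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF          # bits the ACL actually compares
    return (a & care) == (n & care)

# Extended ACL VLAN10 as (action, source network, source wildcard) entries,
# evaluated top-down with the implicit "deny any" IOS adds at the end.
ACL_VLAN10 = [("permit", "192.168.10.0", "0.0.0.255")]

def acl_permits(acl: List[Tuple[str, str, str]], src_ip: str) -> bool:
    for action, net, wc in acl:
        if wildcard_match(src_ip, net, wc):
            return action == "permit"
    return False                    # implicit deny

# Access-map MAP-VLAN10 as (sequence, acl or None, action). A sequence with
# no match clause matches every packet, which is how sequence 20 catches
# everything that sequence 10 did not forward.
MAP_VLAN10 = [(10, ACL_VLAN10, "forward"), (20, None, "drop")]

def vacl_action(access_map, src_ip: str) -> Tuple[Optional[int], str]:
    """First sequence whose match clause hits wins; later ones are ignored.
    If nothing matches, IOS drops IP packets once an IP match clause exists
    in the map, so that default is modelled here as well."""
    for seq, acl, action in sorted(access_map, key=lambda e: e[0]):
        if acl is None or acl_permits(acl, src_ip):
            return seq, action
    return None, "drop"

# Constructed sample frames seen on Vlan 10 (source, destination):
# two legitimate clients, then the interns on their own random range.
SAMPLE_PACKETS = [
    ("192.168.10.25", "192.168.10.1"),
    ("192.168.10.200", "192.168.10.25"),
    ("10.13.37.1", "10.13.37.2"),
    ("10.13.37.2", "10.13.37.1"),
]

def filter_vlan10(packets) -> List[Tuple[str, Optional[int], str]]:
    """Apply MAP-VLAN10 to each frame; returns (source, sequence, action)."""
    return [(src, *vacl_action(MAP_VLAN10, src)) for src, _dst in packets]

if __name__ == "__main__":
    for src, seq, action in filter_vlan10(SAMPLE_PACKETS):
        print(f"{src:>15}  seq {seq}  -> {action}")
```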
When are VACLs applied?
I hope this article has been helpful to you! Don't hesitate to let me know!!
This site has other networking articles, take the opportunity to browse the menu bar!