VACL: Restricting access using Vlan ACL.

by Cyrus Lok on Tuesday, June 8, 2010 at 11:28pm
Create an access list that matches the traffic you want to keep the VLAN from reaching. In this example I want to stop VLANs 30 and 40 from accessing FTP, WWW and Telnet:

3550-1(config)#ip access-list extended vacl-ftp-www-telnet
3550-1(config-ext-nacl)#permit tcp any any eq www
3550-1(config-ext-nacl)#permit tcp any any eq ftp
3550-1(config-ext-nacl)#permit tcp any any eq telnet

3550-1(config)#vlan access-map vlan-deny-access
3550-1(config-access-map)#match ip address vacl-ftp-www-telnet
3550-1(config-access-map)#action drop
3550-1(config-access-map)#exit

Apply the VACL to the VLAN(s):
3550-1(config)#vlan filter vlan-deny-access vlan-list 30 , 40

3550-1(config)#vlan filter vlan-deny-access vlan-list 20 ?
, comma
- hyphen

As the help output above shows, a VLAN ACL can be applied to a single VLAN, to a comma-separated list of VLANs, or to a hyphenated range of VLANs.
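The following Python script is an added example and is not part of the original post or of Cisco's own tooling. It audits the kind of configuration built above by parsing a constructed running-config fragment (the access-map, the vlan filter lines, and the vlan-list syntax with both comma lists and hyphen ranges) and reports, per VLAN, which map applies and which ACLs it drops. It also flags the check a practitioner wants here: on Catalyst switches a packet that matches no entry of the applied VLAN map is dropped, so a map whose only entry is "action drop" blocks all other traffic in those VLANs too unless a later sequence with "action forward" and no match clause is added. The sample config, the second map name "vlan-deny-access-ok" and the VLAN numbers 50-52 and 60 are constructed for this example.

```python
"""Audit Cisco IOS VLAN access-maps from a running-config fragment.

Added example: the config text below is constructed to mirror the post's
commands plus a second map that ends with a catch-all 'action forward'.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample (not captured from a real switch).
SAMPLE_CONFIG = """\
ip access-list extended vacl-ftp-www-telnet
 permit tcp any any eq www
 permit tcp any any eq ftp
 permit tcp any any eq telnet
!
vlan access-map vlan-deny-access 10
 match ip address vacl-ftp-www-telnet
 action drop
!
vlan access-map vlan-deny-access-ok 10
 match ip address vacl-ftp-www-telnet
 action drop
vlan access-map vlan-deny-access-ok 20
 action forward
!
vlan filter vlan-deny-access vlan-list 30 , 40
vlan filter vlan-deny-access-ok vlan-list 50-52,60
"""


@dataclass
class MapEntry:
    seq: int
    matches: list = field(default_factory=list)  # (type, acl-name) pairs
    action: str = "unset"  # sample entries always set it explicitly


def parse_vlan_list(spec: str) -> list[int]:
    """Expand the vlan-list syntax the CLI help shows: '30 , 40' or '50-52'."""
    vlans: list[int] = []
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.extend(range(int(lo), int(hi) + 1))
        else:
            vlans.append(int(part))
    return vlans


def parse_config(text: str):
    """Return ({map-name: {seq: MapEntry}}, {map-name: [vlan, ...]})."""
    maps: dict[str, dict[int, MapEntry]] = {}
    filters: dict[str, list[int]] = {}
    current: MapEntry | None = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"vlan access-map (\S+) (\d+)$", line)
        if m:
            current = MapEntry(seq=int(m.group(2)))
            maps.setdefault(m.group(1), {})[current.seq] = current
            continue
        m = re.match(r"vlan filter (\S+) vlan-list (.+)$", line)
        if m:
            filters[m.group(1)] = parse_vlan_list(m.group(2))
            current = None
            continue
        if not raw.startswith(" "):  # any other top-level line ends the map entry
            current = None
            continue
        if current is None:
            continue
        m = re.match(r"match (ip|mac) address (.+)$", line)
        if m:
            current.matches.extend((m.group(1), acl) for acl in m.group(2).split())
            continue
        m = re.match(r"action (drop|forward)$", line)
        if m:
            current.action = m.group(1)
    return maps, filters


def has_catch_all_forward(entries: dict[int, MapEntry]) -> bool:
    """True when the highest-sequence entry forwards without a match clause."""
    if not entries:
        return False
    last = entries[max(entries)]
    return last.action == "forward" and not last.matches


def audit(text: str) -> dict[int, dict]:
    """Per VLAN: the applied map, the ACLs it drops, and what happens to the rest."""
    maps, filters = parse_config(text)
    report: dict[int, dict] = {}
    for name, vlans in filters.items():
        entries = maps.get(name, {})
        dropped = [acl for e in entries.values() if e.action == "drop" for _, acl in e.matches]
        rest = "forwarded" if has_catch_all_forward(entries) else "DROPPED (no catch-all forward entry)"
        for vlan in vlans:
            report[vlan] = {"map": name, "dropped_acls": dropped, "other_traffic": rest}
    return report


if __name__ == "__main__":
    for vlan, info in sorted(audit(SAMPLE_CONFIG).items()):
        print(f"VLAN {vlan:>4}: map {info['map']} drops {', '.join(info['dropped_acls'])}; "
              f"other traffic {info['other_traffic']}")
```

Run against the post's map, the report shows VLANs 30 and 40 with all other traffic marked as dropped; the second map, which adds sequence 20 with a bare "action forward", is reported as forwarding everything it does not match. The same parser can be pointed at a real "show running-config" capture.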

To verify which VLANs the map is filtering:
3550-1#sh vlan filter
VLAN Map vlan-deny-access is filtering VLANs:
30,40

To verify the VLAN ACL configuration:
3550-1#sh vlan access-map
Vlan access-map "vlan30-deny-ftp-www-telnet" 10
  Match clauses:
    ip address: vacl-ftp-www-telnet
  Action:
    drop
Vlan access-map "vlan-deny-access" 10
  Match clauses:
    ip address: vacl-ftp-www-telnet
  Action:
    drop
