Filtering traffic with vlan access list

Topology

[Topology diagram]

Lab setup

  1. Linux 2 belongs to VLAN 10. Linux 3 and Linux 4 belong to VLAN 20.
  2. The Router is the DHCP server for VLAN 10 and VLAN 20.
  3. A default route points from the Router to the internet, where the web application DVWA resides.
  4. VLAN 10 uses subnet 10.10.10.0/24 and VLAN 20 uses subnet 10.20.20.0/24.

Damn Vulnerable Web Application (DVWA)

The web app is accessed from Linux 2, which belongs to VLAN 10.

[Screenshot: DVWA]

Lab objective

Use a VLAN access list to prevent hosts in VLAN 20 from accessing DVWA.

Host addresses: Linux 3 – 10.20.20.3, Linux 4 – 10.20.20.4, Linux 2 – 10.10.10.2

Lab Configuration

    1. Define the access list that matches the traffic to block (VLAN 20 subnet to the DVWA host on TCP port 80).

ip access-list extended block_vlan20_dvwa
 permit tcp 10.20.20.0 0.0.0.255 host 172.16.10.21 eq www

    2. Define the access list that matches all other traffic.

ip access-list extended allowed-others
 permit ip any any

    3. Define the VLAN access-map.

vlan access-map vacl20 10
 match ip address block_vlan20_dvwa
 action drop
vlan access-map vacl20 20
 match ip address allowed-others
 action forward

Sequence 10 drops traffic from the VLAN 20 subnet to DVWA; sequence 20 forwards the rest.

    4. Apply the VLAN access-map to VLAN 20.

vlan filter vacl20 vlan-list 20
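The evaluation order the four steps rely on, modelled in Python as an added example (not part of the original post and not a Cisco tool): a permit entry in the matched ACL selects traffic, the access-map action decides what happens to it, and traffic that matches no map entry is dropped, which is why the allowed-others entry is needed. The addresses and names are the lab's; the packet dictionaries are constructed.

```python
import ipaddress

# Cisco wildcard mask: a 1 bit means "ignore this bit", a 0 bit means "must match".
def wildcard_match(addr, base, wildcard):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

# ACE = (permit, proto, (src_base, src_wc), (dst_base, dst_wc), dst_port or None)
ANY = ("0.0.0.0", "255.255.255.255")
ACLS = {
    "block_vlan20_dvwa": [(True, "tcp", ("10.20.20.0", "0.0.0.255"),
                           ("172.16.10.21", "0.0.0.0"), 80)],   # "eq www"
    "allowed-others": [(True, "ip", ANY, ANY, None)],
}
# "vlan access-map vacl20 <seq>": (sequence, matched ACL, action), in order.
VACL20 = [(10, "block_vlan20_dvwa", "drop"), (20, "allowed-others", "forward")]
# "vlan filter vacl20 vlan-list 20": the map is applied to VLAN 20 only.
VLAN_FILTER = {20: VACL20}

def ace_matches(ace, pkt):
    _permit, proto, src, dst, dport = ace
    return ((proto == "ip" or proto == pkt["proto"])
            and (dport is None or pkt.get("dport") == dport)
            and wildcard_match(pkt["src"], *src)
            and wildcard_match(pkt["dst"], *dst))

def acl_selects(acl, pkt):
    """First matching ACE wins; a permit ACE selects the packet for the map
    entry's action, and the ACL's implicit deny means 'not selected'."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0]
    return False

def vacl_action(access_map, pkt):
    """Walk the map entries in sequence order; a packet matching none is dropped."""
    for _seq, acl_name, action in access_map:
        if acl_selects(ACLS[acl_name], pkt):
            return action
    return "drop"

def switch_decision(pkt, vlan):
    """Traffic in a VLAN that has no vlan filter is forwarded without VACL checks."""
    access_map = VLAN_FILTER.get(vlan)
    return vacl_action(access_map, pkt) if access_map else "forward"

if __name__ == "__main__":
    web = {"proto": "tcp", "dport": 80, "dst": "172.16.10.21"}  # constructed flows to DVWA
    print(switch_decision({**web, "src": "10.20.20.3"}, 20))   # drop
    print(switch_decision({**web, "src": "10.10.10.2"}, 10))   # forward
```

Dropping sequence 20 from VACL20 makes every non-matching flow in VLAN 20 hit the implicit drop, so a quick check of the map before applying it saves a lost-connectivity outage.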

Result

VLAN 10 can access DVWA; VLAN 20 cannot.

[Screenshots: access results from VLAN 10 and VLAN 20]


One Response to Filtering traffic with vlan access list

  1. Brijesh Patel says:

    Hi,

    It is a good effort, but basically the article will be more useful if it explains why we need this and gives a description or info about the commands.

    Thanks

    Brijesh Patel
