Filtering traffic with vlan access list

Topology

[Topology diagram: vacl1]

Lab setup

  1. Linux 2 belongs to VLAN 10. Linux 3 and 4 belong to VLAN 20.
  2. Router is the DHCP server for VLAN 10 and 20.
  3. A default route goes from Router to the internet, where the web application DVWA resides.
  4. VLAN 10 subnet 10.10.10.0/24 and VLAN 20 subnet 10.20.20.0/24.

Damn Vulnerable Web Application (DVWA)

The web app is accessed from Linux 2 which belongs to vlan 10.

[Screenshot: DVWA opened from Linux 2 (dvwa_1)]

Lab objective

Use a VLAN access list (VACL) to prevent hosts in VLAN 20 from accessing DVWA.

Linux 3 – 10.20.20.3, Linux 4 – 10.20.20.4, Linux 2 – 10.10.10.2

Lab Configuration

    1. Define the access list that selects the traffic to block: the VLAN 20 subnet talking to the DVWA host on TCP port 80 (www).

ip access-list extended block_vlan20_dvwa
 permit tcp 10.20.20.0 0.0.0.255 host 172.16.10.21 eq www

    2. Define the access list that selects everything else.

ip access-list extended allowed-others
 permit ip any any

    3. Define the VLAN access-map.

vlan access-map vacl20 10
 match ip address block_vlan20_dvwa
 action drop
vlan access-map vacl20 20
 match ip address allowed-others
 action forward

Sequence 10 drops the traffic that block_vlan20_dvwa permits, i.e. packets from the VLAN 20 subnet to DVWA on TCP port 80. Sequence 20 forwards the traffic that allowed-others permits, i.e. all other IP traffic. Inside a VLAN access-map the ACL's permit statements only select traffic; the action keyword decides whether that traffic is dropped or forwarded, and a packet that matches no sequence is dropped by the access-map's implicit deny. That is why the explicit forward clause in sequence 20 is required: without it, all other VLAN 20 traffic would be dropped as well.

    4. Apply the VLAN access-map to VLAN 20.

vlan filter vacl20 vlan-list 20
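The following is an added example, not code from the original post. It is a small Python model of how the switch evaluates the configuration above: the ACLs select traffic, the access-map sequences are walked in order, a packet no sequence selects is dropped, and the filter only applies to the VLANs named in vlan filter. The parser handles only the IOS syntax used in this lab, the DVWA address 172.16.10.21 is the one the lab's ACL uses, and the sample packets are constructed from the lab's host addresses.

```python
import ipaddress
from collections import namedtuple

# Constructed copy of the lab configuration (172.16.10.21 is the DVWA address the
# lab's ACL uses). The functions below model how IOS evaluates it; they are not IOS.
CONFIG = """
ip access-list extended block_vlan20_dvwa
 permit tcp 10.20.20.0 0.0.0.255 host 172.16.10.21 eq www
ip access-list extended allowed-others
 permit ip any any
vlan access-map vacl20 10
 match ip address block_vlan20_dvwa
 action drop
vlan access-map vacl20 20
 match ip address allowed-others
 action forward
vlan filter vacl20 vlan-list 20
"""
PORT_NAMES = {"www": 80}  # the only port keyword this toy parser needs
Packet = namedtuple("Packet", "vlan proto src dst dport")

def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)  # wildcard = inverted mask
    return ipaddress.ip_network(f"{t}/{netmask}", strict=False)

def parse_config(text):
    """Return (acls, access_maps, filters): ACL clauses, ordered map entries, vlan -> map name."""
    acls, maps, filters = {}, {}, {}
    current_acl, entry = None, None
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[:3] == ["ip", "access-list", "extended"]:
            current_acl, entry = tok[3], None
            acls[current_acl] = []
        elif tok[:2] == ["vlan", "access-map"]:
            current_acl = None
            entry = {"seq": int(tok[3]), "acl": None, "action": None}
            maps.setdefault(tok[2], []).append(entry)
        elif tok[:2] == ["vlan", "filter"]:
            for vid in tok[4].split(","):
                filters[int(vid)] = tok[2]
        elif tok[0] in ("permit", "deny") and current_acl:
            rest = tok[2:]
            src, dst = _parse_addr(rest), _parse_addr(rest)
            dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
            acls[current_acl].append((tok[0], tok[1], src, dst, dport))
        elif tok[:3] == ["match", "ip", "address"]:
            entry["acl"] = tok[3]
        elif tok[0] == "action":
            entry["action"] = tok[1]
    return acls, maps, filters

def acl_selects(acl, pkt):
    """True when the ACL permits the packet. In a VACL 'permit' means 'selected for
    the clause's action'; a deny (or the ACL's implicit deny) means 'not selected'."""
    for verdict, proto, src, dst, dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in src or ipaddress.ip_address(pkt.dst) not in dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return verdict == "permit"
    return False

def vacl_verdict(acls, access_map, pkt):
    """Lowest matching sequence wins; a packet no clause selects is dropped (implicit deny)."""
    for entry in sorted(access_map, key=lambda e: e["seq"]):
        if entry["acl"] and acl_selects(acls[entry["acl"]], pkt):
            return entry["action"]
    return "drop"

def evaluate(config_text, packets):
    """Apply the 'vlan filter' bindings: a packet on a VLAN with no filter is forwarded as-is."""
    acls, maps, filters = parse_config(config_text)
    verdicts = []
    for pkt in packets:
        map_name = filters.get(pkt.vlan)
        verdicts.append(vacl_verdict(acls, maps[map_name], pkt) if map_name else "forward")
    return verdicts

# Constructed test traffic using the lab's host addresses.
SAMPLE_PACKETS = [
    Packet(20, "tcp", "10.20.20.3", "172.16.10.21", 80),   # Linux 3 -> DVWA: drop
    Packet(10, "tcp", "10.10.10.2", "172.16.10.21", 80),   # Linux 2, VLAN 10 is unfiltered: forward
    Packet(20, "tcp", "10.20.20.4", "172.16.10.21", 443),  # VLAN 20 -> DVWA:443, seq 10 wants 80: forward
    Packet(20, "udp", "10.20.20.3", "10.20.20.1", 53),     # VLAN 20 DNS to its gateway: forward
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, evaluate(CONFIG, SAMPLE_PACKETS)):
        print(f"vlan {pkt.vlan} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}  {verdict}")
```

The third sample packet is the caveat worth noticing: the lab's ACL selects only TCP port 80, so a copy of DVWA served on any other port would not be dropped by this VACL. Removing sequence 20 and re-running shows the implicit deny: the DNS packet, which nothing selects, is then dropped.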

Result
VLAN 10 can access DVWA; VLAN 20 cannot. Because the ACL matches only TCP port 80 to the DVWA host, other traffic from VLAN 20, including traffic to DVWA on any other port, is still forwarded by sequence 20.

[Screenshots: dvwa2, dvwa3]


One thought on “Filtering traffic with vlan access list”

Hi,

It is a good effort, but basically the article will be more useful if it explains why we need this and gives a description or info about the commands.

Thanks

Brijesh Patel
