Traditional ACLs (Access Control Lists), sometimes also called RACLs (Router ACLs), let us filter traffic that passes from one network to another; in the case of VLANs, that means the traffic routed from one VLAN to another. They never filter traffic that stays within a single VLAN. And yet… it can be done…
For that we turn to VACLs (VLAN Access Control Lists). Once applied to a VLAN, a VACL lets us allow or deny the forwarding of a frame, and on some platforms can even override the switch's normal forwarding decision by redirecting the frame to a specific interface.
Here is how to configure these VACLs.
The topology

[Figure: VLAN ACL / VLAN Access-List topology diagram]

Here we have three routers, used simply as hosts in a single VLAN.
  • R1: 192.168.0.1/24
  • R2: 192.168.0.2/24
  • R3: 192.168.0.3/24

The switch (a Catalyst 3750) is the only interesting element. To keep the configuration focused on the VACLs, all of its ports are placed in VLAN 10, in access mode.
Initial configuration of the switch
3750(config)#vlan 10
3750(config-vlan)#exit
3750(config)#interface range fastEthernet1/0/1-24
3750(config-if-range)#switchport mode access
3750(config-if-range)#switchport access vlan 10
3750(config-if-range)#spanning-tree portfast
3750(config-if-range)#exit

A few routine tests: R1, R2 and R3 must be able to talk to each other without any problem…
 
R1#ping 192.168.0.2
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#
 

R1#ping 192.168.0.3
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#
 

R2#ping 192.168.0.3
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R2#
 
Now to the VACLs…
 
Objective of the configuration
 
Without VACLs, the three routers can all communicate with each other. We are going to make sure that R1 can still communicate with R2 and R3, but that R2 and R3 cannot communicate with each other.
 
Configuration of the VACL

In general, a VACL works on a principle similar to that of route-maps. It is an ordered list of entries, each with a sequence number. For each entry we identify the traffic of interest with a "match" clause and tie it to an "action", which can be one of the following three:
·         forward: the traffic is handled normally, following the switch's forwarding logic.
·         drop: the traffic is discarded.
·         redirect: the traffic is sent out a specific interface, regardless of the switch's forwarding logic. This action exists on the Catalyst 6500 family; the Catalyst 3750 used here only offers drop and forward.

The "match" clauses rely on ACLs (either IP or MAC). So that is where we must begin.
Important: like a classic ACL, a VACL ends with an implicit deny. Any packet that matches no entry of the map is dropped, so a VLAN access map without a "forward" entry blocks absolutely all traffic in the VLAN.

Step 1: Create a classic ACL to identify the traffic to be treated

Beware of the confusion: the ACL here only identifies a specific traffic. A "permit" entry must therefore match whatever we want to drop or forward, independently of the action. Here, what we want to identify is the traffic between R2 and R3, because we want to block it. So it must be a permit entry that matches it. Note that an IP ACL only tests IP packets: non-IP frames between R2 and R3, ARP for instance, are not identified by it.

3750(config)#ip access-list extended VLAN10
3750(config-ext-nacl)#permit ip host 192.168.0.2 host 192.168.0.3
3750(config-ext-nacl)#permit ip host 192.168.0.3 host 192.168.0.2
3750(config-ext-nacl)#exit
 
Step 2: Create the VACL to associate "match" with "action"
 
We now create a VLAN access map (the element that combines the matches with the actions), with two entries:
1.    The traffic matched by the ACL VLAN10 must be dropped (sequence 10).
2.    The rest of the traffic must be forwarded (sequence 20). This entry has no match clause, so it catches everything the first one did not.
 
 
3750(config)#vlan access-map VMAP-VLAN10 10
3750(config-access-map)#match ip address VLAN10
3750(config-access-map)#action drop
3750(config-access-map)#exit
3750(config)#vlan access-map VMAP-VLAN10 20
3750(config-access-map)#action forward
3750(config-access-map)#exit
 
Step 3: Apply the VACL to the desired VLAN(s)
 
All that remains is to apply these rules to VLAN 10.
 
3750(config)#vlan filter VMAP-VLAN10 vlan-list 10
 
Test the configuration

If all goes as planned, a ping between R1 and R2, or between R1 and R3, should work, while the traffic between R2 and R3 should be blocked…
 
R1#ping 192.168.0.2
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#


R1#ping 192.168.0.3
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R1#
 

R2#ping 192.168.0.3
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#
 
 
Everything works as planned! So we have managed to filter traffic within VLAN 10, something impossible with conventional ACLs.
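The map above only tests IP packets, so R2 and R3 can still exchange non-IP frames (ARP, for example). The listing below is an added example, not configuration from the original post: it extends the page's own VMAP-VLAN10 with a MAC ACL entry (sequence 15, slotted between the existing 10 and 20) so the isolation also covers those frames, then shows the verification and rollback commands. It assumes the same switch, VLAN and addresses as the page; the MAC addresses of R2 and R3 are hypothetical placeholders.

```cisco
! Added example (not from the original post). Same 3750, same VLAN 10, same hosts.
! Hypothetical MAC addresses below; "show mac address-table vlan 10" shows the real ones.

! IP half, as on the page: a permit entry identifies the traffic, the map drops it.
ip access-list extended VLAN10
 permit ip host 192.168.0.2 host 192.168.0.3
 permit ip host 192.168.0.3 host 192.168.0.2

! Layer-2 half: the non-IP frames (ARP, for instance) exchanged by the same two hosts.
! Entry 10 never sees them because an IP ACL only tests IP packets.
mac access-list extended VLAN10-L2
 permit host 0000.0c00.0002 host 0000.0c00.0003
 permit host 0000.0c00.0003 host 0000.0c00.0002

! Ordered map: entries are evaluated by sequence number, first match wins, and a packet
! matching no entry is dropped (implicit deny). Entry 15 slots in between 10 and 20.
vlan access-map VMAP-VLAN10 10
 match ip address VLAN10
 action drop
vlan access-map VMAP-VLAN10 15
 match mac address VLAN10-L2
 action drop
vlan access-map VMAP-VLAN10 20
 action forward
! Entry 20 has no match clause: it forwards everything entries 10 and 15 did not drop
! (R1's traffic and everything else in VLAN 10). Remove it and the whole VLAN goes dark.

! Apply to VLAN 10.
vlan filter VMAP-VLAN10 vlan-list 10
end

! Verify from privileged EXEC what the switch actually installed, in map order.
show vlan access-map VMAP-VLAN10
show vlan filter vlan 10
show access-lists VLAN10

! Rollback if the map locks out more than intended: removing the filter restores normal
! switching immediately while leaving the map defined for later.
! configure terminal
!  no vlan filter VMAP-VLAN10 vlan-list 10
```

After applying it, a ping from R2 to R3 still fails as on the page, but R2 no longer learns R3's MAC address either, which is what a true intra-VLAN isolation between the two hosts requires. Keep the rollback command at hand when applying a map to a VLAN you manage the switch through: the implicit deny applies to your own management traffic as well.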