VLAN Access Control Lists configuration on Cisco Switch

In this post I will cover Vlan access control lists (VACLs), is also called VLAN access Map or VLAN Map. A VLAN Access-map allows us to filter incoming and outgoing traffic in a switch VLAN. VLAN access-list configuration is very similar to the Route-map configuration.

You have to place the Vlan access-map on the whole Vlan When you want to filter traffic that is moving from one VLAN to anotherVLAN, which means that the incoming and outgoing traffic in a Vlan are filterd by the VLan access-map. We can apply a VLAN access-map to a Layer3 access-list and also to a mac access-list.

We know that the usual access control list (ACL), which is the most well known concept, has an implied DENY IP ANY ANY at the end. Of course, a VACL has the same implied deny statement, but this is not recommended, because a normal ACL checks only Layer 3 packet traffic, therefore it doesn’t block Layer 2 protocols like STP, VTP, ARP etc. On the other hand, a VLAN access-map blocks L2 protocols (in addition to Layer3), if we don’t explicitly allow them. That’s why it’s not recommended to have an implicit deny all at the end.

Cisco VLAN Access Control Lists Configuration Example

Let’s find the below example, we have two Routers R1 and R2 & two Switches SW1 and SW2. Notice the Fast Ethernet interfaces of R1 and R2 are within the same VLAN (VLAN 10). So, based on the theory we have discussed, we will need a VACL if we want to filter the ability of R1 to communicate with R2. For this experiment, let us use Telnet. Before we begin, let me try Telnetting from R1 to R2. We want to ensure that works before we try and prevent that capability with a VACL.







Check a Service Before Blocking With VACL

1. Before starting configuration, let’s check if telnet works from R1.

Trying … Open
User Access Verification
[Connection to closed by foreign host]

As we see, telnet is working fine and we can able to connect other end Router R2.  So now we need to place VLAN access-map configuration which will block telnet and permit everything else. Let us be very specific and create a VACL that denies the ability of R1 to Telnet to R2. Notice, we want to be very specific, other services will not effected and should work correctly.

Define a Exact Traffic in Access Control List

2. I begin the scenario configuration with an Access Control List that will define the exact traffic we are interested in preventing. Notice I am using a permit Access Control List Entry (ACE) to specify the traffic, but I will end up denying it later on in the VACL structure.

Cisco-Switch-2(config)#ip access-list extended  restrict_telnet_R1_R2
Cisco-Switch-2(config-ext-nacl)#permit tcp host host eq 23

Configure VLAN Access Map

3. After this we’ll create a vlan access-map, which has two main parameters: action and match.

Match: by this parameter the interesting traffic is matched and here RACL or MAC ACL can be applied as well.

Action: what to do with matched traffic. Two main parameters exist: Drop and Forward. In case of Drop, matched traffic will be dropped, and in case of forward, matched traffic will be allowed. Also, on High-End devices, a Redirect and Capture parameters also exist in the Action statement.

In our case we must block matched traffic and permit all the rest.

Cisco-Switch-2 (config-ext-nacl)#vlan access-map VACL 10
Cisco-Switch-2 (config-access-map)#action drop
Cisco-Switch-2 (config-access-map)#match ip address restrict_telnet_R1_R2
Cisco-Switch-2 (config-access-map)#vlan access-map VACL 20
Cisco-Switch-2 (config-access-map)#action forward
Cisco-Switch-2 (config-access-map)#exit

Apply VLAN Access Map to Specfic VLAN

4. After creating the VLAN access-map, it should be applied to a VLAN or VLANs. In this case we’ll apply it to VLAN 10 which is specified by “vlan-list 10”.

Cisco-Switch-2 (config)#vlan filter VACL vlan-list 10

Check VLAN Access Control List Status

5. Now configuration finished. Let’s see if telnet is blocked and ping works.

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Trying …
% Connection timed out; remote host not responding
As we see, ping is okay from Router R1 to Router 2 but telnet is blocked as we planned.

Filed Under: VLAN/VTP


About the Author:

RSSComments (2)

Leave a Reply | Trackback URL

  1. B says:

    “That’s why it’s recommended to have an implicit deny all at the end.”
    I think you meant, “That’s why it’s not recommended”…

Leave a Reply

If you want a picture to show with your comment, go get a Gravatar.