This article walks through an example of configuring ACLs to secure the VLANs on a switch. Many people are not familiar with the VLAN security problem on a switch; that does not matter, because after reading this article you should have a clear picture of it.
As you know, an ACL is a table of rules. The switch evaluates these rules in sequence against every packet that enters a port, and each rule either permits or denies the packet based on its attributes (such as source address, destination address and protocol). An access list can therefore control the traffic that flows through the switch.
ACL-based control of inbound and outbound access ensures that network devices are not accessed without authorization or used as a springboard for attacks.
Configure VLAN access maps (VACLs) on the switch
Switch(config)# vlan access-map test1
// Define a VLAN access map named test1
Switch(config-access-map)# match ip address 101
// Set the matching rule to ACL 101 (ACL 101 must already be defined; its contents are not shown in this article)
Switch(config-access-map)# action forward
// Forward packets that match ACL 101; packets matched by no sequence of the map are dropped by the implicit deny at its end
Switch(config-access-map)# exit
Switch(config)# vlan access-map test2
// Define a VLAN access map named test2
Switch(config-access-map)# match ip address 102
// Set the matching rule to ACL 102 (defined beforehand, not shown here)
Switch(config-access-map)# action forward
// Forward packets that match ACL 102
Switch(config-access-map)# exit
Apply the VACLs
Switch(config)# vlan filter test1 vlan-list 10
// Apply the access map test1 configured above to VLAN 10
Switch(config)# vlan filter test2 vlan-list 20
// Apply the access map test2 configured above to VLAN 20
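As an added illustration (not part of the original article and not vendor code), the following Python model shows how a VLAN access map such as test1 evaluates a packet; the ACL contents, host addresses and the catch-all ACL number 199 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    permit: bool                 # True for "permit", False for "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "ip"            # "ip" matches any IP protocol


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


def acl_permits(entries, pkt):
    """First matching entry wins; a packet matching no entry hits the ACL's implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in entries:
        if s in e.src and d in e.dst and e.proto in ("ip", pkt.proto):
            return e.permit
    return False


def vacl_action(access_map, acls, pkt):
    """access_map is an ordered list of (acl_number, action) sequences, i.e. the
    'match ip address N' / 'action ...' pairs of a VLAN access map.  A packet
    *permitted* by a sequence's ACL takes that sequence's action; a deny entry
    means the sequence does not match and the packet falls through to the next
    sequence.  A packet permitted by no sequence is dropped (implicit deny)."""
    for acl_no, action in access_map:
        if acl_permits(acls[acl_no], pkt):
            return action
    return "drop"


# Constructed sample ACL 101 (the article does not show the real contents of ACL 101).
ACLS = {
    101: [AclEntry(False, net("10.1.10.0/24"), net("10.1.30.0/24"), "tcp"),  # deny tcp to 10.1.30.0/24
          AclEntry(True, net("10.1.10.0/24"), net("0.0.0.0/0"))],            # permit ip from 10.1.10.0/24
    199: [AclEntry(True, net("0.0.0.0/0"), net("0.0.0.0/0"))],               # constructed "permit ip any any"
}
TEST1 = [(101, "forward")]                     # the single-sequence map from the article
TEST1_WITH_CATCHALL = TEST1 + [(199, "forward")]  # same map plus an explicit catch-all sequence
```

Note that with the catch-all sequence the traffic denied in ACL 101 is still forwarded, because a deny entry only makes the sequence not match; to discard specific traffic a VACL needs a sequence whose ACL permits that traffic and whose action is drop.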
Configure private VLANs for VLAN security on the switch
Define secondary VLANs 10, 20 and 30 as community VLANs
Switch(config)# vlan 10
Switch(config-vlan)# private-vlan community
// Repeat the same two commands for VLAN 20 and VLAN 30
Define primary VLAN 100 and associate it with all of the secondary VLANs
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan primary
// VLAN 100 must be declared as the primary VLAN, not as a community VLAN
Switch(config-vlan)# private-vlan association 10,20,30
Set the mode of each port in the private VLAN to host or promiscuous, and configure the corresponding host association or promiscuous mapping.
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 30
// A host port in community VLAN 30 of primary VLAN 100; a promiscuous port uses the following instead
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 10,20,30