Cisco Access Control List (how to isolate vlan, acl, and vacl)

Source: Internet
Author: User


What is the difference between an ACL and a VACL when controlling traffic between Cisco VLANs? A router ACL is applied to the VLAN's virtual interface (the SVI) with ip access-group, exactly as an ACL is applied to a physical routed port. A VLAN access control list (VACL), also called a VLAN access map, works differently: it is applied to all traffic in a VLAN, frames bridged within it as well as packets routed into or out of it, and it can also filter on Ethertype and MAC address to keep unauthorized frames out of the VLAN. Three VACL actions are supported: forward, drop, and redirect.
VACLs are used less often. Keep the following points in mind when configuring them:
1) As with an ACL, there is an implicit deny at the end: an IP packet that matches no sequence of the access map is dropped. (Packet types for which the map has no match clause at all, for example non-IP frames when only "match ip address" is used, are forwarded.)
2) A VACL has no inbound or outbound direction; it is checked for every packet that is bridged within the VLAN or routed into or out of it.
3) If the router ACL permits a flow but the VACL drops it, the flow is dropped; the VACL is evaluated first.
4) VACL rules are applied before routing-stage processing such as NAT.
5) One VACL can be applied to several VLANs, but a VLAN can have only one VACL.
6) A VACL takes effect only once the VLAN it is applied to is active; until then its status shows as inactive.

The following example uses a Cisco Catalyst 3550 to show the two implementations. The network has three VLANs, vlan10, vlan20 and vlan30, whose virtual interfaces have the addresses 192.168.10.1/24, 192.168.20.1/24 and 192.168.30.1/24. Access control requirement: vlan10 and vlan20 must not be able to reach each other, but both may reach vlan30.

(1) Inter-VLAN access control with a router ACL

********* VLAN configuration *********
Switch(config)# vlan 10                                   // create VLAN 10
Switch(config-vlan)# vlan 20
Switch(config-vlan)# vlan 30
Switch(config-vlan)# int vlan 10
Switch(config-if)# ip address 192.168.10.1 255.255.255.0  // address of the vlan10 virtual interface
Switch(config-if)# int vlan 20
Switch(config-if)# ip address 192.168.20.1 255.255.255.0
Switch(config-if)# int vlan 30
Switch(config-if)# ip address 192.168.30.1 255.255.255.0

********* ACL configuration *********
Switch(config)# access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
Switch(config)# access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255

********* Apply the ACLs to the VLAN interfaces *********
Switch(config)# int vlan 10
Switch(config-if)# ip access-group 101 in
Switch(config)# int vlan 20
Switch(config-if)# ip access-group 102 in

The ACL is applied inbound on the SVI, so it only sees packets that leave the VLAN toward the router: vlan10 may send only to vlan30, the implicit deny blocks vlan10 to vlan20, and replies from vlan30 enter through interface vlan 30, which carries no ACL. Note that the implicit deny also blocks packets from vlan10 hosts to the SVI's own address 192.168.10.1 (a ping to the gateway, for example); add a permit for that if it is needed.

(2) Inter-VLAN access control with a VACL

********* VLAN configuration *********
(same as above)

********* ACL configuration *********
Switch(config)# access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
Switch(config)# access-list 101 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
Switch(config)# access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
Switch(config)# access-list 102 permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255

(The difference: because a VACL does not distinguish inbound from outbound, the ACL must permit every IP flow allowed through the VLAN in both directions. vlan10 is allowed to talk to vlan30 and the traffic is bidirectional, so the return traffic from the vlan30 subnet to vlan10 must be permitted as well.)

Step 1: configure the VLAN access maps
Switch(config)# vlan access-map test1               // define a VLAN access map named test1
Switch(config-access-map)# match ip address 101     // match IP packets against ACL 101
Switch(config-access-map)# action forward           // forward matching packets; IP packets matching no sequence are dropped
Switch(config)# vlan access-map test2               // define a VLAN access map named test2
Switch(config-access-map)# match ip address 102     // match IP packets against ACL 102
Switch(config-access-map)# action forward

Step 2: apply the VACLs
Switch(config)# vlan filter test1 vlan-list 10      // apply test1 to vlan10
Switch(config)# vlan filter test2 vlan-list 20      // apply test2 to vlan20

One caveat: the VACL is also evaluated for traffic bridged inside the VLAN, so with the ACLs above, IP traffic between two hosts in vlan10 (and from vlan10 hosts to 192.168.10.1) is dropped too. If that is not intended, add an entry that permits the VLAN's own subnet to itself, for example access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255.

Those are the two simple configurations. In my experience, access control between VLANs is easier to implement with a router ACL on the SVI, but when the ports of a VLAN are scattered across the network a VACL is much more convenient. The precondition is that the switch supports VACLs; at the time of writing that means the Cisco Catalyst 3550, 4500 and 6500 series.
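To make the difference concrete without a switch, here is an added Python model (not part of the original article and not Cisco code) that evaluates the two configurations above against a handful of constructed flows. It assumes the topology above, models only the "ip" entries of numbered ACLs with first-match semantics and an implicit deny, treats an inbound SVI ACL as seen only by packets that enter the SVI, and treats a VLAN map as checked in every VLAN a packet is bridged in or routed through; non-IP traffic such as ARP is ignored.

```python
"""Constructed model of the article's two Catalyst 3550 designs (router ACL
on the SVI versus VLAN access map), evaluated on sample IPv4 flows. Only
'ip' ACEs are modelled; non-IP traffic such as ARP is ignored."""
import ipaddress

# Topology from the article: one SVI per VLAN.
VLAN_SUBNETS = {10: ipaddress.ip_network("192.168.10.0/24"),
                20: ipaddress.ip_network("192.168.20.0/24"),
                30: ipaddress.ip_network("192.168.30.0/24")}
SVI_ADDRS = {ipaddress.IPv4Address(a)
             for a in ("192.168.10.1", "192.168.20.1", "192.168.30.1")}
# The article's ACLs, wildcard masks written out in full.
ROUTER_ACL_CONFIG = [
    "access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255",
    "access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255",
]
VACL_CONFIG = [
    "access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255",
    "access-list 101 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255",
    "access-list 102 permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255",
]
SVI_INBOUND = {10: 101, 20: 102}   # 'ip access-group N in' on interface vlan N
VLAN_FILTER = {10: 101, 20: 102}   # 'vlan filter testX vlan-list N', map matches ACL N

# Constructed sample flows: (source host, destination host).
FLOWS = {
    "vlan10 -> vlan30": ("192.168.10.5", "192.168.30.5"),
    "vlan30 -> vlan10": ("192.168.30.5", "192.168.10.5"),
    "vlan10 -> vlan20": ("192.168.10.5", "192.168.20.5"),
    "vlan20 -> vlan10": ("192.168.20.5", "192.168.10.5"),
    "vlan20 -> vlan30": ("192.168.20.5", "192.168.30.5"),
    "vlan10 host -> vlan10 host": ("192.168.10.5", "192.168.10.6"),
    "vlan10 host -> own SVI": ("192.168.10.5", "192.168.10.1"),
}

def _addr_spec(tokens):
    """Consume 'any' or 'A WILDCARD'; return ((network, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]

def parse_acls(lines):
    """'access-list N permit|deny ip SRC DST' -> {N: [(action, src, dst), ...]}."""
    acls = {}
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, rest = _addr_spec(t[4:])
        dst, _ = _addr_spec(rest)
        acls.setdefault(int(t[1]), []).append((t[2], src, dst))
    return acls

def _wild_match(addr, spec):
    net, wildcard = spec  # wildcard bits set to 1 are "don't care"
    return (int(addr) ^ net) & ~wildcard & 0xFFFFFFFF == 0

def acl_action(acl, src, dst):
    """First matching ACE wins; no match is the implicit 'deny ip any any'."""
    for action, s, d in acl:
        if _wild_match(src, s) and _wild_match(dst, d):
            return action
    return "deny"

def vlan_of(addr):
    return next(v for v, net in VLAN_SUBNETS.items() if addr in net)

def router_acl_verdict(acls, src, dst):
    """An inbound ACL on the SVI is consulted only for packets that enter the
    SVI: those routed to another VLAN or addressed to the SVI itself."""
    in_vlan = vlan_of(src)
    if in_vlan == vlan_of(dst) and dst not in SVI_ADDRS:
        return "forward"  # bridged inside the VLAN; the SVI never sees it
    number = SVI_INBOUND.get(in_vlan)
    if number is None or acl_action(acls[number], src, dst) == "permit":
        return "forward"
    return "drop"

def vacl_verdict(acls, src, dst):
    """A VLAN map ('match ip address N' / 'action forward') is checked in
    every VLAN the packet is bridged in or routed through, in either
    direction; an IP packet that matches no sequence is dropped."""
    for vlan in {vlan_of(src), vlan_of(dst)}:
        number = VLAN_FILTER.get(vlan)
        if number is not None and acl_action(acls[number], src, dst) != "permit":
            return "drop"
    return "forward"

def compare():
    """Return {flow label: (router ACL verdict, VACL verdict)}."""
    r_acls, v_acls = parse_acls(ROUTER_ACL_CONFIG), parse_acls(VACL_CONFIG)
    out = {}
    for label, (s, d) in FLOWS.items():
        s, d = ipaddress.IPv4Address(s), ipaddress.IPv4Address(d)
        out[label] = (router_acl_verdict(r_acls, s, d), vacl_verdict(v_acls, s, d))
    return out

if __name__ == "__main__":
    for label, (racl, vacl) in compare().items():
        print(f"{label:28s} router ACL: {racl:8s} VACL: {vacl}")
```

Running it shows that both designs satisfy the inter-VLAN requirement (vlan10 and vlan20 isolated from each other, both reaching vlan30, replies allowed) but differ on traffic that never leaves the VLAN: two hosts in vlan10 can talk under the router ACL and are dropped under the VACL, and under both designs a vlan10 host cannot reach 192.168.10.1 because neither ACL permits that destination.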
 
