Learning notes: differences between inter-VLAN ACLs and VACLs

Source: Internet
Author: User
Tags: cisco, switch
Recently, I have been asked how to implement access control between VLANs on a Cisco switch. Generally, I tell the other party to apply the ACL to the virtual interface of the corresponding VLAN on a layer-3 switch; in fact, I have had no chance to practise it myself. Now we have a project that involves this requirement, so the question of how to implement access control between VLANs has come up.

Although the two names look alike, the VLAN access control list (VACL) and the inter-VLAN access control list are quite different in how they are implemented.
What we usually call inter-VLAN access control is implemented by applying an ACL directly to the VLAN's virtual interface (SVI), in the same way an ACL is applied to a physical port. The VLAN access control list (VACL), also called the VLAN access map, works differently: it is applied to all traffic within a VLAN, and it supports filtering based on EtherType and MAC address to keep unauthorized traffic out of the VLAN. Three VACL actions are currently supported: forward, drop, and redirect.
VACLs are rarely used. Pay attention to the following points during configuration:
1) The implicit final rule is deny ip any, the same as for an ACL.
2) A VACL has no inbound or outbound direction, unlike an ACL.
3) If the ACL entry is permit but the VACL action is drop, the traffic is dropped.
4) VACL rules are applied before NAT.
5) One VACL can be applied to several VLANs, but one VLAN can be associated with only one VACL.
6) A VACL takes effect only after the VLAN interface is up; otherwise its status shows as inactive.

Next, I will use a Cisco 3550 switch as an example to describe the two different inter-VLAN implementation methods in detail.

Network Topology

The network is divided into three VLANs: vlan10, vlan20, and vlan30. The IP addresses of the VLAN virtual interfaces are 192.168.10.1/24, 192.168.20.1/24, and 192.168.30.1/24, respectively.
Access control requirement: vlan10 and vlan20 must not be able to reach each other, but both may reach vlan30.

(1) Implementation through an inter-VLAN ACL
* ******* Configure VLAN ********
Switch(config)# vlan 10 // create vlan 10
Switch(config-vlan)# vlan 20
Switch(config-vlan)# vlan 30
Switch(config-vlan)# int vlan 10
Switch(config-if)# ip address 192.168.10.1 255.255.255.0 // configure the virtual interface address of vlan10
Switch(config-if)# int vlan 20
Switch(config-if)# ip address 192.168.20.1 255.255.255.0
Switch(config-if)# int vlan 30
Switch(config-if)# ip address 192.168.30.1 255.255.255.0

* ******* Configure ACL ********
Switch(config)# access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
Switch(config)# access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255

* ******* Apply an ACL to a VLAN port ********
Switch(config)# int vlan 10
Switch(config-if)# ip access-group 101 in
Switch(config-if)# int vlan 20
Switch(config-if)# ip access-group 102 in

* ******** Complete ********

(2) Implementation through a VACL

Configuration commands:
1. Specify the name and sequence number of the VLAN access map: vlan access-map map_name [seq #]
2. Configure the match clause: match ip address ...
3. Configure the action to take on matching traffic: action ...
4. Apply the VLAN access map to the VLAN: vlan filter map_name vlan-list vlan_list
* ******* Configure VLAN ********

(Same as above)

* ******* Configure ACL ********
Switch(config)# access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
Switch(config)# access-list 101 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
(Difference: because a VACL has no inbound or outbound direction, the ACL must permit the VLAN's IP traffic in both directions. VLAN10 is only allowed to communicate with VLAN30, and that traffic flows both ways, so the ACL also needs an entry with the VLAN30 subnet as the source.)
Switch(config)# access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
Switch(config)# access-list 102 permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255

* ******* Configure VACL ********

Step 1: Configure vlan access map
Switch(config)# vlan access-map test1 // define a vlan access map named test1
Switch(config-access-map)# match ip address 101 // match traffic against acl 101
Switch(config-access-map)# action forward // forward the matching traffic
Switch(config-access-map)# vlan access-map test2 // define a vlan access map named test2
Switch(config-access-map)# match ip address 102 // match traffic against acl 102
Switch(config-access-map)# action forward // forward the matching traffic

Step 2: Apply VACL
Switch(config)# vlan filter test1 vlan-list 10 // apply the test1 map configured above to vlan10
Switch(config)# vlan filter test2 vlan-list 20 // apply the test2 map configured above to vlan20

* ******** Complete ********
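To make the difference explained above concrete, here is an added Python model (not from the original post and not Cisco code) of the two filtering points: an ACL applied inbound on the SVI, and a direction-less VACL with action forward. It assumes the page's three /24 subnets, constructs sample host addresses, and encodes both the one-way ACLs of section (1) and the two-way ACLs of section (2), so it can show why the VACL needs the VLAN30 entries.

```python
import ipaddress

# Constructed from the page's topology and ACLs. Entries are
# (action, src_net, src_wildcard, dst_net, dst_wildcard); ACL 101 guards vlan10, 102 guards vlan20.
ONE_WAY = {101: [("permit", "192.168.10.0", "0.0.0.255", "192.168.30.0", "0.0.0.255")],
           102: [("permit", "192.168.20.0", "0.0.0.255", "192.168.30.0", "0.0.0.255")]}
TWO_WAY = {101: ONE_WAY[101] + [("permit", "192.168.30.0", "0.0.0.255", "192.168.10.0", "0.0.0.255")],
           102: ONE_WAY[102] + [("permit", "192.168.30.0", "0.0.0.255", "192.168.20.0", "0.0.0.255")]}
VLAN_NET = {10: "192.168.10.0/24", 20: "192.168.20.0/24", 30: "192.168.30.0/24"}
FILTER = {10: 101, 20: 102}  # vlan -> ACL, used both as 'ip access-group N in' and as the VACL match

def wildcard_match(addr, net, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', so compare only the 0 bits."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)

def acl_permits(entries, src, dst):
    """First matching entry wins; no match means the implicit 'deny ip any any'."""
    for action, snet, swc, dnet, dwc in entries:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action == "permit"
    return False

def vlan_of(addr):
    ip = ipaddress.IPv4Address(addr)
    return next(v for v, net in VLAN_NET.items() if ip in ipaddress.IPv4Network(net))

def svi_inbound_allows(acls, src, dst):
    """Model (1): ACL applied 'in' on the SVI. Only routed packets hit it, and only
    on the SVI of the VLAN they come from; bridged intra-VLAN traffic never does."""
    sv, dv = vlan_of(src), vlan_of(dst)
    if sv == dv or sv not in FILTER:
        return True
    return acl_permits(acls[FILTER[sv]], src, dst)

def vacl_allows(acls, src, dst):
    """Model (2): VACL with 'action forward'. It has no direction and sees every packet
    in the VLAN, bridged or routed, so it is checked on the source VLAN and on the
    destination VLAN; a packet matching no clause is dropped."""
    for v in {vlan_of(src), vlan_of(dst)}:
        if v in FILTER and not acl_permits(acls[FILTER[v]], src, dst):
            return False
    return True

def session_ok(check, acls, client, server):
    """A TCP session needs both the request and the reply to be allowed."""
    return check(acls, client, server) and check(acls, server, client)
```

The model also shows a VACL consequence the post does not spell out: because a VACL filters bridged traffic too, an access map built only from ACL 101 drops packets between two hosts inside vlan10 unless a further clause forwards that traffic.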

The above is a simple configuration example of an inter-VLAN ACL and a VACL. In my opinion, an inter-VLAN ACL is more convenient for access control, but when the VLAN interfaces are scattered, a VACL is much easier to use, because inter-VLAN access control requires binding an ACL under each VLAN interface. However, the premise of using a VACL is that the switch supports the function; currently only the Cisco 3550, 4500, and 6500 series switches do.
