VLAN ACL

Answered Question
Aug 29th, 2008

Hi,

is it possible to prohibit communication via TCP port 1761 for several servers on a switch? I've never configured a VLAN ACL, so I have to act very carefully in a productive server farm. Is it possible to configure a VLAN ACL on port level? It's undesired to configure an ACL on the backbone router.


Tia,

Stephan

Marwan ALshawi Fri, 08/29/2008 - 05:05

VACLs are configured as a VLAN access map, in much the same format as a route map. A VLAN access map consists of one or more statements, each having a common map name.

A VACL can either drop a matching packet, forward it, or redirect it to another interface. The TCAM performs the entire VACL match and action, as packets are switched or bridged within a VLAN, or routed into or out of a VLAN.

Finally, you must apply the VACL to a VLAN using the following global configuration command:

Switch(config)# vlan filter map-name vlan-list vlan-list



For example, suppose that you need to filter traffic within VLAN 99 so that host 192.168.99.17 is not allowed to contact any other host on its local subnet. Access list local-17 is created to identify traffic between this host and anything else on its local subnet. Then a VLAN access map is defined: if the local-17 access list permits the IP address, the packet is dropped; otherwise, the packet is forwarded.



Switch(config)# ip access-list extended local-17
Switch(config-acl)# permit ip host 192.168.99.17 192.168.99.0 0.0.0.255
Switch(config-acl)# exit
Switch(config)# vlan access-map block-17 10
Switch(config-access-map)# match ip address local-17
Switch(config-access-map)# action drop
Switch(config-access-map)# vlan access-map block-17 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter block-17 vlan-list 99


in your case make it like

Switch(config)# ip access-list extended local-17
Switch(config-acl)# permit tcp host 192.168.99.17 192.168.99.0 0.0.0.255 eq 1761

and so the same idea for any source, destination and port



good luck


if helpful Rate


stephan.sieger Fri, 08/29/2008 - 05:11

That means that the entire VLAN is affected by the VACL. It's not possible to put it only on one single L2 port, I guess. That's not a good solution..:-)


Thanks,

Stephan

Correct Answer
Marwan ALshawi Fri, 08/29/2008 - 05:13

but if you make the source a specific host, only that host in that VLAN will be affected, not other hosts

so it works for your case

Marwan ALshawi Fri, 08/29/2008 - 05:24

by the way, don't forget this line in the end, I mean after the deny statements in the VACL

Switch(config-access-map)# vlan access-map block-17 20
Switch(config-access-map)# action forward

this one will permit all other traffic

if you don't put it, everything will be denied unless you permit it



please, if helpful Rate


and good luck :)
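The pieces from the replies above assembled into one VACL for the case as asked (several servers, TCP port 1761, nothing touched on the backbone router), as an added example that is not from any post in this thread. VLAN 99, the three server addresses and the name BLOCK-1761 are constructed placeholders; the two show commands at the end are the check to run before leaving the server farm.

```cisco
! Added example, not from this thread. Assumed: VLAN 99, servers .17/.18/.19, name BLOCK-1761.
! In a VACL an ACL "permit" only means "this packet matches the clause";
! the access-map clause decides whether a match is dropped or forwarded.
ip access-list extended BLOCK-1761
 remark servers that must not open TCP/1761 to anything on their own subnet
 permit tcp host 192.168.99.17 192.168.99.0 0.0.0.255 eq 1761
 permit tcp host 192.168.99.18 192.168.99.0 0.0.0.255 eq 1761
 permit tcp host 192.168.99.19 192.168.99.0 0.0.0.255 eq 1761
!
! Clause 10: drop what the ACL matches. Only packets from these three sources match,
! so every other host in VLAN 99 falls straight through to clause 20.
vlan access-map BLOCK-1761 10
 match ip address BLOCK-1761
 action drop
! Clause 20: catch-all forward. Without it the map ends in an implicit drop
! and all other traffic in the VLAN stops.
vlan access-map BLOCK-1761 20
 action forward
!
! Apply to the VLAN (global config). A VACL has no direction: it is checked on every
! packet bridged inside VLAN 99 and on packets routed into or out of it.
vlan filter BLOCK-1761 vlan-list 99
!
! Verify the map clauses and the VLANs the filter is bound to
show vlan access-map BLOCK-1761
show vlan filter
```

The destination wildcard keeps the block limited to the local subnet, exactly as in the thread's example; widen it if the servers must not reach port 1761 anywhere.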
