Understanding VLAN Access Filters

Evening All

I've spent a few days trying to get my head around VLAN Access-Maps and VLAN Access-Filters. I am sharing my configuration, which works fine in my GNS3 lab. This has not been tested in a production environment, so I would advise caution and thorough testing before bringing it into a live environment.

So above is my test environment for VLAN Filters. Layer three is done on Router 1. I did actually try it on the L2 switch; however, I couldn't get inter-VLAN routing working, so I had to use the router.

This is what is allowed:

  • Communication both ways between 10.0.20.4 and 10.0.20.3
  • Communication both ways from 10.0.20.0/24 to 10.0.10.5

I have provided a limited output of the switch, covering the access-lists, the VLAN access-map and filter, and the interface configuration for review. If you don't create the MAC access-list and apply it to the VLAN access-map, the endpoints will not learn each other's IP addresses: ARP is not IP traffic, so the IP access-list never matches it and it would fall through to the drop at the end of the access-map. You can be more restrictive, for example only allowing the gateway MAC to talk to any endpoint and any endpoint to talk to the gateway MAC, and lock it down further, but for my testing I was happy with the configuration below, which helped me absorb this possible configuration.

mac access-list extended VLAN20-MACL
 permit any any
!
vlan access-map VLAN20-VACL 5
 match mac address VLAN20-MACL
 action forward
vlan access-map VLAN20-VACL 10
 match ip address VLAN20-ACL
 action forward
vlan access-map VLAN20-VACL 15
 action drop
!
!
vlan filter VLAN20-VACL vlan-list 20
!
interface Ethernet0/0
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast edge
!
interface Ethernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet0/2
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast edge
!
interface Ethernet0/3
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast edge
!
interface Ethernet1/0
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast edge
!
ip access-list extended VLAN20-ACL
 permit ip host 10.0.20.3 host 10.0.20.4
 permit ip host 10.0.20.4 host 10.0.20.3
 permit ip 10.0.20.0 0.0.0.255 host 10.0.10.5
 permit ip host 10.0.10.5 10.0.20.0 0.0.0.255
 permit ip 10.0.20.0 0.0.0.255 host 10.0.20.1
 permit ip host 10.0.20.1 10.0.20.0 0.0.0.255
!
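To make the first-match logic of the access-map concrete, here is an added Python model (my own illustration, not code from the original post or from Cisco) that walks frames on VLAN 20 through the three sequences above using the post's own VLAN20-ACL entries and IOS wildcard-mask semantics. It assumes the Catalyst VACL behaviour where the MAC ACL clause is evaluated only for non-IP frames such as ARP while IP frames are matched by the IP ACL clause; the sample frames at the bottom are constructed for illustration.

```python
import ipaddress

# The post's "ip access-list extended VLAN20-ACL", one tuple per permit entry:
# (source, source wildcard, destination, destination wildcard).
# "host x" is wildcard 0.0.0.0; anything unmatched hits IOS's implicit deny.
VLAN20_ACL = [
    ("10.0.20.3", "0.0.0.0",   "10.0.20.4", "0.0.0.0"),
    ("10.0.20.4", "0.0.0.0",   "10.0.20.3", "0.0.0.0"),
    ("10.0.20.0", "0.0.0.255", "10.0.10.5", "0.0.0.0"),
    ("10.0.10.5", "0.0.0.0",   "10.0.20.0", "0.0.0.255"),
    ("10.0.20.0", "0.0.0.255", "10.0.20.1", "0.0.0.0"),
    ("10.0.20.1", "0.0.0.0",   "10.0.20.0", "0.0.0.255"),
]

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def ip_acl_permits(src: str, dst: str) -> bool:
    """First matching entry wins; no match means the implicit deny."""
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in VLAN20_ACL)

def vacl_action(ethertype: str, src: str = "", dst: str = "") -> str:
    """Walk access-map VLAN20-VACL in sequence order; the first match decides.
    Assumption of this model (not stated in the post): the MAC ACL clause is
    evaluated only for non-IP frames such as ARP, while IP frames are matched
    by the IP ACL clause, which is how Catalyst VACLs treat a MAC ACL."""
    if ethertype != "ip":            # seq 5:  match mac address VLAN20-MACL
        return "forward"             #         permit any any -> action forward
    if ip_acl_permits(src, dst):     # seq 10: match ip address VLAN20-ACL
        return "forward"             #         -> action forward
    return "drop"                    # seq 15: no match clause -> action drop

if __name__ == "__main__":
    # Constructed sample frames as the VLAN 20 filter would see them.
    frames = [
        ("arp", "10.0.20.3", "10.0.20.4"),  # ARP is non-IP: forwarded by seq 5
        ("ip",  "10.0.20.3", "10.0.20.4"),  # explicitly permitted host pair
        ("ip",  "10.0.20.3", "10.0.20.5"),  # intra-VLAN host not in the list
        ("ip",  "10.0.20.7", "10.0.10.5"),  # any VLAN 20 host to 10.0.10.5
        ("ip",  "10.0.20.7", "10.0.10.6"),  # other VLAN 10 address: dropped
        ("ip",  "10.0.10.5", "10.0.20.7"),  # return traffic from 10.0.10.5
    ]
    for etype, s, d in frames:
        print(f"{etype:<4} {s:>10} -> {d:<10} {vacl_action(etype, s, d)}")
```

The third and fifth sample frames show the point of the filter: a VLAN 20 host that is not in the list cannot reach its neighbours or any other VLAN 10 address, even though the MAC ACL lets ARP through.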

Have Fun! 
