Understanding VLAN Access Filters

-
Evening All

I've spent a few days trying to get my head around VLAN Access-Maps and VLAN Access-Filters. I am sharing my configuration which works fine in my GNS3 lab. This is not been tested in a production environment so I would advise caution and some thorough testing before bringing into a live environment.

So above is my test environment for VLAN Filters. Layer three is done on Router 1. I did actually try it on the L2 Switch however I couldnt get intervlan routing working so I had to use the Router.

This is what is allowed  -

  • Communication both ways between 10.0.20.4 and 10.0.20.3
  • Communication both ways from 10.0.20.0/24 to 10.0.10.5 
I have provided a limited output of the switch. Basically, I am covering the access-lists, VLAN configuration and interface configuration for review. If you don't create the MAC access-list and apply it to the VLAN access-map, then the endpoints will not learn the IP address of the other end points. You can be restrictive and say, only allow the gateway MAC to talk to any endpoint and any endpoint to talk to the MAC of the gateway and lock it down further but for my testing I was happy with the below which helped me absorb this possible configuration.

mac access-list extended VLAN20-MACL
 permit any any
!
vlan access-map VLAN20-VACL 5
 match mac address VLAN20-MACL
 action forward
vlan access-map VLAN20-VACL 10
 match ip address VLAN20-ACL
 action forward
vlan access-map VLAN20-VACL 15
 action drop
!
!
vlan filter VLAN20-VACL vlan-list 20
interface Ethernet0/0
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast edge
!
interface Ethernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet0/2
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast edge
!
interface Ethernet0/3
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast edge
!
interface Ethernet1/0
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast edge
!
ip access-list extended VLAN20-ACL
 permit ip host 10.0.20.3 host 10.0.20.4
 permit ip host 10.0.20.4 host 10.0.20.3
 permit ip 10.0.20.0 0.0.0.255 host 10.0.10.5
 permit ip host 10.0.10.5 10.0.20.0 0.0.0.255
 permit ip 10.0.20.0 0.0.0.255 host 10.0.20.1
 permit ip host 10.0.20.1 10.0.20.0 0.0.0.255
!

Have Fun! 

Comments

Post a Comment

Popular posts from this blog

Create bootable CUC CUCM CUP Image / ISO

-
The following script allows you to automatically create a bootable CUCM/CUC/CUP image without the need for any paid for software when you only have access to the update outside of put or the datastore for the new server. I have spent several hours on this, but I just wanted to make it simple. Only really for lab purposes, the checksum will fail due to the ISO being manipulated but essentially once you fill in the variables, you will just be left with a single ISO file in the staging directory. To use; 1. Download the mkisofs.exe file as described in the script 2. Paste script below into Powershell ISE Script Editer 3. Modify the variables 4. Execute the script. Simple. Tested creating an ISO on a Windows 10 machine and running the ISO on a ESXI server. Thanks for this guy Aaron Harrison as per the URL, was helpful in the finding out the mkisofs.exe command syntax. http://www.ipcommute.co.uk/technical-articles/17--creating-isolinux-boot-dvds-with-free-software-cucm-uccx-c...
Read more

Configuring Oracle 12c backups on Veritas Backup Exec 16.

-
Image
This is a short guide to configuring backups of Oracle 12c using Veritas Backup Exec 16. 1.        Establish trust with Oracle Database server within Backup Exec console and ensure agent is installed. 2.         Create a login to the database for backup purposes in Oracl e; Open up a command prompt and run the following command – Sqlplus / nolog Log in with your database admin account as sysdba Connect myusername / mypassword@databasename as sysdba CREATE USER BACKUP IDENTIFIED BY MYPASSWORD; GRANT UNLIMITED TABLESPACE TO BACKUP; GRANT AQ_ADMINISTRATOR_ROLE TO BACKUP; GRANT DBA TO BACKUP; GRANT CONNECT TO BACKUP; ALTER USER BACKUP DEFAULT ROLE ALL; ALTER USER BACKUP DEFAULT TABLESPACE SYSTEM; 3.        Within the Local Users and Groups section of Computer Management on the Oracle database server, add the backup servers windows domain adminis...
Read more

Configuring Cisco CME Voice Gateway (VG) for incoming and outgoing calls using Sipgate trunk

-
Image
Hi All For my reference and your's, here is a working sample configuration for configuring sipgate (sipgate.co.uk) for incoming and external VOIP calls on a 2800 series Cisco router. Using GNS3; My wireless adapter has internet connection sharing enabled, and I have created a loopback adapter which is the 'internet' adapter as you can see below. I have tested making calls using Cisco's CIPC version 8 and receiving calls. This doesn't have to be done in GNS3, just pick up yourself a real voice gateway. version 12.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname VG-EP ! boot-start-marker boot-end-marker ! ! aaa new-model ! ! aaa authentication login http local aaa authentication login ssh local aaa authorization exec http local ! aaa session-id common ! resource policy ! memo...
Read more