
Understanding Cisco Access-Lists on Switches: PACL, VACL, RACL and MACL

2019-08-09 12:03:07  Reads: 539  Source: Internet

Tags: access Cisco map VLAN Lists ACL Switches VACL config


This ‘ACLs on Switches’ diagram shows where PACL, VACL and RACL sit on a switch and the traffic direction each one filters. It is clear and easy to understand.


The following explanation is from Security Features on Switches by Yusuf Bhaiji.

Access Lists on Switches

The switch supports the following four types of ACLs for traffic filtering:
  • Router ACL
  • Port ACL
  • VLAN ACL
  • MAC ACL

Router ACL

As the name implies, Router ACLs are similar to the IOS ACLs discussed in Chapter 2, “Access Control,” and can be used to filter network traffic on switched virtual interfaces (SVIs), which are Layer 3 interfaces on VLANs, on Layer 3 physical interfaces, and on Layer 3 EtherChannel interfaces. Both standard and extended ACLs are supported. For details on configuring Router ACLs, refer to Chapter 2.

Port ACL

Port ACLs are similar to Router ACLs but are supported on physical interfaces and configured on Layer 2 interfaces on a switch. Port ACL supports only inbound traffic filtering. Port ACL can be configured using three types of access lists: standard, extended, and MAC-extended. Processing of the Port ACL is similar to that of the Router ACL; the switch examines ACLs associated with features configured on a given interface and permits or denies packet forwarding based on packet-matching criteria in the ACL. When applied to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When applied to a port with a voice VLAN, the ACL filters traffic on both the data and voice VLANs. The main benefit of Port ACL is that it can filter both IP traffic (using IP access lists) and non-IP traffic (using MAC access lists). Both types of filtering can be combined: a Layer 2 interface can have both an IP access list and a MAC access list applied to it at the same time. Note: Port ACLs are not supported on EtherChannel interfaces.

VLAN ACL (VACL)

VLAN ACL (also called VLAN map) provides packet filtering for all types of traffic that are bridged within a VLAN or routed into or out of the VLAN. Unlike Router ACL, VACL is not defined by a direction (input or output). All packets entering the VLAN (bridged or routed) are checked against the VACL. It is possible to filter traffic based on the direction of the traffic by combining VACLs and Private VLAN features. VACLs are processed in hardware, so there is no performance penalty in processing them. Therefore, they are also referred to as wire-speed ACLs. The forwarding rate remains unchanged regardless of the size of the access list because the lookup of VACLs is performed in hardware.

VACL on a Bridged Port

Figure 4-2 illustrates where the VACL is processed when VACL is applied on a bridged port for traffic from Host A in VLAN 5 that is communicating to Host B in VLAN 10 through the switch.

Figure 4-2 VACL on a Bridged Port

VACL on a Routed Port

Figure 4-3 illustrates how IOS ACL and VACL are applied on routed packets and Layer 3 switched packets. Following is the order of processing:
  1. VACL for input VLAN
  2. Input IOS ACL
  3. Output IOS ACL
  4. VACL for output VLAN

Figure 4-3 VACL on a Routed Port

Configuring VACL

Perform the following steps to configure and apply a VACL (VLAN access map) on the switch:
  1. Define the standard or extended access list to be used in VACL.
  2. Define a VLAN access map.
  3. Configure a match clause in a VLAN access map sequence.
  4. Configure an action clause in a VLAN access map sequence.
  5. Apply the VLAN access map to the specified VLANs.
  6. Display VLAN access map information.
Example 4-6 shows how to define and apply a VACL to drop packets matching access list 1 from network 192.168.1.0/24; all other packets matching access list 2 are forwarded. The VACL is applied to VLANs 5 through 10.

Example 4-6. VACL Configuration Example

Switch(config)#access-list 1 permit 192.168.1.0 0.0.0.255
Switch(config)#access-list 2 permit any
Switch(config)#vlan access-map mymap 10
Switch(config-access-map)#match ip address 1
Switch(config-access-map)#action drop
Switch(config-access-map)#exit
Switch(config)#vlan access-map mymap 20
Switch(config-access-map)#match ip address 2
Switch(config-access-map)#action forward
Switch(config-access-map)#exit
Switch(config)#vlan filter mymap vlan-list 5-10
Switch(config)#end

Switch# show vlan access-map
Vlan access-map "mymap" 10
  Match clauses:
    ip address: 1
  Action:
    drop
Vlan access-map "mymap" 20
  Match clauses:
    ip address: 2
  Action:
    Forward

Switch# show vlan filter
VLAN Map mymap is filtering VLANs:
  5-10
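The following is an added illustration, not code from the book or from Cisco: a small Python model of how the VLAN access map in Example 4-6 is evaluated, and of the processing order on a routed port from Figure 4-3. It assumes only what the text states (clauses are walked in sequence order, a match clause matches when the referenced standard ACL permits the packet's source, and a packet matching no clause is dropped by the implicit deny at the end of every VLAN map); the function names and the sample addresses are constructed for the example.

```python
import ipaddress

# Constructed model (added illustration, not Cisco code) of the VLAN access
# map in Example 4-6 and of the Figure 4-3 processing order. Rules as in the
# text: clauses walk in sequence order, "match ip address N" matches when
# standard ACL N permits the source, and an unmatched packet is dropped.

def wildcard_match(ip, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    to_int = lambda a: int(ipaddress.IPv4Address(a))
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return to_int(ip) & care == to_int(network) & care

def std_acl_permits(acl, src_ip):
    """Standard ACL: first matching entry wins; implicit deny at the end."""
    for action, network, wildcard in acl:
        if network == "any" or wildcard_match(src_ip, network, wildcard):
            return action == "permit"
    return False

def vlan_map_action(vlan_map, acls, src_ip):
    """Action of the first sequence whose match ACL permits src_ip."""
    for _seq, acl_num, action in sorted(vlan_map):
        if std_acl_permits(acls[acl_num], src_ip):
            return action
    return "drop"  # no clause matched: implicit deny at the end of the map

def racl_action(acl, src_ip):
    """Router ACL stage; None means no ACL is applied on that interface."""
    return "forward" if acl is None or std_acl_permits(acl, src_ip) else "drop"

def routed_path(src_ip, acls, in_map, in_racl, out_racl, out_map):
    """Figure 4-3 order; returns the dropping stage's name or 'forwarded'."""
    stages = [
        ("VACL input VLAN", lambda: vlan_map_action(in_map, acls, src_ip)),
        ("input IOS ACL", lambda: racl_action(in_racl, src_ip)),
        ("output IOS ACL", lambda: racl_action(out_racl, src_ip)),
        ("VACL output VLAN", lambda: vlan_map_action(out_map, acls, src_ip)),
    ]
    for name, check in stages:
        if check() == "drop":
            return name
    return "forwarded"

# Example 4-6 as data: ACL number -> entries; VLAN map -> (seq, acl, action).
ACLS = {1: [("permit", "192.168.1.0", "0.0.0.255")], 2: [("permit", "any", None)]}
MYMAP = [(10, 1, "drop"), (20, 2, "forward")]
# vlan_map_action(MYMAP, ACLS, "192.168.1.7") -> 'drop'; "10.0.0.9" -> 'forward';
# with sequence 20 removed, "10.0.0.9" -> 'drop' (the implicit deny applies).
```

The model shows why sequence 20 with "permit any" is needed in Example 4-6: without it, traffic from outside 192.168.1.0/24 matches no clause and is silently dropped.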


MAC ACL

MAC ACL, also known as Ethernet ACL, can filter non-IP traffic on a VLAN and on a physical Layer 2 interface by using MAC addresses in a named MAC extended ACL. The steps to configure a MAC ACL are similar to those of extended named ACLs. MAC ACL supports only inbound traffic filtering. To define the MAC Extended ACL, use the mac access-list extended command. Several non-IP protocols are supported. After the MAC ACL is created, it can be applied to a Layer 2 interface using the mac access-group [acl-name] in command to filter non-IP traffic received on the interface. Example 4-7 shows how to define and apply a MAC ACL to drop all (non-IP) AppleTalk Address Resolution Protocol (AARP) packets, allowing all other types of traffic.

Example 4-7. MAC ACL Configuration Example

Switch(config)# mac access-list extended my-mac-acl
Switch(config-ext-macl)# deny any any aarp
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# exit
Switch(config)# interface Fastethernet0/10
Switch(config-if)# mac access-group my-mac-acl in
Switch(config-if)# end


Source: https://blog.csdn.net/cpongo7/article/details/98947765
