VLAN Access Control List - with step-by-step configuration
Pre-requisite: Understanding VLAN and Access Control List in Networking
Before diving into what a VLAN Access Control List is and how to implement it, we need to know the fundamentals of VLANs and Access Control Lists individually.
A VLAN (Virtual LAN) is a way to logically segment a broadcast domain into smaller broadcast domains at Layer 2. By default, a host can communicate with all other hosts in the same VLAN, while hosts in different VLANs cannot communicate with each other without a Layer 3 device in between. This raises the question: what if we need to restrict some hosts in the same VLAN so that they cannot communicate with others? This can be achieved with a VLAN ACL (Access Control List). An ACL is a set of rules with permit and deny conditions that is used to filter packets. This is only a brief overview of VLANs and ACLs so that we can move on to our main topic, the VLAN ACL. To learn more about VLANs and ACLs, follow the links below.
Understanding Virtual Local Area Network (VLAN)
Access Control List
What is a VLAN Access Control List (VACL)?
A VLAN Access Control List, or VACL for short, is a network security feature used to filter traffic on a VLAN. It offers a more granular level of control than an interface or router ACL because it also filters traffic whose source and destination are in the same VLAN (bridged traffic), which never passes through a router, as well as traffic routed into or out of the VLAN. Packets are checked against the VACL as they are bridged within or routed through the VLAN, and are forwarded or dropped as configured. A VACL has no direction (there is no inbound or outbound VACL); direction-based filtering can be achieved by combining VACLs with the Private VLAN feature.
VACLs are mainly useful for segmenting network traffic. They help mitigate attacks within a VLAN by enforcing security policy on traffic that a router or firewall ACL cannot see. They are one part of a layered approach to network security and work alongside other measures such as firewalls and regular ACLs.
What are the key benefits and features of using VACLs?
Enhanced Security: VACLs protect against unauthorized access by filtering traffic at the VLAN level, which helps limit the spread of an attack inside the network, for example lateral movement between hosts in the same VLAN.
Effective Traffic Management: VLAN ACLs can be used to control which flows are allowed within a VLAN, so that resources are reached only by the hosts that need them.
Better Network Efficiency: By dropping unwanted traffic at the switch, VACLs reduce unnecessary data transmission on the network.
Steps to follow: how to configure a VLAN Access Control List?
VACL configuration steps
1- Create an Access Control List (ACL), standard or extended: define a list containing one or more access control entries (ACEs) that identify the traffic of interest. In the context of VACLs these are typically extended ACLs, which can match traffic on IP addresses, TCP/UDP ports and other Layer 3 and Layer 4 information. Note that in a VACL the ACL only selects traffic: a permit entry means "this traffic matches", and a deny entry (or the implicit deny at the end of every ACL) means "this traffic does not match". The forward or drop decision is made by the access map, not by the ACL.
2- Define a VLAN access map: create the VLAN access map and reference the ACL defined earlier in a match clause.
3- Action clause in the VLAN access map: define the action, forward or drop, to be taken on the traffic matched by the ACL in that sequence of the access map.
4- Apply the VLAN access map to VLANs: apply the VLAN access map to one or more VLANs as required.
5- Verify the configuration: check that the access map is applied to the right VLAN and that traffic is filtered as intended.
Let's discuss the whole process with the help of a scenario:
Scenario
Fig-1: VLAN Access Control List
We have a network in which three users (two connected by wire and one by wireless) and one server are connected to a switch in the same VLAN, say VLAN 10. The IP subnet is 192.168.1.0/24. We have to configure a VLAN ACL on the switch so that user-3 (IP address 192.168.1.3), connected through wireless, cannot reach the server (IP address 192.168.1.10), while all other users can still reach the server.
Let’s move to the configuration steps:
Step-1 - Configure the access list:
Configure an extended ACL named VACL that matches traffic from user-3 (192.168.1.3) to the server (192.168.1.10). The permit keyword here does not allow the traffic; it marks it as matched, so that the access map can act on it in the next step.
switch(config)#ip access-list extended VACL
switch(config-ext-nacl)#permit ip host 192.168.1.3 host 192.168.1.10
Step-2 & 3 - Configure the VLAN access map and action clauses:
Configure a VLAN access map named MAP, match the access list VACL and set the action to drop; this denies traffic from user-3 to the server. The number after the name is the sequence number of the entry; if it is omitted, the switch assigns one, which is 10 for the first entry. The access map name is used again when the map is applied to the VLAN, so use the same spelling throughout.
switch(config)#vlan access-map MAP 10
switch(config-access-map)#match ip address VACL
switch(config-access-map)#action drop
switch(config-access-map)#exit
Fig-2: Drop traffic from user-3 to server
Configure another entry in the same access map MAP with sequence number 20. It has no match clause, so it matches all remaining traffic, and its action is forward. Without this entry all other traffic would also be dropped, because a packet that matches no entry of the access map is dropped by the implicit deny at the end of the map.
switch(config)#vlan access-map MAP 20
switch(config-access-map)#action forward
switch(config-access-map)#exit
Fig-3: Forward traffic from user-1 to server
Fig-4: Forward traffic from user-2 to server
NOTE: the entries are evaluated in ascending order of sequence number and the first match wins. Sequence 10 drops traffic from user-3 to the server; everything else falls through to sequence 20 and is forwarded. Also note that the ACL matches only the user-3-to-server direction: replies from the server to user-3 are not matched by VACL and are forwarded by sequence 20. That is enough to break the connection, since user-3's requests never arrive, but if traffic must be blocked in both directions, add a second ACE (permit ip host 192.168.1.10 host 192.168.1.3) to the ACL.
Step-4 - Apply the VLAN access map to VLAN 10:
Apply the VLAN access map named MAP to VLAN 10 as per our scenario.
switch(config)#vlan filter MAP vlan-list 10
Step-5 - Verification:
The show vlan access-map command shows the name of the VLAN access map and, for each sequence number, its match clause (the access list name) and its action.
switch#show vlan access-map
The show vlan filter command shows which VLANs are filtered by which VLAN access map.
switch#show vlan filter
Finally, test from the hosts: a ping from user-3 to 192.168.1.10 should fail, while a ping from user-1 or user-2 to 192.168.1.10 should succeed.
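The evaluation rules that the steps above depend on (sequence order, "permit" in the ACL meaning "matched", the implicit drop when no entry matches) are easy to get wrong. The following Python model is an added example, not part of the original article or of any switch software: it replays the article's scenario in code and also shows two misconfigurations and the reverse-direction caveat. The addresses of user-3 (192.168.1.3) and the server (192.168.1.10) are the article's; user-1 at 192.168.1.1 is an assumed address, and the reverse-direction ACE is an assumed extension of the article's ACL.

```python
"""Model of how a VLAN access map (VACL) evaluates a packet.

Added example, not configuration from the article: it replays the article's
scenario so the evaluation order and the implicit drop can be checked.
user-1 at 192.168.1.1 is an assumed address (the article never gives it).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network


@dataclass
class Ace:
    """One access control entry of an extended IP ACL (source/destination only)."""
    action: str   # "permit" or "deny"
    src: IPv4Net
    dst: IPv4Net


@dataclass
class MapEntry:
    """One sequence of a vlan access-map."""
    seq: int
    action: str                            # "forward" or "drop"
    match_acl: Optional[List[Ace]] = None  # None = no match clause = matches everything


def acl_permits(acl: List[Ace], src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    """First ACE covering the flow decides. Inside a VACL a permit means
    'this entry matches'; an explicit deny, or the implicit deny at the end
    of every IOS ACL, means 'not matched, try the next sequence'."""
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False


def vacl_evaluate(access_map: List[MapEntry], src: str, dst: str) -> str:
    """Return 'forward' or 'drop' for an IP packet seen in the VLAN.
    Entries are tried in ascending sequence order and the first match wins;
    a packet matching no entry is dropped (implicit drop of the access map)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in sorted(access_map, key=lambda e: e.seq):
        if entry.match_acl is None or acl_permits(entry.match_acl, s, d):
            return entry.action
    return "drop"


def host(addr: str) -> IPv4Net:
    return ipaddress.ip_network(f"{addr}/32")


ANY = ipaddress.ip_network("0.0.0.0/0")
USER1, USER3, SERVER = "192.168.1.1", "192.168.1.3", "192.168.1.10"

# ip access-list extended VACL
#  permit ip host 192.168.1.3 host 192.168.1.10
ACL_VACL = [Ace("permit", host(USER3), host(SERVER))]

# vlan access-map MAP 10 -> match ip address VACL, action drop
# vlan access-map MAP 20 -> no match clause, action forward
MAP = [MapEntry(10, "drop", ACL_VACL), MapEntry(20, "forward")]

# Mistake 1: sequence 20 omitted. Nothing else matches, so everything is dropped.
MAP_NO_FORWARD = [MapEntry(10, "drop", ACL_VACL)]

# Mistake 2: writing the ACL the way you would for an interface ACL
# (deny the bad host, permit everyone else) and pairing it with 'action drop'.
# The deny means 'not matched', so user-3 falls through to sequence 20 and is
# forwarded, while everyone else matches 'permit ip any any' and is dropped.
ACL_INVERTED = [Ace("deny", host(USER3), host(SERVER)), Ace("permit", ANY, ANY)]
MAP_INVERTED = [MapEntry(10, "drop", ACL_INVERTED), MapEntry(20, "forward")]

# Reverse direction: the VACL has no direction, but each ACE does. The article's
# ACE only matches user-3 -> server, so server -> user-3 still hits sequence 20.
# Adding the reverse ACE (assumed extension) blocks the reply path as well.
ACL_BOTH_WAYS = ACL_VACL + [Ace("permit", host(SERVER), host(USER3))]
MAP_BOTH_WAYS = [MapEntry(10, "drop", ACL_BOTH_WAYS), MapEntry(20, "forward")]


def scenario() -> dict:
    """Verdicts for the article's scenario, the two mistakes and the extension."""
    return {
        "user3->server": vacl_evaluate(MAP, USER3, SERVER),                          # drop
        "user1->server": vacl_evaluate(MAP, USER1, SERVER),                          # forward
        "server->user3": vacl_evaluate(MAP, SERVER, USER3),                          # forward
        "server->user3 both ways": vacl_evaluate(MAP_BOTH_WAYS, SERVER, USER3),      # drop
        "user1->server no seq 20": vacl_evaluate(MAP_NO_FORWARD, USER1, SERVER),     # drop
        "user3->server inverted": vacl_evaluate(MAP_INVERTED, USER3, SERVER),        # forward
        "user1->server inverted": vacl_evaluate(MAP_INVERTED, USER1, SERVER),        # drop
    }


if __name__ == "__main__":
    for flow, verdict in scenario().items():
        print(f"{flow:26} {verdict}")
```

Running the model prints drop for user-3 and forward for user-1 under the article's access map, confirms that dropping sequence 20 drops everyone, and shows why an ACL written with a deny entry inverts the policy when paired with action drop.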