Archive for the 'Cisco Switches' Category



vlan access-map example configuration

Friday 7 October 2011 @ 7:31 pm

In this post I will discuss VLAN access control lists (VACLs), also called VLAN access maps or VLAN maps. A VLAN access map lets us filter traffic inside a VLAN on the switch itself. It is applied to the VLAN as a whole, so every frame bridged within that VLAN is checked against it, whichever port it arrived on, and so is traffic routed into or out of the VLAN. Its configuration is very similar to a route map: numbered clauses, each with match and action statements.

The match clauses of a VLAN access map can reference a Layer 3/4 IP access list or a Layer 2 MAC access list.

The ordinary ACL, the best-known form of filtering, ends with an implied deny ip any any. A VACL also ends with an implicit deny, but relying on that implicit deny is not recommended, for the following reason.

A normal IP ACL examines only IP packets, so it never touches Layer 2 protocols such as STP, VTP, CDP or ARP. A VLAN access map, by contrast, is evaluated against everything bridged in the VLAN, and anything that matches no clause falls through to the implicit deny, which, depending on the platform, can take Layer 2 control traffic with it. That is why a VACL should always finish with an explicit catch-all clause whose action is forward and which has no match statement, as the example below does, rather than relying on the implicit deny.

Now let's look at the details with the following example: two routers, R1 (192.168.10.1) and R2 (192.168.10.2), sit in the same VLAN (the same broadcast domain) and are connected to each other through the switch. Let's block only Telnet from R1 to R2 and permit everything else.

Before starting configuration, let’s check if telnet works from R1.

R1#telnet 192.168.10.2
Trying 192.168.10.2 … Open

User Access Verification

Password:

R1#quit

[Connection to 192.168.10.2 closed by foreign host]
R1#

As we see, telnet is working, so now let’s start the VLAN access-map configuration which will block telnet and permit everything else.

! Create the access list that matches the interesting traffic. As mentioned, a VLAN access map works on the same principle as a route map: the access list only identifies the traffic, and the access map decides what happens to it. Note that "permit" in this ACL means "match", not "allow"; the drop happens in the map.

switch(config)#ip access-list extended  restrict_telnet_R2
switch(config-ext-nacl)#permit tcp host 192.168.10.1 host 192.168.10.2 eq 23

After this we create the VLAN access map. Like a route map it consists of numbered clauses, and each clause has two parts: match and action.

Match: identifies the interesting traffic by referencing an IP access list (match ip address) or a MAC access list (match mac address). A clause with no match statement matches everything, which is how the catch-all clause at the end is written.

Action: what to do with the matched traffic. Two actions exist on every platform: drop and forward. With drop the matched traffic is discarded, with forward it is allowed through. On high-end platforms such as the Catalyst 6500 the action statement also offers redirect (send the traffic to a given interface) and capture.

In our case we must drop the matched traffic and forward all the rest. Clauses are evaluated in sequence-number order, so the catch-all forward clause goes last.
switch(config)#vlan access-map VACL 10
switch(config-access-map)#action drop
switch(config-access-map)#match ip address restrict_telnet_R2
switch(config-access-map)#vlan access-map VACL 20
switch(config-access-map)#action forward
switch(config-access-map)#exit

After creating the VLAN access-map, it should be applied to a VLAN or VLANs. In this case we’ll apply it to VLAN 10 which is specified by “vlan-list 10”.

switch(config)#vlan filter VACL vlan-list 10

This completes the configuration; show vlan access-map and show vlan filter display the map and the VLANs it is applied to. Let's see whether Telnet is blocked while ping still works.

R1#ping 192.168.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
!!!!!

R1#telnet 192.168.10.2
Trying 192.168.10.2 …
% Connection timed out; remote host not responding

As we see, ping from R1 is fine and Telnet is blocked as planned. Note that the ACL matches only traffic from 192.168.10.1 to 192.168.10.2 port 23, so Telnet from R2 to R1 is still allowed; extend the ACL if that direction should be blocked too.
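As an added example (not part of the original post): a small offline linter in Python for the VLAN access-map statements in a running-config. It reads the access maps, the ACL definitions and the vlan filter lines and reports the mistakes discussed above: a map whose last clause is not a catch-all action forward and which therefore falls through to the implicit deny, a match that references an ACL that does not exist, and a map that is defined but never applied (or applied but never defined). The two sample configurations are constructed here: the first is this post's map as IOS writes it to the running-config, the second has clause 20 missing and the ACL name misspelt in the match.

```python
"""Lint Catalyst VLAN access-map (VACL) statements from a running-config (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class Clause:
    seq: int
    action: str | None = None
    matches: list[tuple[str, str]] = field(default_factory=list)  # (ip|mac, ACL name)


def parse_vacl_config(text: str):
    """Return (maps, filters, acls) picked out of running-config text.

    maps:    {map name: {sequence: Clause}}
    filters: {map name: [vlan-list string, ...]}   from 'vlan filter' lines
    acls:    names of all IP and MAC access lists that are actually defined
    """
    maps: dict[str, dict[int, Clause]] = {}
    filters: dict[str, list[str]] = {}
    acls: set[str] = set()
    clause: Clause | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[:1].isspace():  # top-level statement: leaves any access-map clause
            clause = None
            if m := re.fullmatch(r"vlan access-map (\S+) (\d+)", line):
                seq = int(m.group(2))
                clause = maps.setdefault(m.group(1), {}).setdefault(seq, Clause(seq))
            elif m := re.fullmatch(r"vlan filter (\S+) vlan-list (.+)", line):
                filters.setdefault(m.group(1), []).append(m.group(2))
            elif m := re.fullmatch(r"(?:ip access-list (?:standard|extended)|mac access-list extended) (\S+)", line):
                acls.add(m.group(1))
            continue
        if clause is None:
            continue  # indented line of some other block (ACL entries, interfaces, ...)
        if m := re.fullmatch(r"action (drop|forward)(?: .*)?", line):
            clause.action = m.group(1)
        elif m := re.fullmatch(r"match (ip|mac) address (.+)", line):
            clause.matches += [(m.group(1), name) for name in m.group(2).split()]
    return maps, filters, acls


def lint_vacl(maps, filters, acls) -> list[str]:
    """Return findings as strings; an empty list means nothing to report."""
    findings = []
    for name in filters:
        if name not in maps:
            findings.append(f"{name}: applied with 'vlan filter' but never defined")
    for name, clauses in maps.items():
        if name not in filters:
            findings.append(f"{name}: defined but not applied to any VLAN")
        ordered = [clauses[s] for s in sorted(clauses)]
        for c in ordered:
            if c.action is None:
                findings.append(f"{name} {c.seq}: clause has no action")
            for kind, acl in c.matches:
                if acl not in acls:
                    findings.append(f"{name} {c.seq}: match {kind} address references undefined ACL {acl}")
        last = ordered[-1]
        if not (last.action == "forward" and not last.matches):
            findings.append(f"{name}: last clause {last.seq} is not a catch-all 'action forward', "
                            "so traffic matching no clause falls through to the implicit deny")
    return findings


def lint_vacl_text(text: str) -> list[str]:
    return lint_vacl(*parse_vacl_config(text))


# Constructed sample: the map from this post as IOS stores it in the running-config.
GOOD_CONFIG = """\
ip access-list extended restrict_telnet_R2
 permit tcp host 192.168.10.1 host 192.168.10.2 eq telnet
!
vlan access-map VACL 10
 match ip address restrict_telnet_R2
 action drop
vlan access-map VACL 20
 action forward
!
vlan filter VACL vlan-list 10
"""

# Constructed sample: clause 20 was forgotten and the ACL name is misspelt in the match.
BAD_CONFIG = (GOOD_CONFIG
              .replace("vlan access-map VACL 20\n action forward\n", "")
              .replace("match ip address restrict_telnet_R2", "match ip address restrict_telnet_r2"))

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, lint_vacl_text(cfg) or ["clean"])
```

The parser only understands the plain forms shown on this page (one map name and sequence per line, match ip/mac address, action drop/forward); it is meant to be run over the output of show running-config saved to a file, not on the switch.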




Private Vlan Configuration

Tuesday 9 August 2011 @ 7:23 pm

We know that a Layer 2 VLAN is an isolated broadcast domain and that a Layer 3 device is required for inter-VLAN routing. A private VLAN (PVLAN) gives us the opportunity to divide a VLAN into sub-VLANs: the normal VLAN becomes the primary VLAN and is associated with one or more secondary VLANs. This lets us restrict devices that sit in the same normal VLAN (the same subnet) from communicating with each other. Catalyst 3560 and higher models support PVLANs.

PVLANs are often used where servers sit in a DMZ on the same Layer 2 VLAN and we want to restrict communication between them, which helps security a great deal. If the servers are reachable from the Internet and one of them is compromised, the attacker is prevented from reaching the other servers in the same VLAN from it. We could do this with a Layer 3 device or a firewall, but then each server would need its own VLAN and subnet, and the network becomes complex. With a PVLAN we keep one network (one VLAN and one subnet) and restrict the connections between servers by placing them in secondary VLANs. Keep in mind that this isolation is Layer 2 only: a host on an isolated port can still send a frame to the router's MAC address with another isolated host's IP address as the destination, and the router will route it straight back into the VLAN. To close that hole, add an ACL on the gateway (or a VACL) that denies traffic whose source and destination are both in the VLAN's own subnet.

Private VLAN Types and Port Types:

Promiscuous (P): a port that is allowed to send frames to and receive frames from every other port in the primary VLAN. It usually connects to the router (default gateway), a firewall, or a monitoring device.

Isolated (I): a port that can communicate only with promiscuous ports; isolated ports are "stubs" and usually connect to hosts. Only one isolated VLAN can be associated with a primary VLAN, and the ports in the isolated VLAN cannot communicate with each other even though they share it.

Community (C): ports in the same community VLAN can communicate with each other and with promiscuous ports, but not with other communities or with isolated ports. Several community VLANs can be associated with one primary VLAN.

Let’s see how to configure PVLANs

Equipment Used in this LAB:

Cisco  Catalyst 3560  – C3560-IPSERVICES-M  Version 12.2(50)SE
Cisco Router 2801 -  C2801-ADVIPSERVICESK9-M  Version 12.4(9)T4

Scenario: create one community VLAN containing SRV1 and SRV2, and one isolated VLAN containing SRV3 and SRV4. Make Gi0/1 promiscuous and connect it to the default gateway (router interface F0/0). With this configuration SRV1 and SRV2 can talk to each other and to the router. SRV3 and SRV4, in the isolated VLAN, cannot talk to each other or to SRV1 and SRV2, but they can still reach the router on F0/0 through the promiscuous port, since that is their only path out of the VLAN.

Before starting the PVLAN configuration, the switch must be put into VTP transparent mode. VTP versions 1 and 2 cannot carry private VLANs, so in server or client mode the private-vlan commands are not accepted.

!switch to Transparent mode

Switch(config)# vtp mode transparent
Setting device to VTP TRANSPARENT mode.

!Create Isolated VLAN

Switch(config)# vlan 102
Switch(config-vlan)# private-vlan isolated

!create community vlan

Switch(config)# vlan 101

Switch(config-vlan)#private-vlan community

!Create Primary VLAN and map with secondary vlans
Switch(config-vlan)# vlan 100
Switch(config-vlan)# private-vlan primary
switch(config-vlan)# private-vlan association 101 102

Our Complete Configuration looks Like This:

vlan 100
private-vlan primary
private-vlan association 101 102
!
vlan 101
private-vlan community

vlan 102
private-vlan isolated

! Create the promiscuous port and map it to the primary VLAN and its secondary VLANs

Switch(config)# interface gigabitEthernet 0/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 101,102

! Associate Gi0/2 and Gi0/3 with the primary and secondary VLANs. According to our scenario Gi0/2 and Gi0/3 belong to the community VLAN (101).

Switch(config)# interface range gigabitEthernet 0/2 - 3
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 101

! Associate Gi0/4 and Gi0/5 with the primary and secondary VLANs. According to our scenario Gi0/4 and Gi0/5 belong to the isolated VLAN (102).

Switch(config)# interface range gigabitEthernet 0/4 - 5
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 102

The configuration is complete, so let's see how the port status looks. show vlan private-vlan lists the primary/secondary pairs with their ports, and show interfaces status shows the VLAN pair each port now belongs to.

Switch# show interfaces status

Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1                        connected    100        a-full  a-100 10/100BaseTX
Gi0/2                        connected    100,101    a-full  a-100 10/100BaseTX
Gi0/3                        connected    100,101    a-full  a-100 10/100BaseTX
Gi0/4                        connected    100,102    a-full  a-100 10/100BaseTX
Gi0/5                        connected    100,102    a-full  a-100 10/100BaseTX
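As an added example (not part of the original post): a Python script that reads the private-VLAN parts of a saved running-config, checks the points this post depends on (VTP transparent mode, at most one isolated VLAN per primary, every host port and promiscuous mapping pointing at a secondary VLAN that is actually associated with the primary), and then answers the question "can port A talk to port B?" by applying the promiscuous/community/isolated rules described above. The lab configuration below is constructed to match this post's scenario, written the way IOS shows it in the running-config (interface names are spelled out, secondary lists are comma separated); the second sample is the same lab with VTP left in server mode and Gi0/5 pointed at a secondary VLAN that was never associated.

```python
import re


def _ids(s):  # "101,102" or "101 102" -> {101, 102}; ranges such as 101-103 are not handled
    return {int(x) for x in re.split(r"[,\s]+", s.strip()) if x}


def parse_pvlan_config(text):
    """Private-VLAN facts from running-config text: VTP mode, VLAN types, associations, port roles."""
    cfg = {"vtp_transparent": False, "vlans": {}, "assoc": {}, "ports": {}}
    ctx = None  # ("vlan", id) or ("if", port dict) while inside an indented block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[:1].isspace():  # a top-level statement ends whatever block we were in
            ctx = None
            if line == "vtp mode transparent":
                cfg["vtp_transparent"] = True
            elif m := re.fullmatch(r"vlan (\d+)", line):
                ctx = ("vlan", int(m.group(1)))
            elif m := re.fullmatch(r"interface (\S+)", line):
                port = {"mode": None, "primary": None, "secondary": None, "mapping": set()}
                ctx = ("if", cfg["ports"].setdefault(m.group(1), port))
            continue
        if ctx is None:
            continue
        kind, obj = ctx
        if kind == "vlan":
            if m := re.fullmatch(r"private-vlan (primary|community|isolated)", line):
                cfg["vlans"][obj] = m.group(1)
            elif m := re.fullmatch(r"private-vlan association (.+)", line):
                cfg["assoc"].setdefault(obj, set()).update(_ids(m.group(1)))
        elif m := re.fullmatch(r"switchport mode private-vlan (host|promiscuous)", line):
            obj["mode"] = m.group(1)
        elif m := re.fullmatch(r"switchport private-vlan host-association (\d+) (\d+)", line):
            obj["primary"], obj["secondary"] = int(m.group(1)), int(m.group(2))
        elif m := re.fullmatch(r"switchport private-vlan mapping (\d+) (.+)", line):
            obj["primary"], obj["mapping"] = int(m.group(1)), _ids(m.group(2))
    return cfg


def lint_pvlan(cfg):
    """Checks worth running before trusting the isolation; an empty list means clean."""
    f, vlans = [], cfg["vlans"]
    if not cfg["vtp_transparent"]:
        f.append("VTP is not in transparent mode (VTP v1/v2 cannot carry private VLANs)")
    for prim, secs in cfg["assoc"].items():
        if sum(vlans.get(s) == "isolated" for s in secs) > 1:
            f.append(f"vlan {prim}: more than one isolated VLAN associated")
    for name, p in cfg["ports"].items():
        secs = cfg["assoc"].get(p["primary"], set())
        if p["mode"] == "host" and p["secondary"] not in secs:
            f.append(f"{name}: secondary vlan {p['secondary']} is not associated with primary {p['primary']}")
        elif p["mode"] == "promiscuous" and not p["mapping"] <= secs:
            f.append(f"{name}: mapped vlans {sorted(p['mapping'] - secs)} are not associated with primary {p['primary']}")
    return f


def can_talk(cfg, a, b):
    """Layer 2 reachability from port a to port b under the private-VLAN rules."""
    pa, pb = cfg["ports"][a], cfg["ports"][b]
    if pa["primary"] is None or pa["primary"] != pb["primary"]:
        return False
    if pa["mode"] == "promiscuous":
        return pb["mode"] == "promiscuous" or pb["secondary"] in pa["mapping"]
    if pb["mode"] == "promiscuous":
        return pa["secondary"] in pb["mapping"]
    # two host ports: only members of the same community VLAN may talk; isolated ports never
    return pa["secondary"] == pb["secondary"] and cfg["vlans"].get(pa["secondary"]) == "community"


# Constructed sample: the lab in this post, the way IOS shows it in the running-config.
LAB_CONFIG = """\
vtp mode transparent
vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 101
 private-vlan community
vlan 102
 private-vlan isolated
interface GigabitEthernet0/1
 switchport private-vlan mapping 100 101,102
 switchport mode private-vlan promiscuous
interface GigabitEthernet0/2
 switchport private-vlan host-association 100 101
 switchport mode private-vlan host
interface GigabitEthernet0/3
 switchport private-vlan host-association 100 101
 switchport mode private-vlan host
interface GigabitEthernet0/4
 switchport private-vlan host-association 100 102
 switchport mode private-vlan host
interface GigabitEthernet0/5
 switchport private-vlan host-association 100 102
 switchport mode private-vlan host
"""
# Constructed sample: VTP left in server mode, and Gi0/5 pointed at a secondary VLAN that is not associated.
BROKEN_CONFIG = LAB_CONFIG.replace("vtp mode transparent", "vtp mode server").replace(
    "GigabitEthernet0/5\n switchport private-vlan host-association 100 102",
    "GigabitEthernet0/5\n switchport private-vlan host-association 100 103")
```

can_talk models only what the switch enforces at Layer 2; it knows nothing about the router behind the promiscuous port, which is exactly why the gateway ACL mentioned earlier is still needed.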




Cisco Switching Products

Friday 8 July 2011 @ 7:28 pm

Cisco Systems Inc. supports a broad range of local area network (LAN) switching architecture technologies and platforms.  The general minimal requirements that the Cisco switching platforms are designed to address include the following:

  • High-performance switched Ethernet, capable of delivering 100 Mbps and 1Gbps to the desktop, and 1Gbps or 10Gbps uplinks.
  • Quality of Service (QoS) features permitting prioritization of delay-sensitive traffic and control over packet delay and jitter.
  • Simple, highly structured, and deterministic design (Predictable – in both normal and failure recovery modes).
  • Support for both IP version 4 and IP version 6 protocols.
  • Fault tolerance (Redundancy for critical components and links ‑ eliminating network single-points-of-failure).
  • Flexibility (Network logically partitioned at Layers 2, 3 and 4, to direct traffic flow).
  • Secured through authentication, authorization and accounting (AAA) controls.
  • Modular design capable of supporting new applications and network growth without requiring “fork-lift” upgrades.
  • Scalability for cost-effective delivery of the smallest to the largest telecommunications rooms and campuses
  • Multicast protocol support for end-to-end management and optimization of streaming content delivery.
  • Switches capable of powering IP telephones over the Ethernet cable (Power over Ethernet, PoE).
  • Capable of being remotely monitored and managed using network management tools, such as HP Openview.

All Cisco switches are based on a distributed hardware architecture in which the LAN switching functions (the data plane) are separated from the switch-management functions (the control plane): one or more general-purpose central processing chips handle the latter, while port or line-card application-specific integrated circuits (ASICs) handle the former.

The general-purpose CPU handles network management functions, like user logins, SNMP, and maintenance operations like operating system booting.  The general-purpose processor controls the configuration of the switch platforms with a command-line interface.  The ASICs optimize packet and frame switching at the port and line card level in order to reduce inter-frame delays and increase overall system throughput.

Older Cisco switches ran an operating system called CatOS, with a command-line syntax based on set and clear statements.  Newer switches run the Cisco Internetwork Operating System (IOS), which is common to both switching and routing platforms.  CatOS is end-of-life and end-of-sale, so only IOS configurations are shown here.  The next-generation Nexus data-center platforms run NX-OS, whose command syntax is very close to that of IOS, but most of the Cisco switch product line is based on IOS.

Cisco switching utilizes recommendations for a hierarchical design in switched network infrastructures, called core, distribution, and access layers.  It is acceptable to combine the functions of the core and distribution layers in smaller switched networks, which is called a collapsed core design.  The functions of each layer are as follows:

Core layer

  • Links to WAN (Internet or other wide-area network)
  • Links to distribution switches
  • Additional Virtual Local Area Networks (VLANs), used for routed ports and WAN-facing ports

Distribution Layer

  • Server connections
  • Links to downstream (closet) access switches via layer 2 or layer 3 links.
  • Site services, like wireless LAN controllers
  • Service VLANs—To forward traffic to the service modules, such as the client VLAN of a content switch
  • Fault tolerant VLANs—For redundancy with CSM, FWSM, CSS, and so forth

Access Layer

  • Client connectivity at 10/100/1000Mbps



Deleting the VLAN Database from a Cisco Switch

Sunday 14 November 2010 @ 8:28 pm

If you have your own Cisco switch equipment in a home lab or at work, you may have run into the situation where you want to erase the whole switch configuration, including any VLANs already configured on the switch. On a Cisco switch, erasing the startup configuration is one thing and erasing the VLANs is another.

It is good practice to erase everything on a switch (both the configuration and the VLAN database) before using it in another part of your network. Old settings left on the switch can cause conflicts, and the VLAN database is the dangerous part: it also carries the VTP domain name, password and configuration revision number, and a switch with a stale, higher revision number that joins a VTP domain as a server or client can overwrite the VLAN database of every switch in that domain.

Now let us see how to delete the configuration and Vlans from a Cisco switch.

1) Deleting the switch configuration

This is the easy part. It’s the same as deleting the configuration from any other Cisco network IOS device. Basically you need to delete the “startup-configuration” and then reboot the switch.

Switch#erase startup-config

Erasing the nvram filesystem will remove all configuration files! Continue?

[confirm]

[OK]

Erase of nvram: complete

Switch#reload

2) Deleting the switch Vlans

The strange part is that after deleting the switch configuration you will notice that the Vlans are still there.

Switch#show vlan brief

2   VLAN0002                         active
3   VLAN0003                         active
4   VLAN0004                         active

The output of "show vlan brief" shows that the three user-created VLANs are still configured (the default VLAN 1 and VLANs 1002 to 1005 always exist and cannot be deleted). These VLANs survive erasing the startup configuration because they are stored separately, in a file in flash memory called "vlan.dat". You can see this file by listing what is stored in flash:

Switch#show flash:

Directory of flash:/

1  -rw-     4414921          <no date>  c2960-lanbase-mz.122-25.FX.bin

2  -rw-         616          <no date>  vlan.dat

64016384 bytes total (59600847 bytes free)

As you can see from output above, the file “vlan.dat” is stored in flash. You have to delete this file in order to completely erase all vlans on the switch.

Switch#delete vlan.dat

Delete filename [vlan.dat]?

Delete flash:/vlan.dat? [confirm]

Switch#sh flash

Directory of flash:/

1  -rw-     4414921          <no date>  c2960-lanbase-mz.122-25.FX.bin

64016384 bytes total (59601463 bytes free)

Switch#reload

After entering "delete vlan.dat", confirm the two prompts with Enter and the file is gone. Then reload the switch; it comes up with only the default VLANs and with the VTP configuration revision number reset.



