16 May 2010

Enforcing Security Policies with VACLs

Routers use IP access control lists (ACLs) to permit or deny specific traffic entering or leaving a network interface, so a router ACL only sees traffic as it crosses between network address spaces. Traffic between two hosts in the same VLAN never passes through a router interface and is therefore never inspected by a router ACL.

However, a Cisco Catalyst switch can apply an ACL within a VLAN, to traffic switched between hosts in that VLAN as well as to traffic routed into or out of it. This intra-VLAN ACL is called a VLAN access control list (VACL), also known as a VLAN map. The example below shows a VACL intended to permit Telnet traffic to the host at IP address 10.1.1.2 while denying all other IP traffic. Access list 100 matches TCP traffic from any source to 10.1.1.2 on the Telnet port. A vlan access-map named ALLOWTELNET is configured to match access list 100; for sequence number 10, the specified action is to forward traffic matching that access list. Any packet not matched by a sequence of the access map is dropped by the implicit drop at the end of the map, so nothing needs to be configured for the deny. Finally, the vlan filter command applies the access map (that is, the VACL) to VLANs 1 through 100.

One caveat a practitioner should keep in mind: a VACL is stateless and has no direction. It is evaluated against every packet in the VLAN, whether that packet is going to or coming from 10.1.1.2. As written, Telnet replies from 10.1.1.2 (source port 23) do not match access list 100 and are dropped by the implicit drop, so the Telnet session will not actually complete until a second entry permitting TCP from host 10.1.1.2 port 23 to any destination is added.

Example Configuring a VACL

SW3550(config)# access-list 100 permit tcp any host 10.1.1.2 eq telnet
SW3550(config)# vlan access-map ALLOWTELNET 10
SW3550(config-access-map)# match ip address 100
SW3550(config-access-map)# action forward
SW3550(config-access-map)# exit
SW3550(config)# vlan filter ALLOWTELNET vlan-list 1-100
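The same VACL with the reverse entry for the Telnet replies, plus the show commands used to check that the map and filter took effect. This is an added example, not configuration from the original post or from the exam guide; the host address, access-map name and VLAN range are reused from the example above, and it is written in running-config form with ! comments rather than as a CLI transcript.

```cisco
! Added example (not the original post's config): a VACL that lets a Telnet
! session to 10.1.1.2 actually complete. VACLs are stateless and have no
! direction, so both halves of the TCP conversation need a permit entry.
!
! Client -> server: any source to 10.1.1.2, TCP destination port 23
access-list 100 permit tcp any host 10.1.1.2 eq telnet
! Server -> client: replies from 10.1.1.2 with TCP source port 23. This entry
! is missing from the example above; without it every reply is dropped.
access-list 100 permit tcp host 10.1.1.2 eq telnet any
!
! Sequence 10 forwards whatever access list 100 permits. Any IP packet that
! does not match a sequence of the map hits the implicit drop at the end.
vlan access-map ALLOWTELNET 10
 match ip address 100
 action forward
!
! Apply the map to VLANs 1 through 100
vlan filter ALLOWTELNET vlan-list 1-100
```

To verify, use show vlan access-map ALLOWTELNET to list the sequences, match clauses and actions of the map, and show vlan filter to confirm which VLANs the map is applied to. To back the change out, use no vlan filter ALLOWTELNET vlan-list 1-100, which detaches the map without deleting it.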



See Also:
SW Intra-VLAN ACL

CCNA Security Official Exam Certification Guide (Exam 640-553)



biOos
