Cisco VLAN ACL

VLAN access lists (VACLs)
A VACL is a filter that directly affects how packets are handled within a VLAN, including traffic that is only bridged between two ports in the same VLAN and therefore never reaches a router ACL.
Typical uses are restricting which hosts (by IP or MAC address) may talk to each other inside a VLAN and redirecting or capturing selected intra-VLAN traffic.

VACL rules
1. The same three evaluation rules as an ordinary ACL apply: entries are evaluated top-down, the first match wins, and there is an implicit deny (drop) at the end.
2. There is no inbound/outbound direction; the map applies to all traffic in the VLAN, whichever side sent it.
3. It is applied before router ACLs and NAT: the VACL is checked at Layer 2 as the packet enters the VLAN, before the router ACL on the SVI or any NAT sees it (for traffic routed into a VLAN, the VACL of the destination VLAN is checked after the output router ACL).
ps:
ACL processing order for ingress traffic is PACL > VACL > RACL, i.e. the port ACL is checked first, then the VLAN map, then the router ACL on the SVI.
ps:
PACL (port ACL)
A Layer 2 ACL applied to a physical port; inbound only; may be an IP ACL or a MAC ACL.
When a port ACL is applied to a trunk port, it filters traffic on all VLANs present on the trunk port.
When a port ACL is applied to a port with a voice VLAN, it filters traffic on both the data and the voice VLAN.
Not supported on EtherChannel.

VACLs vs RACLs (router ACLs)/traditional ACLs
Differences:
1. A VACL can permit, deny, or redirect packets as they are matched, even if they are not routed to another Layer 3 interface (a RACL only sees routed traffic).
2. VLAN maps cannot be applied to a VLAN (SVI) interface. Because a VACL has no inbound/outbound direction, the match ACL must be written with care: it sees both directions of every conversation in the VLAN, so "source" and "destination" in an ACE refer to the packet being inspected, not to who initiated the session.
3. RACLs support IP ACLs only (VACLs can also match MAC ACLs).
Similarities:
1. VACLs are merged into the TCAM, so like RACLs they are evaluated in hardware at wire speed.
2. VACLs are configured in a route-map fashion, with a series of matching conditions and actions to take.
ps:
VACLs are configured as a VLAN access map in much the same format as a route map.
ps:
VLAN maps and router ACLs can be used in combination.

Defining the VACL
1. Create the access map and give it a name
(config)# vlan access-map <map-name> [sequence-number]
Parameters:
<map-name> a name you choose for the access map
[sequence-number] the position of this entry; access map statements are evaluated in ascending sequence order and the first entry whose match clause is satisfied decides the action
2. Define the access-map matching conditions
(config-access-map)# match {ip | ipx | mac} address <acl>
Parameters:
<acl> a previously defined access list, given by number or by name, used as the matching criterion
Matching is performed by access lists (IP, IPX, or MAC address ACLs), which you must configure independently. Only packets the ACL permits count as matched; a packet that hits a deny entry (or falls through to the ACL's own implicit deny) is not matched by this entry and is checked against the next sequence.
ps: You can repeat these commands to define several matching conditions
ex:
match ip address acl_info
match ip address 105
match ipx address acl_office
match mac address acl_school
3. Define the access-map action
(config-access-map)# action {drop | forward [capture] | redirect <interface>}
An entry with no match clause matches every packet; that is how a catch-all "forward" entry is written. A packet that matches no entry hits the implicit deny at the end of the map and is dropped (this applies per packet type: if the map has at least one match clause for IP packets, an unmatched IP packet is dropped; a packet type for which the map has no match clause at all is forwarded).
ps:
The TCAM performs the entire VACL match and action as packets are switched or bridged within a VLAN or routed into or out of a VLAN.

Applying the VACL to a VLAN
(config)# vlan filter <map-name> vlan-list <vlan-list>
<map-name> the access map defined above
<vlan-list> the VLAN(s) to filter, given as VLAN IDs, not as SVIs
ps:
The SVI is the point where packets enter or leave a VLAN, so it does not make sense to apply a VACL there; the VACL needs to function within the VLAN itself, where there is no inbound or outbound direction.

ex:
Filter traffic within VLAN 99 so that host 192.168.99.17 is not allowed to reach any host on its local subnet; all other traffic is forwarded.
Switch(config)# ip access-list extended local-17
Switch(config-ext-nacl)# permit ip host 192.168.99.17 192.168.99.0 0.0.0.255
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map mapblock 10
Switch(config-access-map)# match ip address local-17
Switch(config-access-map)# action drop
Switch(config-access-map)# vlan access-map mapblock 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter mapblock vlan-list 99
Two things to note. First, the ACL says "permit" even though the intent is to block: in a VLAN map "permit" only means "this entry matches", and the action line decides what happens. Second, sequence 20, which has no match clause and therefore matches everything, is required; without it every other IP packet in VLAN 99 would fall through to the map's implicit deny and be dropped. Because the VACL has no direction, this ACL only catches packets sourced by 192.168.99.17; packets sent to it from the subnet still match sequence 20 and are forwarded (moot once the first packet is dropped, but add a second ACE with the addresses reversed if traffic to the host must be blocked as well).
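The evaluation rules above (ascending sequence order, "permit" in the match ACL means "matched", a deny ACE falls through to the next sequence, implicit drop at the end of the map, no direction) are easy to get wrong on a live switch. The following is an added example, not part of the original notes and not Cisco code: a small Python model of VLAN access-map evaluation that replays the VLAN 99 configuration above against constructed packets. It assumes ACEs written as CIDR strings (the switch's 192.168.99.0 0.0.0.255 is 192.168.99.0/24 here), models only source/destination IP matching, and models only the drop and forward actions; the ACL and map names mirror the example, and the variants LOCAL_17_BOTH and MAPBLOCK_NO_CATCHALL are constructed to show the direction caveat and the missing catch-all mistake.

```python
# Added example (not from the original notes): a model of Cisco VLAN access-map
# evaluation, used to sanity-check a VACL design before deploying it.
# Assumptions: ACEs use CIDR strings (192.168.99.0 0.0.0.255 == 192.168.99.0/24);
# only src/dst IP matching and the drop/forward actions are modelled.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Ace:
    """One entry of an extended IP ACL: permit/deny src -> dst (CIDR strings)."""
    permit: bool
    src: str
    dst: str


@dataclass
class Packet:
    src: str
    dst: str


def acl_lookup(acl: List[Ace], pkt: Packet) -> Optional[bool]:
    """First-match ACL evaluation.

    Returns True (permit), False (deny) or None when no ACE matches. Inside a
    VLAN map both False and None mean 'this sequence does not match'."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for ace in acl:
        if src in ip_network(ace.src) and dst in ip_network(ace.dst):
            return ace.permit
    return None


@dataclass
class MapEntry:
    seq: int
    acl: Optional[List[Ace]]  # None = no match clause, so every packet matches
    action: str               # "drop" or "forward" (redirect/capture not modelled)


def evaluate_vlan_map(entries: List[MapEntry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Evaluate the map the way the switch does: ascending sequence order, the
    first matching sequence wins, and a sequence only matches when its ACL
    permits the packet (a deny ACE just sends the packet to the next sequence).
    A packet that matches no sequence hits the implicit deny and is dropped."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.acl is None or acl_lookup(entry.acl, pkt) is True:
            return entry.action, entry.seq
    return "drop", None  # implicit deny at the end of every VLAN map


# --- constructed data mirroring the VLAN 99 example ---------------------------
LOCAL_17 = [Ace(True, "192.168.99.17/32", "192.168.99.0/24")]
# Same ACL with the reverse direction added: a VACL has no in/out side, so if
# traffic *to* the host must be blocked as well, the ACL has to say so explicitly.
LOCAL_17_BOTH = LOCAL_17 + [Ace(True, "192.168.99.0/24", "192.168.99.17/32")]

MAPBLOCK = [MapEntry(10, LOCAL_17, "drop"), MapEntry(20, None, "forward")]
MAPBLOCK_BOTH = [MapEntry(10, LOCAL_17_BOTH, "drop"), MapEntry(20, None, "forward")]
MAPBLOCK_NO_CATCHALL = [MapEntry(10, LOCAL_17, "drop")]  # common mistake: no seq 20


def demo() -> Dict[str, Tuple[str, Optional[int]]]:
    """Replay a few constructed packets through the three map variants."""
    to_peer = Packet("192.168.99.17", "192.168.99.50")    # host 17 -> local peer
    from_peer = Packet("192.168.99.50", "192.168.99.17")  # local peer -> host 17
    off_subnet = Packet("192.168.99.17", "10.1.1.1")      # host 17 -> off the subnet
    return {
        "17->peer": evaluate_vlan_map(MAPBLOCK, to_peer),                   # ("drop", 10)
        "peer->17": evaluate_vlan_map(MAPBLOCK, from_peer),                 # ("forward", 20)
        "17->off-subnet": evaluate_vlan_map(MAPBLOCK, off_subnet),          # ("forward", 20)
        "peer->17 (both dirs)": evaluate_vlan_map(MAPBLOCK_BOTH, from_peer),  # ("drop", 10)
        "peer->17 (no seq 20)": evaluate_vlan_map(MAPBLOCK_NO_CATCHALL, from_peer),  # ("drop", None)
    }


if __name__ == "__main__":
    for name, (action, seq) in demo().items():
        print(f"{name:22s} -> {action} (sequence {seq})")
```

Running it shows the "no seq 20" variant dropping an unrelated packet with sequence None, i.e. the implicit deny, which is exactly the outage a missing catch-all entry causes on the real switch; the "both dirs" variant shows that blocking traffic toward the host requires a second, reversed ACE rather than any direction keyword.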


ps:
Switch(config-access-map)#?
Vlan access-map configuration commands:
 action Take the action
  drop Drop packets
  forward Forward packets
 default Set a command to its defaults
 exit Exit from vlan access-map configuration mode
 match Match values.
  ip address
  mac address
 no Negate a command or set its defaults