VLAN access lists (VACL)
VACL are filters that directly can affect how packets are handled within a VLAN
mitigating MAC address flooding attacks<\/p>\n\n\n\n
VACL\u898f\u5247<\/strong> VACL vs RACLs(route acl)\/traditional ACLs define the VACL ex: VLAN access lists (VACL)VACL a …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[31],"tags":[],"class_list":["post-874","post","type-post","status-publish","format-standard","hentry","category-cisco-security"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/874","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=874"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/874\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=874"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=874"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=874"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
1\u8207ACL\u76843\u500b\u898f\u5247\u4e00\u6a23
2\u6c92\u6709in-bound\u548cout-bound\u7684\u5206\u5225
3\u4f5c\u7528\u5728ACL\u548cNAT\u4e4b\u524d
ps:
acl\u6aa2\u67e5\u512a\u5148\u9806\u5e8f\u70baPACL > VACL > RACL
ps:
PACL(port acl)
\u70baL2 ACL,\u53ea\u770bInbound,\u53ef\u9069\u7528\u65bcIP-ACL\u548cMAC-ACL
apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port.
apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs.
\u4e0d\u652f\u63f4etherchannel<\/p>\n\n\n\n
not same:<\/strong>
1. VACL can permit, deny, or redirect packets as they are matched , even if they are not routed to another Layer 3 interface
2. VLAN maps can not be applied to a VLAN interface,\u56e0\u70bavacl\u6c92\u6709inbound\u548coutbound\u7684\u5206\u5225,\u56e0\u6b64acl\u8a2d\u5b9a\u6642\u8981\u7279\u5225\u6ce8\u610f
3. RACL\u53ea\u7528\u65bcIP ACL
same:<\/strong>
1. VACLs are merged into the TCAM
2. VACLs are configured in a route map fashion, with a series of matching conditions and actions to take
ps:
VACLs are configured as a VLAN access map in much the same format as a route map
ps:
VLAN maps and router ACLs can be used in combination.<\/p>\n\n\n\n
1
\u81ea\u8a02\u4e00\u500bvacl\u540d\u7a31
(config)# vlan access-map < map-name > [sequence-number]<\/strong>
\u53c3\u6578\u8aaa\u660e\u5982\u4e0b
< map-name > \u81ea\u8a02\u4e00\u500baccess-map\u540d\u7a31
[sequence-number] Access map statements are evaluated in sequence
2
define the access-map matching conditions
(config-access-map)# match < ip | ipx | mac > address < acl><\/strong>
\u53c3\u6578\u8aaa\u660e\u5982\u4e0b
< acl > \u4ee5\u4e4b\u524d\u5b9a\u7fa9\u7684access-list,\u505a\u70ba\u6bd4\u5c0d\u7684\u4f9d\u64da,\u53ef\u4ee5\u662facl-number\u6216acl-name
Matching is performed by access lists (IP, IPX, or MAC address ACLs), which you must configure independently
ps:You can repeat these commands to define several matching conditions
ex:
match ip address acl_info
match ip address 105
match ipx address acl_office
match mac address acl_school
3
Define the access-map action
(config-access-map)# action < drop | forward [capture] | redirect < interface >><\/strong>
ps:
The TCAM performs the entire VACL match and action as packets are switched or bridged
within a VLAN or routed into or out of a VLAN.
apply the VACL to a VLAN
(config)# vlan filter < map-name > vlan-list < vlan-list><\/strong>
< map-name > \u5b9a\u7fa9\u597d\u7684access-map
< vlan-list > \u6307\u5b9avlan,\u800c\u4e0d\u662fSVI
ps:
The SVI is the point where packets enter or leave a VLAN, so it does not make sense to apply a VACL there
the VACL needs to function within the VLAN itself, where there is no inbound or outbound direction<\/p>\n\n\n\n
to filter traffic within VLAN 99 so that host 192.168.99.17 is not allowed to any host on its local subnet , otherwise, the packet is forwarded
Switch(config)# ip access-list extended local-17
Switch(config-acl)# permit ip host 192.168.99.17 192.168.99.0 0.0.0.255
Switch(config-acl)# exit
Switch(config)# vlan access-map mapblock 10
Switch(config-access-map)# match ip address local-17
Switch(config-access-map)# action drop
Switch(config-access-map)# vlan access-map mapblock 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter mapblock vlan-list 99<\/p>\n\n\n\n
ps:
Switch(config-access-map)#?
Vlan access-map configuration commands:
\u3000action Take the action
\u3000\u3000drop Drop packets
\u3000\u3000forward Forward packets
\u3000default Set a command to its defaults
\u3000exit Exit from vlan access-map configuration mode
\u3000match Match values.
\u3000\u3000ip address
\u3000\u3000mac address
\u3000no Negate a command or set its defaults<\/p>\n","protected":false},"excerpt":{"rendered":"