VACL is an acronym for VLAN Access Control List. It is specifically created to filter and redirect VLAN traffic. It operates like a typical port-based ACL, but instead of being enabled per port or per L3 interface, it is enabled on a per-VLAN basis.
Two Functions:
1st : VLAN ACL
=============
VACLs can provide access control for all packets that are bridged within a VLAN (L2 level). Unlike regular Cisco IOS ACLs, which are configured on router interfaces and applied to routed packets only (L3 level), VACLs apply to all packets and can be applied to any VLAN or WAN interface. When you configure a VACL and apply it to a VLAN, all packets that enter the VLAN are checked against this VACL.
Guidelines for the capture option in VACL.
===============================
- If you apply a VACL to the VLAN and an ACL to a routed interface in the VLAN, a packet that comes into the VLAN is first checked against the VACL and, if permitted, is then checked against the input ACL before it is handled by the routed interface.
- When the packet is routed to another VLAN, it is first checked against the output ACL that is applied to the routed interface, and, if permitted, the VACL configured for the destination VLAN is applied.
- If a VACL is configured for a packet type and a packet of that type does not match the VACL, the default action is deny.
First we need to define the access list, as below:
Access list
==========
(config)# access-list 1 permit 10.1.10.0 0.0.0.255 >> standard access-list
OR
(config)# ip access-list extended HTTP_TRAFFIC >> extended access-list
(config-ext-nacl)# permit tcp 10.20.20.128 0.0.0.127 host 10.10.10.101 eq www >> HTTP traffic from a range of hosts (10.20.20.128/25) to server 10.10.10.101
(config-ext-nacl)# exit
There is also MAC Policy-Based Forwarding, a type of MAC-based VACL by which packets can be bridged between VLANs based solely on the source and destination MAC addresses, ignoring any information above Layer 2.
==========
(config)# mac access-list extended SERVER
(config-ext-macl)# permit any host 1111.2222.3333 --> permit any source mac-address to access this destination
Just like a route map, there is the VLAN access map:
==========
(config)# vlan access-map DEMO 10 >> same as a route map: name DEMO, seq no. 10
(config-access-map)# match ip address 1 >> match IP access list 1
(config-access-map)# action forward
(config)# vlan access-map DEMO 20
(config-access-map)# action drop
OR
(config)# vlan access-map HTTP_MAP 10
(config-access-map)# match ip address HTTP_TRAFFIC << Configures the match clause in a VLAN access map sequence
(config-access-map)# action forward capture << The capture action sets the capture bit for the forwarded packets so that ports with the capture function enabled can receive the packets. Only forwarded packets can be captured
(config)# vlan access-map HTTP_MAP 20
(config-access-map)# action drop
Note : VACLs have an implicit deny at the end of the map
Apply the VLAN access map through a VLAN filter (VACL)
===========
(config)# vlan filter DEMO vlan-list 10 << Applies the VLAN access map to the specified VLANs or WAN interfaces.
OR
(config)# vlan filter HTTP_MAP vlan-list 100 << Applies the VLAN access map to the specified VLANs or WAN interfaces.
Configure the Capture Port.
===========
(config)# interface fa3/30
(config-if)# switchport capture allowed vlan 100 << Filters the captured traffic on a per-destination-VLAN basis.
(config-if)# switchport capture << Configures the port to capture VACL-filtered traffic.
(config-if)# exit
To verify the above, we have two show commands:
=================
show vlan access-map ---> Displays the contents of the VLAN access maps.
Switch# show vlan access-map HTTP_MAP
Vlan access-map "HTTP_MAP" 10
match: ip address HTTP_TRAFFIC
action: forward capture
Vlan access-map "HTTP_MAP" 20
action: drop
show vlan filter ---> Displays information about the VLAN Filters.
Switch# show vlan filter
VLAN Map HTTP_MAP:
Configured on VLANs: 100
Active on VLANs: 100
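The following Python model ties the steps above together. It is an added example, not Cisco code and not from the original post: it parses the page's own access-list lines (wildcard masks, `host`, `any`, `eq www`), walks the access-map sequences in order, applies the implicit deny at the end of the map, sets the capture bit only on forwarded packets, and evaluates the VACL before the routed interface's input ACL as the guidelines above describe. The packet fields (`src`, `dst`, `proto`, `dport`) and the sequence dictionaries are this model's own names. The rule that only a permit ACE in the match ACL selects a sequence, while a deny ACE falls through to the next sequence, is an assumption about platform behaviour and is marked as such in the code.

```python
"""Model of VACL evaluation: ACL parsing with wildcard masks, access-map
sequences with forward/drop/capture, implicit deny, and VACL-before-routed-ACL
ordering. Added example; not Cisco code."""
import ipaddress

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23}
FULL = 0xFFFFFFFF


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _addr_spec(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tok[i].
    Returns ((network, wildcard), next_index)."""
    if tok[i] == "any":
        return (0, FULL), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    if i + 1 < len(tok) and tok[i + 1].replace(".", "").isdigit():
        return (_ip(tok[i]), _ip(tok[i + 1])), i + 2
    return (_ip(tok[i]), 0), i + 1  # bare address: IOS treats it as a host


def parse_ace(line):
    """Parse one ACE: 'access-list N permit SRC [WILD]' (standard, source only)
    or 'permit PROTO SRC DST [eq PORT]' (extended; source-port options omitted)."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]
        src, _ = _addr_spec(tok, 1)
        return {"action": tok[0], "proto": "ip", "src": src, "dst": (0, FULL), "dport": None}
    src, i = _addr_spec(tok, 2)
    dst, i = _addr_spec(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return {"action": tok[0], "proto": tok[1], "src": src, "dst": dst, "dport": dport}


def _in(addr, spec):
    net, wild = spec  # wildcard bit set = "don't care"
    return (addr ^ net) & (FULL ^ wild) == 0


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not _in(_ip(pkt["src"]), ace["src"]) or not _in(_ip(pkt["dst"]), ace["dst"]):
        return False
    return ace["dport"] is None or ace["dport"] == pkt.get("dport")


def acl_lookup(acl, pkt):
    """First-match evaluation: 'permit', 'deny', or None when no ACE hits."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return None


def evaluate_access_map(access_map, acls, pkt):
    """Walk sequences in order; a sequence without a match clause matches all.
    Assumption: only a permit ACE in the referenced ACL selects the sequence,
    a deny ACE falls through. No sequence hit => implicit deny (drop)."""
    for seq in sorted(access_map, key=lambda s: s["seq"]):
        name = seq.get("match")
        if name is None or acl_lookup(acls[name], pkt) == "permit":
            action = seq["action"]
            return action, "capture" in action  # capture bit only on forwarded packets
    return "drop (implicit deny)", False


def ingress_decision(access_map, acls, routed_acl, pkt):
    """Page guideline: VACL first; only forwarded packets reach the routed
    interface's input ACL, which itself ends in an implicit deny."""
    action, captured = evaluate_access_map(access_map, acls, pkt)
    if not action.startswith("forward"):
        return {"vacl": action, "captured": captured, "routed": "not reached"}
    verdict = acl_lookup(routed_acl, pkt) or "deny (implicit)"
    return {"vacl": action, "captured": captured, "routed": verdict}


# The page's configuration, as data
ACLS = {
    "HTTP_TRAFFIC": [parse_ace("permit tcp 10.20.20.128 0.0.0.127 host 10.10.10.101 eq www")],
    "1": [parse_ace("access-list 1 permit 10.1.10.0 0.0.0.255")],
}
HTTP_MAP = [{"seq": 10, "match": "HTTP_TRAFFIC", "action": "forward capture"},
            {"seq": 20, "action": "drop"}]
DEMO = [{"seq": 10, "match": "1", "action": "forward"}, {"seq": 20, "action": "drop"}]

# Constructed sample packets (not from the page)
PKT_HTTP = {"src": "10.20.20.200", "dst": "10.10.10.101", "proto": "tcp", "dport": 80}
PKT_SSH = {"src": "10.20.20.200", "dst": "10.10.10.101", "proto": "tcp", "dport": 22}
PKT_LAN = {"src": "10.1.10.5", "dst": "10.10.10.101", "proto": "udp", "dport": 53}

if __name__ == "__main__":
    for pkt in (PKT_HTTP, PKT_SSH, PKT_LAN):
        print(pkt["src"], pkt["dport"], ingress_decision(HTTP_MAP, ACLS, ACLS["1"], pkt))
```

Running `HTTP_MAP[:1]` (the map without its trailing `action drop`) against a non-HTTP packet shows the implicit deny doing the same work as the explicit sequence 20, which is why the page's note about the implicit deny matters when a map is edited later.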
=============================================================
2nd : VLAN based SPAN
===================
VACLs can be used like a SPAN port or a network tap: a way to replicate or copy traffic from one or more source ports in any VLAN, or from one or more VLANs, to a destination port for analysis. This is useful if you want to monitor that traffic to determine the health of the application(s) running on those computers, or the health of the network itself.
====================
Note : VACLs were not primarily designed to monitor traffic, but since they offer a wide range of capability to classify traffic, the Capture Port feature was introduced so that network traffic analysis becomes much simpler.
You can use a SPAN to copy traffic to another switch interface, where you can use tcpdump to record what's happening. Let's say your source is on F0/1. You have a Linux box plugged into F0/24 ready to capture the traffic. Here's what you do.
(config)# monitor session 1 source interface F0/1 both << here means both IN and OUT Traffic
(config)# monitor session 1 destination interface F0/24
OR
(config)# monitor session 50 source vlan 100 , 200 << Default is to monitor both received and transmitted traffic
(config)#monitor session 50 destination interface Fa3/30
I checked the destination interface configured for monitoring and found its status is up/down.
Investigating, I found the below.
Notice: no input data, output only.
Switch# sh int F0/24
FastEthernet0/24 is up, line protocol is down (monitoring) <<<<
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 618254000 bits/sec, 121492 packets/sec
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
1129155447019 packets output, 704847199066481 bytes, 0 underruns
When you configure SPAN, the destination port becomes a monitoring port. It is in promiscuous mode and listens to any packet being mirrored to it.
The port can no longer be used for sending normal traffic.
To show the SPAN monitor session configured:
Switch# show monitor session 1
----------
Type : Local Session
Source Ports :
Both : Fa0/1
Destination Ports : Fa0/24
Switch# show monitor detail
Session 50
----------
Type : Local Session
Source Ports :
RX Only : None
TX Only : None
Both : None
Source VLANs :
RX Only : None
TX Only : None
Both : 100,200
Source RSPAN VLAN : None
Destination Ports : Fa3/30
Filter VLANs : None
Dest RSPAN VLAN : None
There are two big things to keep in mind when doing SPANs. The first is that monitoring a port can drive CPU utilization way up (depending on the platform and traffic volume), so you may run into problems if you have a bunch of SPANs going at the same time. Related to this is the fact that, if your switch has to decide between switching and copying traffic, it will stop copying until there’s enough CPU headroom to do that safely, and you’ll lose packets in the meantime. It’s a switch — not a copier.
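A small check for the verification step above, added here as an example (it is not from the original post and is not a Cisco tool): it parses `show interfaces` output in the shape shown on the page and classifies the port the way the text interprets it, with `line protocol is down (monitoring)` marking a SPAN destination, no input, and mirrored traffic leaving the port. The second and third samples are constructed to show a normal port and an idle destination; the function and field names are this example's own.

```python
"""Parse 'show interfaces' output and classify a SPAN destination port.
Added example; not a Cisco tool. Sample text below is constructed in the
shape of the output shown on the page."""
import re

SAMPLE_SPAN_DEST = """FastEthernet0/24 is up, line protocol is down (monitoring)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 618254000 bits/sec, 121492 packets/sec
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     1129155447019 packets output, 704847199066481 bytes, 0 underruns
"""

# Constructed: an ordinary access port carrying traffic in both directions
SAMPLE_NORMAL_PORT = """FastEthernet0/1 is up, line protocol is up
  5 minute input rate 12000 bits/sec, 15 packets/sec
  5 minute output rate 8000 bits/sec, 9 packets/sec
"""

# Constructed: a SPAN destination whose session is not delivering anything
SAMPLE_IDLE_DEST = """FastEthernet0/24 is up, line protocol is down (monitoring)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
"""

HEADER_RE = re.compile(
    r"^(\S+) is (.+?), line protocol is ([a-z]+)(?: \(([a-z]+)\))?", re.M)
RATE_RE = re.compile(
    r"5 minute (input|output) rate (\d+) bits/sec, (\d+) packets/sec")


def parse_show_interface(text):
    """Return interface name, admin/line-protocol state, the parenthesised
    flag (e.g. 'monitoring') if present, and the 5-minute rates."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no 'is ..., line protocol is ...' header found")
    info = {"interface": m.group(1), "admin": m.group(2),
            "line_protocol": m.group(3), "flag": m.group(4)}
    for direction, bps, pps in RATE_RE.findall(text):
        info[f"{direction}_bps"] = int(bps)
        info[f"{direction}_pps"] = int(pps)
    return info


def assess_span_destination(text):
    """Classify the port as the page describes a SPAN destination:
    'down (monitoring)' line protocol, zero input, mirrored output."""
    i = parse_show_interface(text)
    if i["flag"] != "monitoring":
        return "not a SPAN destination"
    if i.get("output_pps", 0) == 0:
        return "SPAN destination, no mirrored traffic (check session source and status)"
    if i.get("input_pps", 0) > 0:
        return "SPAN destination active, but ingress traffic seen on a port that no longer carries normal traffic"
    return "SPAN destination active"


if __name__ == "__main__":
    for sample in (SAMPLE_SPAN_DEST, SAMPLE_NORMAL_PORT, SAMPLE_IDLE_DEST):
        print(parse_show_interface(sample)["interface"], "->", assess_span_destination(sample))
```

Run against the page's own output the check reports the destination as active; a zero output rate on a `(monitoring)` port points back at the session configuration (`show monitor`) rather than at the capture host.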
=====================
PACL provides the ability to perform access control on specific Layer 2 ports. A Layer 2 port is a physical LAN or trunk port that belongs to a VLAN. Port ACLs are applied only to ingress traffic, i.e. they perform access control on all traffic entering the specified Layer 2 port.
Note : The PACL feature does not affect Layer 2 control packets received on the port.
PACLs use the following modes:
• Prefer port mode : If a PACL is configured on a Layer 2 interface, the PACL takes effect and overwrites the effect of other ACLs (Cisco IOS ACL and VACL).
• Merge mode : In this mode, the PACL, VACL, and Cisco IOS ACLs are merged in the ingress direction. This is the default access group mode.
Switch(config-if)# access-group mode {prefer port | merge}
Switch(config-if)# no access-group mode << returns to the default value which is merge mode
Note : A PACL can be configured on a trunk port only after prefer port mode has been selected. Trunk ports do not support merge mode.
(config)# access-list 1 permit 10.1.10.0 0.0.0.255
(config-if)# ip access-group 1 in >> IP access list, inbound direction only
OR
(config)# mac access-list extended SERVER
(config-ext-macl)# permit any host 1111.2222.3333
(config-if)# mac access-group SERVER in >> applies the named MAC access list SERVER inbound on the port
Dear Readers, If you have any notice on what's stated above or you want to discuss something , feel free to leave a comment. Thanks :)
And God is the grantor of success.