= Cisco VLAN Access Lists
This page gives a basic overview of how to configure access lists on VLAN interfaces on Cisco switches. It was written with [[nimnetwork]] in mind, so the ports in the example below are the ones that setup needs.
= How to create a VLAN
Log into the VLAN database switch (core switch) with level 15 access and issue these commands (placeholders in angle brackets; the example further down shows the filled-in form):
vlan database
vlan <vlan-id> name <vlan-name>
exit
= Adding an IP address to the VLAN
Log into the VLAN database switch (core switch) with level 15 access and issue these commands:
conf t (enters global configuration mode)
interface vlan <vlan-id>
ip address x.x.x.x x.x.x.x (address and subnet mask)
no shutdown (activates the VLAN interface)
exit
== VLAN check
Log into the VLAN database switch (core switch) with level 15 access and issue one of these commands:
show vlan
or
show ip interface brief
You can also issue
show run
or, when you are in a configuration mode rather than privileged EXEC:
do show run
= Adding an access list to a VLAN
Log into the VLAN database switch (core switch) with level 15 access and issue these commands:
conf t (enters global configuration mode)
interface vlan <vlan-id>
ip access-group <acl-number> in
ip access-group <acl-number> out
ip helper-address <server-ip> (forwards the VLAN's UDP broadcasts, such as BOOTP/DHCP, to that server)
**NOTE**
> in
>> Filters packets sent by the hosts on the VLAN, i.e. packets received on the router (VLAN) interface.
> out
>> Filters packets sent to the hosts on the VLAN, i.e. packets transmitted out of the router interface. The default is out.
= Adding the access list to the switch
Log into the VLAN database switch (core switch) with level 15 access and issue these commands:
conf t (enters global configuration mode)
Enter the access-list lines (paste them from your favorite text editor)
== Access list check
show access-lists
show access-lists | include Extended
= Access List Example NIM
NIM Server: 10.10.3.7
NIM Client: 10.11.1.2 (VLAN 29)
DNS Server: 10.10.10.100
vlan database
vlan 29 name nimnetworkvlan
exit
conf t
interface vlan 29
ip address 10.11.1.1 255.255.0.0
no shutdown
ip access-group 128 in
ip access-group 129 out
ip helper-address 10.10.3.7
exit
access-list 128 permit icmp any any
access-list 128 permit tcp host 10.11.1.2 host 10.10.10.100 eq 53
access-list 128 permit udp host 10.11.1.2 host 10.10.10.100 eq 53
access-list 128 permit tcp host 10.11.1.2 host 10.10.10.101 eq 53
access-list 128 permit udp host 10.11.1.2 host 10.10.10.101 eq 53
access-list 128 permit udp host 10.11.1.2 host 10.10.3.7
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 1058
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 1059
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 2049
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 3901
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 3902
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 32774
access-list 128 permit tcp any any established
access-list 128 deny ip any any
access-list 129 permit icmp any any
access-list 129 permit udp host 10.10.10.100 host 10.11.1.2
access-list 129 permit udp host 10.10.10.101 host 10.11.1.2
access-list 129 permit ip host 10.10.3.7 host 10.11.1.2
access-list 129 permit tcp any any established
access-list 129 deny ip any any
=== Access list block
We got these errors, which is why we opened UDP:
list 128 denied udp 10.11.1.2(16799) -> 10.10.3.7(52186), 5 packets
list 128 denied udp 10.11.1.2(24412) -> 10.10.3.7(52187), 5 packets
list 128 denied udp 10.11.1.2(32024) -> 10.10.3.7(52188), 5 packets
list 128 denied tcp 10.11.1.2(32024) -> 10.10.3.7(32774), 5 packets
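The lists above can be checked offline before they go on the switch. The following Python script is an added example; it is not part of this page's original content and not a Cisco tool. It parses the numbered extended-ACL syntax used here (permit/deny, ip/icmp/tcp/udp, any or host, eq port, established, log), evaluates packets top-down with the implicit deny at the end, and parses the "list 128 denied ..." messages above so the denied flows can be replayed against list 128 as it was before the UDP entry existed and as it stands now. All function and constant names (parse_acls, evaluate, parse_log_line, replay, ACL_128, ACL_128_BEFORE, DENIED_LOGS) are this example's own; the log lines are three of the four quoted above.

```python
# Added example, not Cisco code: first-match evaluator for the subset of IOS extended-ACL
# syntax used on this page, plus a parser for the "list N denied ..." console messages.
import ipaddress
import re
from collections import namedtuple

# Packet fields: proto is "icmp", "tcp" or "udp"; ack_or_rst is the TCP ACK/RST bit that "established" keys on.
Packet = namedtuple("Packet", "proto src dst sport dport ack_or_rst", defaults=(0, 0, False))
# Entry fields: proto "ip" matches every protocol; dport comes from "eq <port>" after the destination.
Entry = namedtuple("Entry", "action proto src dst dport established")

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(ip|icmp|tcp|udp)\s+(.*)$")
LOG_RE = re.compile(r"list (\d+) (permitted|denied) (tcp|udp) (\S+)\((\d+)\) -> (\S+)\((\d+)\), (\d+) packets?")

def _addr(tokens, i):
    """'any' or 'host a.b.c.d' at tokens[i] -> (network, next index); the page uses no other form."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] != "host":
        raise ValueError(f"unsupported address form: {' '.join(tokens[i:])}")
    return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2

def parse_acls(text):
    """Return {acl_number: [Entry, ...]} in configured order; the order *is* the policy."""
    acls = {}
    for raw in text.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m:
            continue                      # blank line or non-ACL config
        num, action, proto, rest = m.groups()
        tokens = rest.split()
        src, i = _addr(tokens, 0)
        dst, i = _addr(tokens, i)
        dport, established = None, False
        while i < len(tokens):
            if tokens[i] == "eq":
                dport, i = int(tokens[i + 1]), i + 2
            elif tokens[i] == "established":
                established, i = True, i + 1
            elif tokens[i] == "log":
                i += 1                    # affects logging only, not matching
            else:
                raise ValueError(f"unsupported keyword {tokens[i]!r} in: {raw}")
        acls.setdefault(int(num), []).append(Entry(action, proto, src, dst, dport, established))
    return acls

def evaluate(entries, p):
    """First match wins -> (action, 1-based entry number); no match is the implicit deny -> ("deny", None)."""
    src, dst = ipaddress.IPv4Address(p.src), ipaddress.IPv4Address(p.dst)
    for n, e in enumerate(entries, start=1):
        if (e.proto in ("ip", p.proto) and src in e.src and dst in e.dst
                and (e.dport is None or e.dport == p.dport)
                and (not e.established or (p.proto == "tcp" and p.ack_or_rst))):
            return e.action, n
    return "deny", None

def parse_log_line(line):
    """'list 128 denied udp a(b) -> c(d), n packets' -> (acl, verdict, Packet, count); None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    num, verdict, proto, src, sport, dst, dport, count = m.groups()
    return int(num), verdict, Packet(proto, src, dst, int(sport), int(dport)), int(count)

def replay(acl_text, log_lines):
    """Re-run each logged flow through the (possibly edited) ACL that reported it."""
    acls = parse_acls(acl_text)
    parsed = [p for p in map(parse_log_line, log_lines) if p is not None]
    return [evaluate(acls[num], pkt) for num, _verdict, pkt, _count in parsed]

# List 128 as it stands on this page (applied inbound on interface vlan 29).
ACL_128 = """
access-list 128 permit icmp any any
access-list 128 permit tcp host 10.11.1.2 host 10.10.10.100 eq 53
access-list 128 permit udp host 10.11.1.2 host 10.10.10.100 eq 53
access-list 128 permit tcp host 10.11.1.2 host 10.10.10.101 eq 53
access-list 128 permit udp host 10.11.1.2 host 10.10.10.101 eq 53
access-list 128 permit udp host 10.11.1.2 host 10.10.3.7
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 1058
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 1059
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 2049
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 3901
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 3902
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 32774
access-list 128 permit tcp any any established
access-list 128 deny ip any any log
"""
# The same list before the "permit udp ... host 10.10.3.7" entry was added.
ACL_128_BEFORE = ACL_128.replace("access-list 128 permit udp host 10.11.1.2 host 10.10.3.7\n", "")
# Three of the denied-packet messages quoted above (produced by the "log" keyword).
DENIED_LOGS = [
    "list 128 denied udp 10.11.1.2(16799) -> 10.10.3.7(52186), 5 packets",
    "list 128 denied udp 10.11.1.2(24412) -> 10.10.3.7(52187), 5 packets",
    "list 128 denied tcp 10.11.1.2(32024) -> 10.10.3.7(32774), 5 packets",
]
```

replay(ACL_128_BEFORE, DENIED_LOGS) returns the explicit deny (entry 13) for the two UDP flows and entry 11 for the TCP flow, while replay(ACL_128, DENIED_LOGS) shows entry 6 now permitting the UDP flows and entry 12 the TCP 32774 flow. Note that established matches on the ACK/RST bits alone and keeps no session state, so it is not a substitute for the explicit per-port entries; a TCP SYN from the client to a port that is not listed still falls through to the final deny.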
=== Logging
To find out which packets are being blocked, add the log keyword to the deny lines:
access-list 128 deny ip any any log
access-list 129 deny ip any any log
and issue this command on the switch so the log messages are displayed on your terminal session:
term mon
= Remove a created VLAN
switch#vlan database
% Warning: It is recommended to configure VLAN from config mode,
as VLAN database mode is being deprecated. Please consult user
documentation for configuring VTP/VLAN in config mode.
switch(vlan)#
switch(vlan)#no vlan 216
Deleting VLAN 216...
switch(vlan)#exit
APPLY completed.
Exiting....
{{tag>network cisco aix}}