[[Cisco VLAN Access Lists]]
 
Trace: » Cisco Radius Authenticatie » 7Customizer » Moving To A New Website » Cisco VLAN Access Lists
Table of Contents

Cisco VLAN Access Lists

This page is to give a basic view on how to configure access lists on VLANs on Cisco switches. This page is created with AIX NIM Network in mind, the ports are defined as for this purpose.

How to create a vlan

Log into the vlan database switch (core switch) with level 15 access and issue these commands:
Vlan database
Vlan <vlan#> name <vlanname>
Exit

Adding ip adres to the vlan:

Log into the vlan database switch (core switch) with level 15 access and issue these commands:
Conf t  (Configuration Terminal)
Interface vlan <vlan#>
Ip address x.x.x.x  x.x.x.x
No shutdown (activates the vlan)
Exit

Vlan check

Log into the vlan database switch (core switch) with level 15 access and issue these commands:
show vlan

or

Show ip interface brief

Also, you can issue

show run

Or, when you're configuration levels lower:

do show run

Adding acces-list to a vlan:

Log into the vlan database switch (core switch) with level 15 access and issue these commands:
Conf t  (Configuration Terminal)
Interface vlan <vlan#>
Ip access-group <access-list#> in
Ip access-group <access-list#> out
ip helper-address <ipaddressbootp/dhcpserver>

NOTE

in
This defines access control on packets transmitted from the host. These packets are received into the router interface.

out

This defines access control on packets being sent to the host. These packets are transmitted out of the router interface. The default is out.

Adding the access-list to the Switch:

Log into the vlan database switch (core switch) with level 15 access and issue these commands:
Conf t (Configuration Terminal)
Enter the access-list (from your favorite text editor)

Access lists check

show access-lists
show access-lists | include Extended

Access List Example NIM

NIM Server: 10.10.3.7
NIM Client: 10.11.1.2 (VLAN 29)
DNS Server: 10.10.10.100
vlan database
vlan 29 name nimnetworkvlan
exit
conf t
interface vlan 29
ip address 10.11.1.1 255.255.0.0
no shutdown
ip access-group 128 in
ip access-group 129 out
ip helper-address 10.10.3.7
exit
access-list 128 permit icmp any any
access-list 128 permit tcp host 10.11.1.2 host 10.10.10.100 eq 53
access-list 128 permit udp host 10.11.1.2 host 10.10.10.100 eq 53
access-list 128 permit tcp host 10.11.1.2 host 10.10.10.101 eq 53
access-list 128 permit udp host 10.11.1.2 host 10.10.10.101 eq 53
access-list 128 permit udp host 10.11.1.2 host 10.10.3.7
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 1058
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 1059
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 2049
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 3901
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 3902
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 32774
access-list 128 permit tcp any any established
access-list 128 deny ip any any
access-list 129 permit icmp any any
access-list 129 permit udp host 10.10.10.100 host 10.11.1.2
access-list 129 permit udp host 10.10.10.101 host 10.11.1.2
access-list 129 permit ip host 10.1.3.7 host 10.11.1.2
access-list 129 permit tcp any any established
access-list 129 deny ip any any

Access list block

We got these errors so that's why we opened udp:
list 128 denied udp 10.11.1.2(16799) -> 10.10.3.7(52186), 5 packets
list 128 denied udp 10.11.1.2(24412) -> 10.10.3.7(52187), 5 packets
list 128 denied udp 10.11.1.2(32024) -> 10.10.3.7(52188), 5 packets
list 128 denied tcp 10.11.1.2(32024) -> 10.10.3.7(32774), 5 packets

Logging

In order to find what packets are blocked change the deny line like this:
access-list 128 deny ip any any log
access-list 129 deny ip any any log

and issue this command on the switch console:

term mon
,

Discussion

Enter your comment:
 
ciscovlanaccesslists.txt · Last modified: 2010/08/26 10:55 by sjoerd