--- Sjoerd Hooft's InFormation Technology ---

Cisco VLAN Access Lists

This page gives a basic overview of how to configure access lists on VLANs on Cisco switches. It was written with an AIX NIM network in mind, so the ports used in the example are the ones that purpose requires.

How to create a vlan

Log into the vlan database switch (core switch) with level 15 access and issue these commands:

vlan database
vlan <vlan#> name <vlanname>
exit

Adding IP Address to The Vlan

Log into the vlan database switch (core switch) with level 15 access and issue these commands:

conf t  (configure terminal)
interface vlan <vlan#>
ip address x.x.x.x x.x.x.x  (IP address followed by the subnet mask)
no shutdown  (activates the VLAN interface)
exit

Vlan Check

Log into the vlan database switch (core switch) with level 15 access and issue these commands:

show vlan

or

show ip interface brief

Also, you can issue

show run

Or, when you are in a configuration mode (one or more levels lower), prefix it with do:

do show run

Adding Access-List To a Vlan

Log into the vlan database switch (core switch) with level 15 access and issue these commands:

conf t  (configure terminal)
interface vlan <vlan#>
ip access-group <access-list#> in
ip access-group <access-list#> out
ip helper-address <ip address of the BOOTP/DHCP server>

NOTE

in

This defines access control on packets transmitted from the host. These packets are received into the router interface.

out

This defines access control on packets being sent to the host. These packets are transmitted out of the router interface. The default is out.

Adding The Access-List to The Switch

Log into the vlan database switch (core switch) with level 15 access and issue these commands:

conf t  (configure terminal)
Enter the access-list lines (paste them from your favorite text editor)

Access Lists Check

show access-lists
show access-lists | include Extended

Access List Example NIM

  • NIM Server: 10.10.3.7
  • NIM Client: 10.11.1.2 (VLAN 29)
  • DNS Server: 10.10.10.100

vlan database
vlan 29 name nimnetworkvlan
exit
conf t
interface vlan 29
ip address 10.11.1.1 255.255.0.0
no shutdown
ip access-group 128 in
ip access-group 129 out
ip helper-address 10.10.3.7
exit
access-list 128 permit icmp any any
access-list 128 permit tcp host 10.11.1.2 host 10.10.10.100 eq 53
access-list 128 permit udp host 10.11.1.2 host 10.10.10.100 eq 53
access-list 128 permit tcp host 10.11.1.2 host 10.10.10.101 eq 53
access-list 128 permit udp host 10.11.1.2 host 10.10.10.101 eq 53
access-list 128 permit udp host 10.11.1.2 host 10.10.3.7
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 1058
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 1059
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 2049
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 3901
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 3902
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 32774
access-list 128 permit tcp any any established
access-list 128 deny ip any any
access-list 129 permit icmp any any
access-list 129 permit udp host 10.10.10.100 host 10.11.1.2
access-list 129 permit udp host 10.10.10.101 host 10.11.1.2
access-list 129 permit ip host 10.10.3.7 host 10.11.1.2
access-list 129 permit tcp any any established
access-list 129 deny ip any any

Access List Block

We got these errors, so that's why we opened UDP:

list 128 denied udp 10.11.1.2(16799) -> 10.10.3.7(52186), 5 packets
list 128 denied udp 10.11.1.2(24412) -> 10.10.3.7(52187), 5 packets
list 128 denied udp 10.11.1.2(32024) -> 10.10.3.7(52188), 5 packets
list 128 denied tcp 10.11.1.2(32024) -> 10.10.3.7(32774), 5 packets

Logging

In order to find out which packets are being blocked, change the deny lines like this:

access-list 128 deny ip any any log
access-list 129 deny ip any any log

and issue this command on the switch console so that the log messages are shown in your terminal session:

term mon  (terminal monitor)
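The NIM example, the logged denials and the logging section above all rest on the same rule: an access list is evaluated top to bottom, the first matching line decides, and anything that matches nothing falls into the implicit "deny ip any any" at the end. The Python below is an added example, not code from the wiki: it parses list 128 exactly as given on this page, parses denial lines in the format quoted above, and re-evaluates each logged packet against the list. The "before" list is an assumption (the page's list without the bare UDP permit and the port 32774 permit that the logged packets needed); the function names are mine, and only the ACL syntax the page uses is modelled (no named ports, no range/gt/lt operators, no ICMP types).

```python
"""First-match evaluation of Cisco-style numbered extended ACLs, ending in the
implicit 'deny ip any any'. Added example for this page, not the wiki's own code;
it models only the syntax the page's lists use: 'any', 'host A.B.C.D', 'A.B.C.D
wildcard', numeric 'eq <port>', 'established' and 'log'."""
import ipaddress
import re
from collections import namedtuple

# ack_or_rst: TCP ACK or RST flag set, which is all that 'established' tests.
Packet = namedtuple("Packet", "proto src dst sport dport ack_or_rst", defaults=(0, 0, False))
# src/dst: IPv4Network or None ('any'); sport/dport: int or None (unspecified).
Entry = namedtuple("Entry", "line action proto src sport dst dport established log")

def _parse_addr(toks, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' at toks[i]."""
    if toks[i] == "any":
        return None, i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    addr, wildcard = toks[i], toks[i + 1]
    # A Cisco wildcard mask is the bitwise inverse of a subnet mask.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2

def _parse_port(toks, i):
    """Consume an optional numeric 'eq <port>' at toks[i]."""
    if i < len(toks) and toks[i] == "eq":
        return int(toks[i + 1]), i + 2
    return None, i

def parse_acl(config, number):
    """Collect the 'access-list <number> ...' lines from config text, in order."""
    entries = []
    for raw in config.splitlines():
        toks = raw.split()
        if len(toks) < 6 or toks[0] != "access-list" or toks[1] != str(number):
            continue
        src, i = _parse_addr(toks, 4)
        sport, i = _parse_port(toks, i)
        dst, i = _parse_addr(toks, i)
        dport, i = _parse_port(toks, i)
        entries.append(Entry(raw.strip(), toks[2], toks[3], src, sport, dst, dport,
                             "established" in toks[i:], "log" in toks[i:]))
    return entries

def _matches(e, p):
    ok = ((e.proto in ("ip", p.proto))
          and (e.src is None or ipaddress.ip_address(p.src) in e.src)
          and (e.dst is None or ipaddress.ip_address(p.dst) in e.dst)
          and (e.sport is None or e.sport == p.sport)
          and (e.dport is None or e.dport == p.dport))
    # 'established' inspects TCP flags only; it is not stateful, so it cannot
    # tell a genuine reply from any other segment that carries ACK or RST.
    return ok and (not e.established or (p.proto == "tcp" and p.ack_or_rst))

def evaluate(entries, p):
    """Return (action, matching line); ('deny', None) is the implicit deny."""
    for e in entries:
        if _matches(e, p):
            return e.action, e.line
    return "deny", None

LOG_RE = re.compile(r"list (\d+) denied (\w+) ([\d.]+)\((\d+)\) -> ([\d.]+)\((\d+)\)")

def parse_log_line(line):
    """Turn a denial line in the format shown on the page into a Packet."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    _, proto, src, sport, dst, dport = m.groups()
    return Packet(proto, src, dst, int(sport), int(dport))

def explain(config, number, log_lines):
    """Re-run each logged packet through the list and report what matches now."""
    entries = parse_acl(config, number)
    return [evaluate(entries, parse_log_line(line)) for line in log_lines]

# List 128 exactly as on the page, i.e. the state after UDP was opened.
ACL_128_AFTER = """\
access-list 128 permit icmp any any
access-list 128 permit tcp host 10.11.1.2 host 10.10.10.100 eq 53
access-list 128 permit udp host 10.11.1.2 host 10.10.10.100 eq 53
access-list 128 permit tcp host 10.11.1.2 host 10.10.10.101 eq 53
access-list 128 permit udp host 10.11.1.2 host 10.10.10.101 eq 53
access-list 128 permit udp host 10.11.1.2 host 10.10.3.7
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 1058
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 1059
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 2049
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 3901
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 3902
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 32774
access-list 128 permit tcp any any established
access-list 128 deny ip any any
"""
# Assumed earlier state: the same list minus the two lines the logged packets needed.
ACL_128_BEFORE = "\n".join(l for l in ACL_128_AFTER.splitlines()
                           if not l.endswith(("host 10.10.3.7", "eq 32774")))
DENIED = [  # two of the denial lines quoted on the page
    "list 128 denied udp 10.11.1.2(16799) -> 10.10.3.7(52186), 5 packets",
    "list 128 denied tcp 10.11.1.2(32024) -> 10.10.3.7(32774), 5 packets"]
```

Calling explain(ACL_128_BEFORE, 128, DENIED) returns deny for both logged packets, each matched by the explicit "deny ip any any" line (with the log keyword on that line, exactly those messages appear under term mon); explain(ACL_128_AFTER, 128, DENIED) returns permit, matched by the bare UDP permit and the port 32774 permit respectively. Evaluating a TCP segment from the client to an unlisted port shows what the "established" line does: with ACK set it is permitted, as a SYN it falls through to the deny. Because that keyword looks at flags rather than connection state, it is the reason the list still needs explicit per-port permits for sessions the client initiates.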

Remove created VLAN

switch#vlan database
% Warning: It is recommended to configure VLAN from config mode,
  as VLAN database mode is being deprecated. Please consult user
  documentation for configuring VTP/VLAN in config mode.

switch(vlan)#
switch(vlan)#no vlan 216
Deleting VLAN 216...
switch(vlan)#exit
APPLY completed.
Exiting....
ciscovlanaccesslists.txt · Last modified: 2021/09/24 00:24 (external edit)