--- Sjoerd Hooft's InFormation Technology ---

ciscovlanaccesslists [2013/02/25 20:07] created by sjoerd

= Cisco VLAN Access Lists =
This page gives a basic overview of how to configure access lists on VLANs on Cisco switches. It was written with [[nimnetwork]] in mind, so the ports in the example are the ones that setup needs.

Keep in mind what an access list on a VLAN interface does and does not filter: ''ip access-group'' on an SVI (''interface vlan'') only sees traffic that the switch routes into or out of the VLAN. Hosts inside the same VLAN talk to each other at layer 2 and are never checked by it; filtering that traffic needs a VLAN access map instead.

= How to create a vlan =
Log into the VLAN database switch (core switch) with level 15 access and issue these commands:
<code>
vlan database
vlan <vlan#> name <vlanname>
exit
</code>
VLAN database mode still works but is deprecated (see the warning under Remove created VLAN below); on current IOS the same is done from global configuration mode with ''vlan <vlan#>'' followed by ''name <vlanname>''.

= Adding IP Address to The Vlan =
Log into the VLAN database switch (core switch) with level 15 access and issue these commands:
<code>
conf t  (configure terminal)
interface vlan <vlan#>
ip address <ipaddress> <subnetmask>
no shutdown (activates the interface)
exit
</code>
''no shutdown'' brings up the VLAN interface (the SVI), not the VLAN itself; the SVI only reports up/up once the VLAN exists and at least one port or trunk carrying that VLAN is up.

== Vlan Check ==
Log into the VLAN database switch (core switch) with level 15 access and issue these commands:
<code>
show vlan
</code>
or, to see whether the VLAN interface is up and has its address:
<code>
show ip interface brief
</code>
Also, you can issue
<code>
show run
</code>
or, from within configuration mode, the same command prefixed with ''do'':
<code>
do show run
</code>

= Adding Access-List To a Vlan =
Log into the VLAN database switch (core switch) with level 15 access and issue these commands:
<code>
conf t  (configure terminal)
interface vlan <vlan#>
ip access-group <access-list#> in
ip access-group <access-list#> out
ip helper-address <ipaddressbootp/dhcpserver>
</code>
The ''ip helper-address'' line is not part of the access list: it makes the switch forward UDP broadcasts from the VLAN (BOOTP/DHCP among others) as unicasts to the given server, which is what lets a NIM client that boots over the network find the NIM server. Leave it out if the VLAN does not need that.

**NOTE**
> in
>> Filters packets that arrive on the VLAN interface from hosts in the VLAN, i.e. traffic leaving the VLAN towards other networks (received into the router interface).
> out
>> Filters packets the switch routes out of the VLAN interface towards the hosts in the VLAN. The default, when no direction is given, is out. An outbound list does not filter traffic the switch itself generates.

= Adding The Access-List to The Switch =
Log into the VLAN database switch (core switch) with level 15 access and issue these commands:
<code>
conf t (configure terminal)
Paste the access-list (from your favorite text editor)
</code>
Two things to watch when pasting a numbered list: lines you enter are appended after whatever already exists under that number, so a list that needs changing has to be removed with ''no access-list <access-list#>'' and entered again in full; and while the list does not exist, an interface that still has it applied with ''ip access-group'' passes all traffic. Define or rebuild the list before applying it, or take the ''ip access-group'' off first, and if the switch is managed through an address on that VLAN interface, do this from the console.

== Access Lists Check ==

<code>
show access-lists
show access-lists | include Extended
</code>
''show access-lists'' also prints a match counter per line, which shows which entries are actually being hit; ''show ip interface vlan <vlan#>'' shows which list is applied inbound and which outbound.

= Access List Example NIM =
  * NIM Server: 10.10.3.7
  * NIM Client: 10.11.1.2 (VLAN 29)
  * DNS Server: 10.10.10.100 (the lists also allow a second DNS server, 10.10.10.101)

The lists are defined first and applied to the interface afterwards, so that the interface is never up with an undefined (and therefore permit-all) list on it:
<code>
vlan database
vlan 29 name nimnetworkvlan
exit
conf t
access-list 128 permit icmp any any
access-list 128 permit tcp host 10.11.1.2 host 10.10.10.100 eq 53
access-list 128 permit udp host 10.11.1.2 host 10.10.10.100 eq 53
access-list 128 permit tcp host 10.11.1.2 host 10.10.10.101 eq 53
access-list 128 permit udp host 10.11.1.2 host 10.10.10.101 eq 53
access-list 128 permit udp host 10.11.1.2 host 10.10.3.7
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 1058
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 1059
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 2049
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 3901
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 3902
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 32774
access-list 128 permit tcp any any established
access-list 128 deny ip any any
access-list 129 permit icmp any any
access-list 129 permit udp host 10.10.10.100 host 10.11.1.2
access-list 129 permit udp host 10.10.10.101 host 10.11.1.2
access-list 129 permit ip host 10.10.3.7 host 10.11.1.2
access-list 129 permit tcp any any established
access-list 129 deny ip any any
interface vlan 29
ip address 10.11.1.1 255.255.0.0
ip access-group 128 in
ip access-group 129 out
ip helper-address 10.10.3.7
no shutdown
exit
</code>
List 128 (in) lets the client reach both DNS servers on TCP and UDP 53, the NIM server on any UDP port (the NIM services use ports assigned at run time, as the log below shows) and on the listed TCP ports, and lets it answer TCP sessions opened towards it (''established''); everything else is dropped by the final ''deny ip any any''. List 129 (out) is the mirror image: replies from the DNS servers, anything from the NIM server, and return traffic of TCP sessions the client opened. Check the addresses in the out list against the server list carefully: one mistyped octet there silently blocks the return path, and the only clue is in the deny log.

Two caveats on this style of list: ''permit tcp any any established'' is a stateless check that matches any segment with ACK or RST set, so it also lets in unsolicited ACK or RST packets (an ACK scan, for instance), and ''permit icmp any any'' in both directions allows more than the echo requests and error messages that troubleshooting needs.

=== Access List Block ===
We got these errors, so that's why we opened UDP:
<code>
list 128 denied udp 10.11.1.2(16799) -> 10.10.3.7(52186), 5 packets
list 128 denied udp 10.11.1.2(24412) -> 10.10.3.7(52187), 5 packets
list 128 denied udp 10.11.1.2(32024) -> 10.10.3.7(52188), 5 packets
list 128 denied tcp 10.11.1.2(32024) -> 10.10.3.7(32774), 5 packets
</code>
The format is source(port) -> destination(port), followed by the number of packets counted for that flow. The UDP destination ports differ for every connection, so a ''permit udp'' line without a port (as in list 128 above) was the practical fix; the single TCP hit on 32774 got its own ''eq 32774'' line.

=== Logging ===
In order to find what packets are blocked, change the deny line like this:
<code>
access-list 128 deny ip any any log
access-list 129 deny ip any any log
</code>
(new lines are appended after the existing deny, so rebuild the list rather than just typing these) and, to see the messages on your session, issue this command on the switch console:
<code>
term mon
</code>
The ''log'' keyword logs the first matching packet and afterwards a summary per flow (the "5 packets" above) every five minutes by default. Use ''log-input'' instead to include the ingress interface and source MAC address, and ''show logging'' to read the buffered messages when ''term mon'' is not convenient. Logged packets are handled by the CPU and rate-limited, so remove ''log'' again once the list is right.

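The lists above can be checked offline before they go into the switch. The Python script below is an added example written for this page, not code from the original page or from Cisco: it implements the first-match, implicit-deny evaluation of a numbered extended access list for the syntax used here, replays the deny-log lines from the Access List Block section against list 128 with and without the two lines they led to, and shows what a mistyped octet in the out list does to the NIM server's reply. All names in it (''Packet'', ''parse_acls'', ''evaluate'', ''check_log'' and the constants) are the example's own; the addresses, ports and log lines are taken from this page, while the abridged list 128, its "before" version and the list 129 with the wrong octet are constructed sample input. The regex matches the tail of the message, so it also accepts the ''%SEC-6-IPACCESSLOGP:'' prefix a real switch prints in front of the quoted lines.

```python
"""Offline evaluator for IOS numbered *extended* ACLs: an added example, not code from this page.
Implements first-match with implicit deny for the syntax used on the page (permit|deny,
ip|tcp|udp|icmp, any|host|wildcard, 'eq <numeric port>', 'established', trailing 'log')."""
import ipaddress
import re
from typing import NamedTuple

class Packet(NamedTuple):
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False  # TCP segment with ACK or RST set

def _parse_addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    # An IOS wildcard is an inverted netmask; only contiguous masks are handled.
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(tok[1])) & 0xFFFFFFFF)
    return ipaddress.ip_network((tok[0], str(netmask)), strict=False), tok[2:]

def _parse_port(tok):
    """Consume an optional 'eq <port>'; return (port or None, remaining tokens)."""
    return (int(tok[1]), tok[2:]) if tok and tok[0] == "eq" else (None, tok)

def parse_acls(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established] [log]' lines."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue  # blank lines, comments, 'no access-list ...'
        src, rest = _parse_addr(tok[4:])
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest)
        acls.setdefault(int(tok[1]), []).append(dict(
            action=tok[2], proto=tok[3], src=src, sport=sport, dst=dst, dport=dport,
            established="established" in rest, text=line.strip()))
    return acls

def evaluate(rules, pkt):
    """Return (action, text of the first matching rule); an IOS list ends in an implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if r["proto"] not in ("ip", pkt.proto) or src not in r["src"] or dst not in r["dst"]:
            continue
        if r["sport"] not in (None, pkt.sport) or r["dport"] not in (None, pkt.dport):
            continue
        if r["established"] and not (pkt.proto == "tcp" and pkt.established):
            continue  # 'established' never matches a SYN, so it cannot open a session
        return r["action"], r["text"]
    return "deny", "(implicit deny)"

# Tail of an IOS %SEC-6-IPACCESSLOGP message; the icmp variant logs type/code, not ports.
LOG_RE = re.compile(r"list (\d+) (?:permitted|denied) (tcp|udp) "
                    r"([\d.]+)\((\d+)\) -> ([\d.]+)\((\d+)\)")

def parse_log(text):
    """Return [(list number, Packet)] for every tcp/udp access-log line in text."""
    return [(int(n), Packet(proto, s, d, int(sp), int(dp)))
            for n, proto, s, sp, d, dp in LOG_RE.findall(text)]

def check_log(log_text, acl_text):
    """Replay each logged packet against the lists in acl_text: {Packet: (action, rule)}."""
    acls = parse_acls(acl_text)
    return {pkt: evaluate(acls.get(n, []), pkt) for n, pkt in parse_log(log_text)}

# List 128 as on the page (abridged); BEFORE is constructed without the lines the log led to.
ACL_128_AFTER = """\
access-list 128 permit icmp any any
access-list 128 permit udp host 10.11.1.2 host 10.10.10.100 eq 53
access-list 128 permit udp host 10.11.1.2 host 10.10.3.7
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 32774
access-list 128 permit tcp any any established
access-list 128 deny ip any any log
"""
ACL_128_BEFORE = "\n".join(line for line in ACL_128_AFTER.splitlines()
                           if not line.endswith(("host 10.10.3.7", "eq 32774")))
# Deny-log lines quoted on the page, used here as constructed sample input.
DENY_LOG = """\
list 128 denied udp 10.11.1.2(16799) -> 10.10.3.7(52186), 5 packets
list 128 denied tcp 10.11.1.2(32024) -> 10.10.3.7(32774), 5 packets
"""
# List 129 with one mistyped octet (10.1.3.7 for NIM server 10.10.3.7), constructed on purpose.
ACL_129_TYPO = """\
access-list 129 permit ip host 10.1.3.7 host 10.11.1.2
access-list 129 permit tcp any any established
access-list 129 deny ip any any log
"""
NIM_REPLY = Packet("udp", "10.10.3.7", "10.11.1.2", 52186, 16799)  # return leg of flow 1

if __name__ == "__main__":
    print(check_log(DENY_LOG, ACL_128_BEFORE), check_log(DENY_LOG, ACL_128_AFTER), sep="\n")
    print("NIM reply, typo:", evaluate(parse_acls(ACL_129_TYPO)[129], NIM_REPLY))
```

Run it with ''python3'' and it prints, per logged packet, the rule that decided it before the fix (the explicit deny) and after (the new UDP line and the ''eq 32774'' line), then shows that the reply from 10.10.3.7 falls through to the deny in the mistyped out list; replace 10.1.3.7 with 10.10.3.7 in ''ACL_129_TYPO'' and the verdict becomes permit. The evaluator deliberately treats ''established'' as IOS does, as a stateless flag check, which is why the logged SYN to port 32774 is not covered by ''permit tcp any any established''.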
= Remove created VLAN =

<code>
switch#vlan database
% Warning: It is recommended to configure VLAN from config mode,
  as VLAN database mode is being deprecated. Please consult user
  documentation for configuring VTP/VLAN in config mode.

switch(vlan)#
switch(vlan)#no vlan 216
Deleting VLAN 216...
switch(vlan)#exit
APPLY completed.
Exiting....
</code>
As the warning says, ''no vlan 216'' from global configuration mode does the same. Deleting the VLAN removes neither the VLAN interface nor the access lists: take the lists off the interface first (''no ip access-group ...''), then remove the interface with ''no interface vlan 216'' and the lists with ''no access-list <access-list#>'' so no stale entries remain. Access ports still assigned to a deleted VLAN go inactive until they are moved to an existing one.

{{tag>network cisco aix}}