Cisco CCIE R&S - VACLs and PACLs

Captions
Think about a multilayer switch. This switch can do a lot when it comes to access control lists. We can have, on the Layer 3 ports, RACLs or router access control lists, but what we want to explore in this particular Nugget is access control lists applied to a Layer 2 switch port. We call these PACLs, or port access control lists. And then how about if we take an ACL and apply it to an entire VLAN? Those are called VACLs, or VLAN-based access control lists. Some literature will also refer to them as VLAN access maps, and we'll see exactly why that is in this particular Nugget.

So we have an access control list, we place it on a Layer 2 switch port, and we are dealing with a port access control list; that's the terminology. What types of ACLs are supported on the Layer 2 switch port on a Catalyst switch? Well, we can have a standard IP ACL, we could have an extended IP ACL, or we could have a MAC extended access control list. You might wonder if you're allowed to do one of each, and the answer is yes, you can absolutely do that. So we could go in and we could do, on ingress, an extended IP, and then we could also do, on ingress, a MAC extended access control list, but only one of those types per interface per direction. As you might guess, if you were to add another MAC extended in the same direction, it would overwrite the one that is existing on that particular port in that particular direction.

So, great news for you Cisco VIRL lovers out there: the latest version supports these port access control lists, so we can experiment with them in the emulator. Here I have a topology: R1 connected to SW1, trunked over to SW2, then connected to R2. We have VLAN 100 running here between these devices. So let me go to R1 and let me ensure that I can ping R2 at 10.10.10.2 across the switches, and we see that works perfectly. Let's also check out the MAC address on the R1 device, so I'll do show interface GigabitEthernet0/1, and we see the MAC address on this particular device is, let's find it, it is ending in 6069.

All right, well, let's slide over to the switch now. If we look on SW2 and we look at the MAC address table, we see we are learning that MAC address, of course, of R1 on the GigabitEthernet0/1 interface; this is the interface that trunks over to SW1. So let's have some fun blocking this particular host based on MAC address here in the topology. We'll go in and we'll do mac access-list extended, and we'll name it PACL_L2. We'll then deny the host at this specific MAC address; this is the source address, so I'll copy and paste that in, and we'll say going to anywhere. We need to permit, of course, any other Layer 2 traffic here, and now we'll exit this extended MAC access list, and we'll go to the GigabitEthernet0/1 interface, and we'll say mac access-group PACL_L2, and this can only be done ingress, this particular access control list, so we'll do it ingress on that interface. We will end the configuration, and now we will go to R1 and try that ping again.

So here we are on R1. We retry that ping, and it does not look like that ping is successful. Now think of how tricky this would be to catch in a troubleshooting scenario. Yeah, you would look at the configuration of R1, you would look at the configuration of R2, and everything looks absolutely perfect. If you look at the basic Layer 2 configurations on the switches, you might not catch that we are filtering here based on the Layer 2 MAC address. So we really need verification, though, that it was the switch's configuration that did the job here, and that's easy to verify. We can do a show access-lists on the switch. We see that there is our extended MAC access list named PACL_L2, and that our deny entry does have the five matches for those five ping attempts, and we can see we're matching all kinds of incoming Layer 2 traffic from SW1.

And now we're ready to look at VLAN access control lists, or VLAN access maps. A lot of people love to call them VLAN access maps because that's the syntax we use to create them, and as you can see, they follow the logic of route maps. These are great because they'll apply to all ports of a particular VLAN, including any future ports that you might be adding to a particular VLAN. Let's make sure we can construct these and test these at the command line. So we slide over to rental equipment, thanks to gigavelocity.com; thank you so much, Giga Velocity. And of course we're making this adjustment because VLAN access maps are indeed coming to VIRL, but as of the very moment of this recording they haven't made it there yet.

So here on R3 we're going to make sure that we can telnet to R1, for example. So here we go, telnet 10.10.10.1, and we see we can telnet into R1 just fine. Well, let's experiment with our VLAN access control lists and let's kill Telnet for VLAN 100. I know what you're thinking: you want to kill Telnet, period. Nope; for our purposes we'll pick on just a VLAN to take advantage of this functionality. So we go over to SW3 in this example, and the first thing that we do is we create an access list, an extended access list. I'll name it ACL_TELNET, and what you always do is you do a permit. Why are you always doing a permit even though we subsequently are going to deny the traffic? The ACL is just for identifying the traffic. So we'll say, oh, any Telnet traffic in our access list. There we go.

Next we'll construct our VLAN access map. Think of a route map and you'll be great; it's a similar structure and logic. So I say vlan access-map, I'll name it VACL_TELNET, and we give a sequence number, and what we want to do is match. There are two important things we can match on, as we discussed earlier: IP-based and MAC-based matching. So we'll match on IP address, and it's of course ACL_TELNET. Next we specify the action: we want to drop that traffic. Now, if you're thinking in terms of route maps, you realize that we have to do another statement. I'll number it 20, and we have to do an action of forward. This is of course overriding the implicit deny that would end this structure, causing us to drop all of our IP traffic flowing in the infrastructure; that would be a bad thing. Think about doing this at the MAC level: you would end up stopping things like ARP from functioning. So we have to remember the logic of route maps when we're working here.

But all this hard work I did is doing nothing, because we haven't applied it to anything. So we'll say vlan filter; my filter is called VACL_TELNET, and the vlan-list that we're applying this to is 100. So we look at our topology and we realize we have this filter in place on SW3. It should definitely prevent the telnet that we just did a moment ago, right? That was on R3 telnetting to R1. This better not work now. And it doesn't; it does not work now. It just struck me that I consistently changed the color scheme of the consoles, and that's because, of course, different students campaign for different color schemes. My favorite has always been the green on black, and it's because it looks like I'm working on something really, really important. All right, well, anyways, this is not going to work now.

A question comes in here: what about telnetting from R1 to R5? After all, SW1 doesn't possess the VLAN access map, or VLAN access control list, configuration. So let's see what's going to happen there. I'm going to telnet to 10.10.10.5, and it's going to work just fine. So clearly we need to take the configuration from SW3 and we need to replicate that on all of the switches participating in VLAN 100 in order to make the VLAN access map logic apply to every potential port participating in VLAN 100, which is our goal. Notice this still gives us scalability as we add ports to VLAN 100 on the different devices.

So in this important Nugget we took a look at the ways in which we can manipulate data plane traffic on our multilayer Catalyst switches. I did create a post for you summarizing these many options, and that is available at ajsnetworking.com; if you were to search on PACL, for example, you would have your document. I sure hope this Nugget was informative for you, and I'd like to thank you for viewing.
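The PACL and VACL walked through in the captions, collected into one configuration as an added example; this is not the video's own console output or the author's configuration. Assumed from the video: SW2 is the switch whose GigabitEthernet0/1 trunks to SW1 and learns R1's MAC address, SW3 is the switch carrying VLAN 100 where the VACL is built, and "Telnet" means TCP port 23. The full R1 MAC address is never shown on the page, so <R1-MAC> is a placeholder to replace with the value from show mac address-table.

```ios
! ===== SW2: port ACL (PACL) on the Layer 2 trunk port =====
! MAC extended ACL, R1's address as the source. <R1-MAC> is a
! placeholder; take the real value from "show mac address-table".
mac access-list extended PACL_L2
 deny   host <R1-MAC> any
 permit any any
!
! PACLs are ingress-only. Only one ACL per type (standard IP,
! extended IP, MAC extended) per port per direction: a second
! "mac access-group ... in" on Gi0/1 silently replaces PACL_L2.
interface GigabitEthernet0/1
 mac access-group PACL_L2 in
!
! ===== SW3 (and every other switch carrying VLAN 100): VLAN ACL =====
! The ACL only identifies traffic, so it uses permit; the access-map
! decides the action. Assumption: match TCP/23 in both directions.
ip access-list extended ACL_TELNET
 permit tcp any any eq telnet
 permit tcp any eq telnet any
!
! Route-map style: sequence 10 drops Telnet, sequence 20 forwards the
! rest. Without sequence 20 the implicit drop at the end of the map
! discards all other IP traffic in VLAN 100 (and, with a MAC-based
! match, Layer 2 traffic such as ARP).
vlan access-map VACL_TELNET 10
 match ip address ACL_TELNET
 action drop
vlan access-map VACL_TELNET 20
 action forward
!
! Nothing is filtered until the map is bound to the VLAN.
vlan filter VACL_TELNET vlan-list 100
!
! Verification (privileged EXEC):
!   show access-lists        PACL_L2 match counters on SW2
!   show vlan access-map     sequences, match clauses and actions
!   show vlan filter         which map is bound to which VLAN list
```

As the captions demonstrate with the R1-to-R5 telnet through SW1, a VACL is local to the switch it is configured on, so the access map and vlan filter must be replicated on every switch that participates in VLAN 100. Two caveats a practitioner will want: a MAC-based PACL blocks one burned-in address, not a host that changes its source MAC, so treat it as hygiene rather than an access control; and on hardware-switched Catalyst platforms the ACL hit counters may not increment for traffic matched in hardware, so confirm the filter with a live test (the ping and telnet attempts in the video) rather than relying on counters alone.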
Info
Channel: Anthony Sequeira
Views: 8,402
Keywords: ccie, cisco, certification, training
Id: L0vmJL0WuIQ
Length: 11min 35sec (695 seconds)
Published: Sat Jul 15 2017