Cisco Catalyst ACL Introduction: RACL, VACL, PACL

Blueprint

  • CCIE R&S
    • Written v5.1
      • 5.0 Infrastructure Security
        • 5.2 Network security
          • 5.2.a [i] VACL, PACL
          • 5.2.c [viii] PACL
    • Lab v5.0
      • 5.0 Infrastructure Security
        • 5.2 Network security
          • 4.2.a [i] VACL, PACL
          • 4.2.c [vii] PACL

Foundation

  1. PACL (Port ACL)
  2. VACL (VLAN ACL)
  3. RACL (Router ACL)

RACL

Configuration

  • SW1
configure terminal
!
ip routing
!
vtp mode transparent
!
vlan 128
 name sales
exit
!
interface Vlan 128
 ip address 10.0.128.1 255.255.255.0
 no shutdown
 ip access-group 102 out
exit
!
interface FastEthernet 1/0/4
 no switchport
 ip address 10.0.129.1 255.255.255.0
 ip access-group 101 in
exit
!
interface FastEthernet 1/0/5
 switchport mode access
 switchport access vlan 128
exit
!
access-list 101 permit tcp any any eq www
access-list 102 permit tcp any host 10.0.128.254 eq www
!
end

Verification

Console Log

VACL

Base Configuration

  • SW1
configure terminal
!
ip routing
!
vtp mode transparent
!
vlan 128
 name sales
exit
!
interface Vlan 128
 ip address 10.0.128.1 255.255.255.0
 no shutdown
exit
!
interface FastEthernet 1/0/1
 switchport mode access
 switchport access vlan 128
exit
!
interface FastEthernet 1/0/4
 no switchport
 ip address 10.0.129.1 255.255.255.0
exit
!
interface FastEthernet 1/0/5
 switchport mode access
 switchport access vlan 128
exit
!
end
  • R1
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.101 255.255.255.0
 no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
line vty 0 15
 privilege level 15
 password kotone
 login
exit
!
end

Configuration

  • SW1
configure terminal
!
ip access-list extended A-TCP
 permit tcp host 10.0.128.101 host 10.0.128.254
 permit tcp host 10.0.129.192 host 10.0.128.254
exit
!
ip access-list extended A-IP
 permit ip any any
exit
!
vlan access-map V-MAP 10
 match ip address A-TCP
 action drop
exit
!
vlan access-map V-MAP 20
 match ip address A-IP
 action forward
exit
!
vlan filter V-MAP vlan-list 128
!
end

The configuration above is equivalent to the following one: a VLAN access-map sequence with no match clause matches every packet, so sequence 20 no longer needs the A-IP access list.

  • SW1
configure terminal
!
ip access-list extended A-TCP
 permit tcp host 10.0.128.101 host 10.0.128.254
 permit tcp host 10.0.129.192 host 10.0.128.254
exit
!
vlan access-map V-MAP 10
 match ip address A-TCP
 action drop
exit
!
vlan access-map V-MAP 20
 action forward
exit
!
vlan filter V-MAP vlan-list 128
!
end

Verification

Console Log

Console Log

PACL

Base Configuration

  • SW1
configure terminal
!
ip routing
!
vtp mode transparent
!
vlan 128
 name sales
exit
!
interface Vlan 128
 ip address 10.0.128.1 255.255.255.0
 no shutdown
exit
!
interface FastEthernet 1/0/1
 switchport mode access
 switchport access vlan 128
exit
!
interface FastEthernet 1/0/4
 no switchport
 ip address 10.0.129.1 255.255.255.0
exit
!
interface FastEthernet 1/0/5
 switchport mode access
 switchport access vlan 128
exit
!
end
  • R1
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.101 255.255.255.0
 no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
line vty 0 15
 privilege level 15
 password kotone
 login
exit
!
end

Configuration

  • SW1
configure terminal
!
ip access-list extended A-TCP1
 deny tcp host 10.0.129.192 host 10.0.128.101
 permit ip any any
exit
!
ip access-list extended A-TCP2
 deny tcp host 10.0.128.101 host 10.0.128.254
 permit ip any any
exit
!
interface FastEthernet 1/0/4
 ip access-group A-TCP1 in
exit
!
interface FastEthernet 1/0/1
 ip access-group A-TCP2 in
exit
!
end
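To make the filtering logic of the VACL and PACL sections concrete, here is a small Python model of how IOS evaluates an extended ACL (first matching entry decides, implicit deny at the end) and a VLAN access map (sequences tried in order, an ACL permit means the sequence matches and its action applies, a sequence without a match clause matches everything, implicit drop when nothing matches). This is an added example written for this page, not code from the wiki or from Cisco; it models only the ACE forms the page uses (protocol, host/any source and destination, optional eq port) and runs constructed sample packets built from the page's own addresses through the A-TCP/A-IP access maps and the A-TCP1/A-TCP2 port ACLs. It also checks the claim in the VACL section that the two V-MAP definitions behave identically.

```python
"""Model of Cisco IOS extended-ACL and VLAN access-map evaluation.

Added example, not code from the wiki page or from Cisco. Only the ACE
forms used on the page are modelled: permit/deny, protocol (ip matches
any protocol), host-or-any source and destination, optional 'eq <port>'
on the destination.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str                   # host address or "any"
    dst: str
    dport: Optional[int] = None   # 'eq <port>' on the destination, if given

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def acl_permits(acl: List[Ace], p: Packet) -> bool:
    """First matching ACE decides; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False


@dataclass(frozen=True)
class MapSeq:
    seq: int
    action: str                      # "forward" or "drop"
    match_acl: Optional[List[Ace]]   # None = sequence without a match clause


def vacl_action(access_map: List[MapSeq], p: Packet) -> str:
    """Sequences are tried in order. A sequence matches when its ACL permits
    the packet (a deny, explicit or implicit, means 'no match' and evaluation
    continues). A sequence with no match clause matches every packet. If no
    sequence matches, the access map drops the packet."""
    for s in sorted(access_map, key=lambda s: s.seq):
        if s.match_acl is None or acl_permits(s.match_acl, p):
            return s.action
    return "drop"


# Access lists from the page's VACL section.
A_TCP = [
    Ace("permit", "tcp", "10.0.128.101", "10.0.128.254"),
    Ace("permit", "tcp", "10.0.129.192", "10.0.128.254"),
]
A_IP = [Ace("permit", "ip", "any", "any")]

# The two V-MAP definitions the page presents as equivalent.
V_MAP_EXPLICIT = [MapSeq(10, "drop", A_TCP), MapSeq(20, "forward", A_IP)]
V_MAP_IMPLICIT = [MapSeq(10, "drop", A_TCP), MapSeq(20, "forward", None)]

# Access lists from the page's PACL section.
A_TCP1 = [Ace("deny", "tcp", "10.0.129.192", "10.0.128.101"),
          Ace("permit", "ip", "any", "any")]
A_TCP2 = [Ace("deny", "tcp", "10.0.128.101", "10.0.128.254"),
          Ace("permit", "ip", "any", "any")]

# Constructed sample packets using the addresses of the page's topology.
SAMPLES = [
    Packet("tcp", "10.0.128.101", "10.0.128.254", 23),   # R1 -> .254: dropped
    Packet("tcp", "10.0.129.192", "10.0.128.254", 80),   # routed host -> .254: dropped
    Packet("tcp", "10.0.128.254", "10.0.128.101", 23),   # reverse direction: forwarded
    Packet("icmp", "10.0.128.101", "10.0.128.254"),      # not TCP: forwarded
    Packet("udp", "10.0.129.192", "10.0.128.1", 53),     # unrelated flow: forwarded
]


def vmap_definitions_agree(packets=SAMPLES) -> bool:
    """True when both V-MAP definitions give the same action for every packet."""
    return all(vacl_action(V_MAP_EXPLICIT, p) == vacl_action(V_MAP_IMPLICIT, p)
               for p in packets)


if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "VACL:", vacl_action(V_MAP_EXPLICIT, p),
              "A-TCP1:", acl_permits(A_TCP1, p), "A-TCP2:", acl_permits(A_TCP2, p))
    print("V-MAP definitions agree:", vmap_definitions_agree())
```

The model evaluates each ACL on its own and says nothing about where it is applied; on the switch that placement is the whole point. A RACL on interface Vlan 128 sees only traffic routed through the SVI, so the bridged TCP session between 10.0.128.101 and 10.0.128.254, both in VLAN 128, never reaches it, which is why the VACL (not direction-aware, applied to bridged and routed traffic in the VLAN) or a PACL on the ingress port is needed to stop it.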

Verification

Console Log

References

Last modified: 2019/09/07 15:32 by wnoguchi