I am trying to figure out how ACLs applied on a Trunk port work.
We have a Core switch that is doing Inter VLAN routing, and behind that switch are numerous other regular switches. The core switch holds the routing table. This is a very basic configuration.
CoreSwitch
|
|(trunk)
|
Switch1
|...........\
|............\(trunk)
|.............\
Switch2...Switch3
We applied an ACL on Switch1 going to Switch2 to allow only certain VLANs to pass through.
We tested this concept and apparently it works. My question is, how is that possible, as Switch1 is only a regular Cisco switch with no routing enabled on it? The ports are trunked.
(periods are used for space)
Answers (2)
0 Votes
What does that ACL look like? I usually restrict VLANs on a trunk with the "switchport trunk allowed vlan" configuration command.
30th Nov 2009
Replies
No, unfortunately we cannot do "switchport trunk allowed vlan" because we cannot restrict all the users on the VLAN.
More information: we have a very flat network with no routing protocol. All the switches under the core switch are running RPVST.
Switch2:
Extended IP access list BLACKOUT
10 permit ip 10.1.1.0 0.0.0.255 any
20 permit ip 10.1.2.3 255.255.255.255 any
30 permit ip 10.1.3.2 255.255.255.255 any
40 deny ip any any
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
ip access-group BLACKOUT in
kidica
30th Nov 2009
In your original post you said you applied the ACL on Switch1, but this post shows it on Switch2. Which switch(es) are the ACLs applied to? Also, are any of the layer 2 switches running the EI (enhanced) image?
The enhanced images do support a subset of the layer 3 functions.
NetMan1958
30th Nov 2009
As for the enhanced image... how do I find out? I know all the switches have routing capability, but only CoreSwitch1 is doing the packet switching.
kidica
3rd Dec 2009
To check which image a switch is running:
******************************************
SW2950#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA6, RELEASE SOFTWARE
(fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Fri 21-Oct-05 01:59 by yenanh
Image text-base: 0x80010000, data-base: 0x80568000
ROM: Bootstrap program is C2950 boot loader
SW2950 uptime is 2 weeks, 3 days, 16 hours, 35 minutes
System returned to ROM by power-on
System image file is "flash:/c2950-i6q4l2-mz.121-22.EA6.bin"
cisco WS-C2950-12 (RC32300) processor (revision R0) with 21013K bytes of memory.
Processor board ID FOC1004Z8X6
Last reset from system-reset
Running Standard Image
*********************************************
As you can see from the last line above, this switch is running the standard image; if it were running the enhanced image, it would say so.
NetMan1958
3rd Dec 2009
It's not enhanced, but that shouldn't matter whether or not it is. Unless I'm wrong.
kidica
3rd Dec 2009
I just took another look at that access list and noticed something. Is this the intent of the acl?
(1) allow all traffic from the 10.1.1.0 subnet
(2) allow traffic from host 10.1.2.3 only
(3) allow traffic from host 10.1.3.2 only
(4) deny all other traffic
If so, is it working?
The reason I ask is because of the wildcard mask in the 2 lines:
20 permit ip 10.1.2.3 255.255.255.255 any
30 permit ip 10.1.3.2 255.255.255.255 any
Those 2 lines both have an "all ones" wildcard mask. In a wildcard mask the ones are the "I don't care" bits, so technically both of those lines should allow all traffic.
NetMan1958
3rd Dec 2009
I didn't copy our ACL word by word but that is the intent.
(1) allow all traffic from the 10.1.1.0 subnet
(2) allow traffic from host 10.1.2.3 only
(3) allow traffic from host 10.1.3.2 only
(4) deny all other traffic
What I am getting at is that the CoreSwitch should be the only one doing the routing or inter-VLAN routing, while the regular switches should just be passing along the frames. How is it possible that when I applied the ACL on the trunk interface of Switch2 the ACL works? Basically, switches should not be able to work with ACLs using IPs unless they are committed to routing.
kidica
3rd Dec 2009
Lower-end layer 2 switches don't support ACLs, but some of the higher-end switches such as Cisco do. On a layer 2 switch they are "port ACLs" and can only be applied to inbound packets. See this article:
http://www.informit.com/articles/article.aspx?p=1181682&seqNum=4
NetMan1958
4th Dec 2009
Although illogical from what I have learned about layer 2 switches. Oh well...
Port ACL
Port ACLs are similar to Router ACLs but are supported on physical interfaces and configured on Layer 2 interfaces on a switch. Port ACL supports only inbound traffic filtering. Port ACL can be configured as three types of access lists: standard, extended, and MAC-extended.
Processing of the Port ACL is similar to that of the Router ACLs; the switch examines ACLs associated with features configured on a given interface and permits or denies packet forwarding based on packet-matching criteria in the ACL.
When applied to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When applied to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs.
The main benefit with Port ACL is that it can filter IP traffic (using IP access lists) and non-IP traffic (using MAC access lists). Both types of filtering can be achieved; that is, a Layer 2 interface can have both an IP access list and a MAC access list applied to it at the same time.
NOTE
Port ACLs are not supported on EtherChannel interfaces.
kidica
4th Dec 2009
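A worked model of the two points raised above, added here as an example and not code from the original posts, from Cisco or from the quoted article: it parses the posted ACL next to a corrected one that uses the `host` keyword, applies IOS wildcard-mask matching (a 1 bit in the wildcard means "don't care", first match wins, implicit deny at the end), and then runs constructed 802.1Q frames through an inbound trunk model where the port ACL is applied to every VLAN carried on the trunk, as the Port ACL excerpt states. The ACL text follows the thread; the VLAN numbers, the sample hosts, the destination 10.1.5.1 and the allowed-VLAN list are assumptions for the sample.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample ACLs. POSTED_ACL mirrors the thread's entries: lines 20 and 30
# carry 255.255.255.255, which IOS reads as a wildcard mask (all bits "don't care"),
# not a subnet mask. CORRECTED_ACL uses the 'host' keyword instead.
POSTED_ACL = """\
10 permit ip 10.1.1.0 0.0.0.255 any
20 permit ip 10.1.2.3 255.255.255.255 any
30 permit ip 10.1.3.2 255.255.255.255 any
40 deny ip any any
"""
CORRECTED_ACL = """\
10 permit ip 10.1.1.0 0.0.0.255 any
20 permit ip host 10.1.2.3 any
30 permit ip host 10.1.3.2 any
40 deny ip any any
"""
ALL_ONES = 0xFFFFFFFF

@dataclass(frozen=True)
class Ace:
    seq: int
    action: str    # "permit" or "deny"
    src: int       # IPv4 address as a 32-bit int
    src_wild: int  # wildcard mask: 1 bits are ignored when matching
    dst: int
    dst_wild: int

def _addr_spec(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tokens[i]."""
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return addr, wild, i + 2

def parse_acl(text: str) -> List[Ace]:
    """Parse '<seq> permit|deny ip <src> <dst>' lines, ordered by sequence number."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        src, src_wild, i = _addr_spec(tokens, 3)
        dst, dst_wild, _ = _addr_spec(tokens, i)
        aces.append(Ace(seq, action, src, src_wild, dst, dst_wild))
    return sorted(aces, key=lambda a: a.seq)

def _matches(addr: int, ace_addr: int, wild: int) -> bool:
    # Compare only the bits where the wildcard mask is 0.
    return ((addr ^ ace_addr) & ~wild & ALL_ONES) == 0

def evaluate(aces: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match falls to the implicit deny (seq None)."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in aces:
        if _matches(s, ace.src, ace.src_wild) and _matches(d, ace.dst, ace.dst_wild):
            return ace.action, ace.seq
    return "deny", None

@dataclass(frozen=True)
class Frame:
    vlan: Optional[int]  # 802.1Q tag, or None for an untagged frame
    src: str
    dst: str

def trunk_ingress(frames, aces, allowed_vlans, native_vlan=10):
    """Inbound trunk handling: untagged frames join the native VLAN, VLANs outside
    the allowed list are dropped, then the port ACL is applied to every remaining
    frame regardless of its VLAN tag."""
    forwarded = []
    for f in frames:
        vlan = native_vlan if f.vlan is None else f.vlan
        if vlan not in allowed_vlans:
            continue
        if evaluate(aces, f.src, f.dst)[0] == "permit":
            forwarded.append((vlan, f.src, f.dst))
    return forwarded

SAMPLE_FRAMES = [  # constructed traffic arriving on Gi0/1; VLAN numbers are assumed
    Frame(20, "10.1.1.25", "10.1.5.1"),     # permitted subnet, VLAN 20
    Frame(30, "10.1.2.3", "10.1.5.1"),      # permitted host, VLAN 30
    Frame(30, "10.1.2.99", "10.1.5.1"),     # should be denied
    Frame(None, "172.16.0.9", "10.1.5.1"),  # untagged -> native VLAN 10, should be denied
    Frame(99, "10.1.1.25", "10.1.5.1"),     # VLAN 99 is not allowed on the trunk
]

if __name__ == "__main__":
    for name, text in (("posted", POSTED_ACL), ("corrected", CORRECTED_ACL)):
        print(name, trunk_ingress(SAMPLE_FRAMES, parse_acl(text), {10, 20, 30}))
```

With POSTED_ACL every source outside 10.1.1.0/24 is permitted by entry 20, so the deny at 40 is never reached; with CORRECTED_ACL only the two listed hosts get through, on whichever VLAN they arrive. The `allowed_vlans` argument models `switchport trunk allowed vlan`, which the thread rules out for this network, and `native_vlan=10` matches the posted interface configuration; either way the ACL check does not depend on the VLAN tag, which is why a layer 2 port ACL on a trunk filters by IP header without any routing being involved.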
0 Votes
By default VLANs don't pass traffic to other VLANs unless you route traffic between them using a layer 3 device.
So in reality what your ACL is doing is allowing VLANs to talk to each other through routing. It has nothing to do with "regular" switch capabilities. If you hook up 2 "regular" switches and create different VLANs, the different VLANs won't talk to each other until you configure a routing device to route traffic between them. Even on trunk ports. Trunk ports just allow hosts in the same VLAN located on separate physical switches to pass traffic. They don't route between different VLANs.
Updated - 30th Nov 2009
Replies
It's a Cisco 3750 with routing capabilities. We're doing inter-VLAN routing, but no routing protocols.
kidica
30th Nov 2009