
Lab 2.9.4 Catalyst 2950 and 3550 Series Intra-VLAN Security

Objective
Configure intra-VLAN security with Access Control Lists (ACLs) using the command-line interface
(CLI) mode.

Scenario
This lab will cover how to configure basic network security on a switch by using Access Control Lists
(ACLs). This will require an enhanced software image to be installed on the switch.
The 3550 switch supports two types of ACL. The first type is IP ACLs, which filter IP traffic,
including TCP, UDP, IGMP, and ICMP. The second type is Ethernet ACLs, which filter non-IP traffic.
The 2950 switch supports only IP ACLs.

1-5

CCNP 3: Multilayer Switching v 3.0 - Lab 2.9.4

Copyright 2003, Cisco Systems, Inc.

The 3550 switch supports two applications of ACLs to filter traffic: router ACLs and VLAN ACLs, also
called VLAN maps. The 2950 switch supports only router ACLs.
Router ACLs access-control routed traffic between VLANs. The enhanced multilayer switch image is
required for this to work. Router ACLs can be applied on switch virtual interfaces (SVIs), which are
Layer 3 interfaces to VLANs, on physical Layer 3 interfaces, and on Layer 3 EtherChannel
interfaces. Router ACLs are applied to an interface in a specific direction, either inbound or
outbound.
VLAN ACLs or VLAN maps access-control all packets, bridged and routed. VLAN maps can be used
to filter traffic between devices in the same VLAN. The enhanced image is not required to create or
apply VLAN maps. VLAN maps are configured to provide access-control, which is based on Layer 3
addresses for IP. Unsupported protocols are access-controlled through MAC addresses using
Ethernet access control entries (ACEs).
When a VLAN map is applied to a VLAN, all packets that enter the VLAN will be checked against the
VLAN map. All packets, those routed or bridged, are checked. Packets can enter the VLAN through
a switch port. They can also enter through a routed port after being routed.
VLAN maps can access-control all traffic. VLAN maps can be applied on the switch to all packets
that are routed into or out of a VLAN or are bridged within a VLAN. VLAN maps are used strictly for
security packet filtering. Unlike router ACLs, VLAN maps are not defined by input or output.
VLAN maps can be configured to match Layer 3 addresses for IP traffic. All non-IP protocols are
access-controlled through MAC addresses and Ethertype using MAC VLAN maps. IP traffic is not
access-controlled by MAC VLAN maps. VLAN maps can be enforced only on packets going through
the switch. VLAN maps cannot be enforced on traffic between hosts on a hub or on another switch
connected to this switch.
With VLAN maps, forwarding of packets is either permitted or denied. This will be based on the
action specified in the map.

Step 1
If the same switches and setup from Lab 2.9.3 are used, verify connectivity with a ping between
switches and between workstations. When done, then continue with Step 2.
If a different set of switches is used, it is necessary to ensure that no inappropriate VTP or VLAN
information, or other configurations, are present. Disconnect any cables from the switches and power
up the switches. Delete the startup configuration and the VLAN database (vlan.dat). Then reload the
switches and cable the lab according to the lab diagram. Finally, load the configurations from Lab
2.9.3.
Enable VLAN 1 on all switches with the no shutdown interface command.
On DLSwitchA, enter the VTP domain name to enable VTP and pruning. Then reenter the VLAN
names as follows:
DLSwitchA#vlan database
DLSwitchA(vlan)#vtp domain corp
Changing VTP domain name from NULL to corp
DLSwitchA(vlan)#vtp pruning
Pruning switched ON
DLSwitchA(vlan)#vlan 10 name Accounting
VLAN 10 added:
Name: Accounting
DLSwitchA(vlan)#vlan 20 name Marketing
VLAN 20 added:
Name: Marketing
DLSwitchA(vlan)#exit
APPLY completed.
Exiting....


Although it is not absolutely necessary, reset ALSwitchA1 and ALSwitchA2 to the VTP client mode
by issuing the following commands:
ALSwitchA1#vlan database
ALSwitchA1(vlan)#vtp client
Setting device to VTP CLIENT mode.
ALSwitchA1(vlan)#exit
In CLIENT state, no apply attempted.
Exiting....
ALSwitchA2#vlan database
ALSwitchA2(vlan)#vtp client
Setting device to VTP CLIENT mode.
ALSwitchA2(vlan)#exit
In CLIENT state, no apply attempted.
Exiting....

Verify connectivity with a ping between switches and between workstations.


Sample outputs in this lab are based upon the continuation of this lab from Lab 2.9.3 using the same
switches and setup. If different switches are used and the Lab 2.9.3 configurations were loaded on
these switches, the output may appear slightly different. However, it will not impact successful
completion of this lab.

Step 2
Connect a router to port 5 of DLSwitchA to simulate a file server and configure it as follows:
Router#configure terminal
Router(config)#hostname Server
Server(config)#ip http server
Server(config)#interface FastEthernet0/0
Server(config-if)#ip address 10.1.2.30 255.255.255.0
Server(config-if)#no shutdown
Server(config-if)#line console 0
Server(config-line)#password cisco
Server(config-line)#login
Server(config-line)#line vty 0 4
Server(config-line)#password cisco
Server(config-line)#login
Server(config-line)#^z

Verify connectivity with a ping between the Management VLANs of the switches, between
workstations, and between the workstations and router. All ping attempts should be successful.

Step 3
Issue the following on DLSwitchA to create an ACL that denies ICMP ping access from Workstation A to
the server:
DLSwitchA#configure terminal
DLSwitchA(config)#access-list 101 deny icmp host 10.1.2.10 host 10.1.2.30 echo
DLSwitchA(config)#access-list 101 permit ip any any
DLSwitchA(config)#interface FastEthernet 0/5
DLSwitchA(config-if)#ip access-group 101 in
DLSwitchA(config-if)#^z

The ICMP ping traffic from Workstation A to the server should now be blocked.
Test the ACL with a ping from Workstation A to the Server (10.1.2.30). The ping should fail.

1. Should a ping from the server to Workstation A (10.1.2.10) be successful? Why?
________________________________________________________________________________
________________________________________________________________________________
Verify with a ping from the server to Workstation A (10.1.2.10).
2. Should a ping from the server to Workstation B (10.1.2.20) be successful? Why?
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
Verify with a ping from the Server to Workstation B (10.1.2.20).
3. Should a ping from Workstation A to Workstation B and another ping back from Workstation
B to Workstation A be successful? Why?
________________________________________________________________________________
Verify with a ping from Workstation A (10.1.2.10) to Workstation B (10.1.2.20) or with a ping from
Workstation B (10.1.2.20) to Workstation A (10.1.2.10).

Step 4
Issue the following to remove the first access list from DLSwitchA. Then create another one that
will deny Telnet and HTTP access to the server from Workstation B:
DLSwitchA#configure terminal
DLSwitchA(config)#no access-list 101
DLSwitchA(config)#access-list 101 deny tcp host 10.1.2.20 host 10.1.2.30 eq telnet
DLSwitchA(config)#access-list 101 deny tcp host 10.1.2.20 host 10.1.2.30 eq www
DLSwitchA(config)#access-list 101 permit ip any any
DLSwitchA(config)#^z

It is not necessary to reapply the access list to interface FastEthernet 0/5.


A ping from Workstation A to the server (10.1.2.30) should now be successful, because the first
access list is no longer applicable. Verify this with a ping.
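The following Python script is an added example and is not part of the original Cisco lab; it runs on a workstation, not on the switch. It parses the access-list 101 lines from Step 3 and Step 4 exactly as they are typed on DLSwitchA, applies the ordered, first-match evaluation that IOS uses, including the implicit deny at the end of every list and the fact that a list with no entries permits everything (which is why Step 4 can rebuild ACL 101 without reapplying it to FastEthernet 0/5), and reports which entry decides each of the lab's test flows. The addresses 10.1.2.10, 10.1.2.20 and 10.1.2.30 come from the lab; the class and function names, the port-name table and the constructed packet flows are this example's own assumptions. The parser also accepts address/wildcard-mask pairs, which goes beyond the host and any keywords the lab uses.

```python
# Added example (not from the Cisco lab): parse the lab's 'access-list 101' lines
# and apply IOS first-match evaluation with the implicit deny at the end of the list.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

TCP_PORT_NAMES = {"telnet": 23, "www": 80, "ftp": 21, "smtp": 25}   # IOS port keywords
ICMP_TYPE_NAMES = {"echo": 8, "echo-reply": 0}                       # IOS ICMP type keywords
WORKSTATION_A, WORKSTATION_B, SERVER = "10.1.2.10", "10.1.2.20", "10.1.2.30"  # lab addresses

STEP3 = ["access-list 101 deny icmp host 10.1.2.10 host 10.1.2.30 echo",   # exact Step 3 lines
         "access-list 101 permit ip any any"]
STEP4 = ["no access-list 101",                                             # exact Step 4 lines
         "access-list 101 deny tcp host 10.1.2.20 host 10.1.2.30 eq telnet",
         "access-list 101 deny tcp host 10.1.2.20 host 10.1.2.30 eq www",
         "access-list 101 permit ip any any"]

@dataclass
class Packet:
    proto: str                        # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None       # TCP/UDP destination port
    icmp_type: Optional[int] = None   # ICMP type number (8 = echo request)

@dataclass
class Ace:                            # one access control entry, kept in list order
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every IP protocol
    src: Tuple[str, str]              # (address, wildcard mask)
    dst: Tuple[str, str]
    dport: Optional[int]              # from "eq <port>" on tcp/udp entries
    icmp_type: Optional[int]          # from a trailing type keyword on icmp entries
    text: str                         # the original line, reported on a match

def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Read 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def _addr_match(ip: str, spec: Tuple[str, str]) -> bool:
    to_int = lambda d: int.from_bytes(bytes(int(x) for x in d.split(".")), "big")
    net, wild = spec
    care = ~to_int(wild) & 0xFFFFFFFF   # a wildcard bit of 1 means "don't care"
    return (to_int(ip) & care) == (to_int(net) & care)

class NumberedAcls:
    def __init__(self, lines: Iterable[str] = ()) -> None:
        self.lists: Dict[int, List[Ace]] = {}   # ACL number -> entries in configured order
        for line in lines:
            self.configure(line)

    def configure(self, line: str) -> None:
        tokens = line.split()
        if tokens[:2] == ["no", "access-list"]:   # 'no access-list N' drops the whole list
            self.lists.pop(int(tokens[2]), None)
            return
        number, action, proto = int(tokens[1]), tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        dport = icmp_type = None
        if i < len(tokens) and proto in ("tcp", "udp") and tokens[i] == "eq":
            p = tokens[i + 1]
            dport = TCP_PORT_NAMES[p] if p in TCP_PORT_NAMES else int(p)
        elif i < len(tokens) and proto == "icmp":
            t = tokens[i]
            icmp_type = ICMP_TYPE_NAMES[t] if t in ICMP_TYPE_NAMES else int(t)
        self.lists.setdefault(number, []).append(Ace(action, proto, src, dst, dport, icmp_type, line))

    def evaluate(self, number: int, pkt: Packet) -> Tuple[str, str]:
        """First matching entry decides; a list with no entries permits everything."""
        aces = self.lists.get(number, [])
        if not aces:   # IOS behaviour that Step 4 relies on when it rebuilds ACL 101 in place
            return "permit", "access-list has no entries"
        for ace in aces:
            if ace.proto not in ("ip", pkt.proto):
                continue
            if not (_addr_match(pkt.src, ace.src) and _addr_match(pkt.dst, ace.dst)):
                continue
            if ace.dport is not None and ace.dport != pkt.dport:
                continue
            if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
                continue
            return ace.action, ace.text
        return "deny", "implicit deny ip any any"

def ping(src: str, dst: str) -> Packet:            # ICMP echo request, as sent by 'ping'
    return Packet("icmp", src, dst, icmp_type=ICMP_TYPE_NAMES["echo"])

if __name__ == "__main__":                         # the lab's own test flows, constructed here
    flows = [("ping A -> server", ping(WORKSTATION_A, SERVER)),
             ("telnet B -> server", Packet("tcp", WORKSTATION_B, SERVER, dport=23)),
             ("telnet A -> server", Packet("tcp", WORKSTATION_A, SERVER, dport=23))]
    for label, lines in (("Step 3", STEP3), ("Step 4", STEP3 + STEP4)):
        for name, pkt in flows:
            print(f"after {label}: {name:20s}", *NumberedAcls(lines).evaluate(101, pkt))
```

The evaluator models only how the entries match a packet. Which packets are submitted to the list at all depends on the interface and direction named in the ip access-group command, so the pings and Telnet attempts the lab prescribes remain the authoritative check. Note also that the Step 3 entry names the ICMP type echo, so echo replies travelling in the other direction are matched only by the permit entry; the Step 4 list, for its part, says nothing about SSH or any other port, so anything but Telnet and HTTP from Workstation B falls through to the permit.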

Step 5
Test the new ACL. Attempt to telnet from Workstation B to the server (10.1.2.30), then open a web
browser and attempt to access the server (10.1.2.30). Both attempts should fail.
1. Should a ping from Workstation B to the server (10.1.2.30) be successful? Why?
________________________________________________________________________________
Verify with a ping from Workstation B to the server (10.1.2.30).
2. Should Telnet and HTTP access to the server (10.1.2.30) from Workstation A (10.1.2.10) be
successful? Why?
________________________________________________________________________________
________________________________________________________________________________
Verify by telnetting into the server (10.1.2.30) from Workstation B. Then open a browser in
Workstation B and access the server (10.1.2.30) by way of HTTP.

Intra-VLAN security with Access Control Lists has now been successfully configured.
Refer to the Catalyst 3550 Multilayer Switch Software Configuration Guide and the Catalyst 2950
Desktop Switch Software Configuration Guide for more information about configuring network
security on the Cisco Catalyst WS-C3550 and WS-C2950 switches.
