Saturday, August 23, 2008

VACL, VLAN Maps & MAC ACL

A while back, more specific in July/14 we talked briefly about VACLs. That was when I took the IPExpert Volume 1 - Section 2: Quad Catalyst (PVST+) Switch Configuration. It´s not a very difficult task to be achieved, but TRICKY!

A friend from India (yeah Vipul, it´s you buddy!) asked me some things about it. So I´ll just elaborate it a while more. Also, at IPExpert CCIE R&S BLS you´ll find more info regarding that in the Security Section. It´s really well explained there! I would take sometime and review it with attention. The first time I watched it, I was like moving back and forward all the time to take notes, and to really stick the info in my head!

So,  starting with the basics... In a L2/L3 switch (like the ones in the CCIE Lab), where we can implement security?! Well, we can do it at the:

  1. Port Level - We can implement an Access-List in a particular port, and that will affect the traffic coming and going out of it (normally, it´ll affect only one host traffic). But imagine to implement that solution in many ports, over several equipment. Not very nice, right?!
  2. SVI - We can also implement an Access-List at the SVI Port! It´ll work everytime your switch is routing traffic between this particular VLAN and some other! Essentially, it´ll filter the traffic passing through the SVI.

Ok! So... Port-Level filters only that particular port.... SVI the routed traffic... and how about the INTRA-VLAN Traffic?! None of them will filter that!

VLAN Access-Lists (or VACL) works exactly there! At the Intra-VLAN Traffic! So everytime you need to filter internal traffic for a particular VLAN, VACL is your choice!

Just a couple more things to have in mind before getting into an example.

  1. IP Packets can only be processed by IP Access-Lists;
  2. Non-IP Packets like ARP, MAC-Addresses, and others can only be processed by MAC Access-Lists.

The MAC Access-Lists will bring all the interesting issues to the table... just check it out!

Let´s suppose for example you have two computers one with MAC Address 000b.dc24.ca47 and the second with the MAC Address 000b.dc25.cb51, both connected to VLAN7, and you want to allow all "non-IP" frames sourced from those two MAC Addresses to be forward anywhere, and also allowing only ICMP for example, denying everything else!

So, we have two different requirements there...

  1. Forward all "non-IP" frames sourced from those two specific MAC Addresses; That requires a MAC Access-List.
  2. Permit only ICMP, denying everyting else. That requires an IP Access-List (the one we´re all used to).

Ok, so let´s create our MAC Access-List:

mac access-list extended AllowThose
permit 000b.dc24.ca47 any
permit 000b.dc25.cb51 any

That will handle the first requirement.

Now the second one IP Access-List allowing ICMP and denying everything else:

access-list 101 permit icmp any any

Ok! Now, we need to create the VACL (or VLAN Maps, which one you preffer to call it) applying those rules:

vlan access-map Filter-VL7 10
action forward
match mac address AllowThose
!
vlan access-map Filter-VL7 20
action forward
match ip address 101
!
vlan access-map Filter-VL7 30
action drop

Now it looks ok, right?! Time to apply it to VLAN7 ?! What do you think about?! Let´s try?!

vlan filter Filter-VL7 vlan-list 7

Now testing! See if you can ping! Not working?! Hmmm... interesting... but why?! Well... I told... The MAC Access-List would bring all the interesting issues to the table! And, in fact,  it did! It´s allowing only those two MAC Address and nothing else! How about ARP?! Do we need it to make things work?! Of course we do! And that´s where we have most confusion! Just keep in mind, the end of an Access-List is always deny any any! So if there are no matching instances for ARP in the MAC Access-List, it´ll be dropped!

How to fix it?! Simple, allow it in the MAC Access-List:

permit any any 0x0806 0x0000
permit any any lsap 0xAAAA 0x0000

But wait a minute! What´s that 0x0806 and lsap 0xAAAA ?! That´s the Ethertypes we´re allowing in our MAC Access-List, first one (0x806) is ARP, and the second one (lsap 0xAAAA) is PVST+. You do not want your switch running unprotected from loops right?! So it´s better to allow it!

For the sake of simplicity, the full configuration would be this one:

mac access-list extended AllowThose
permit 000b.dc24.ca47 any
permit 000b.dc25.cb51 any
permit any any 0x0806 0x0000
permit any any lsap 0xAAAA 0x0000
!
access-list 101 permit icmp any any
!
vlan access-map Filter-VL7 10
action forward
match mac address AllowThose
!
vlan access-map Filter-VL7 20
action forward
match ip address 101
!
vlan access-map Filter-VL7 30
action drop
!
vlan filter Filter-VL7 vlan-list 7

The most common Ethertypes are: (and probably the ones asked in the LAB)

  • 0x0806 = ARP
  • lsap 0xAAAA = PVST+
  • 0x4242 = STP and PVST
  • 0x86DD = IPv6

Again... we need to understand all the little pieces involved in a particular task, and remember about the basics, OSI Model, ARP, and so on! It´s not difficult, but it´s a little confusing at the first time! Just go ahead, drink some watter (I did it several times) come back again, read over, and try some scenarios yourself, don´t have equipment?! Try it on Notepad, just try some, compare with the example, and you´ll see how easy it can be! The best way to learn is trying it yourself! ;)

You can also find a nice explanation about that in the wonderful Arden  Packeer´s Blog, just click here and it´ll direct you to the post.

3 comments:

JP said...

your lab is incorrect!!

the mac access-list you used does match arp traffic...
Ive just labbed it up and
both hosts and the svi interface that the filter is applied to can arp
after clearing all caches.

mac access-list extended AllowThose
permit xxxx.xxxx.xxxx any
permit xxxx.xxxx.xxxx any

Caue said...

Hi JP! How are you?!

Really?! Without the comands:

permit any any 0x0806 0x0000
permit any any lsap 0xAAAA 0x0000

in the MAC Access List ?!

I´ve did it a while back and without those commands no ARP traffic was going through it...

What you´re using to test this topology, I mean, which type of switch (3550, 3560, etc) ?!

I was using a 3560 one... I´ll try again this weekend and see what happens...

Also... the output showed here matches the one in ProctorGuide (at the time written by no one less than mr. Scott Morris) :)

Anyway! Let´s test and see! I let you know!

Thanks!

JC said...

Hey.
Any luck with your labbing?
Im pretty sure.I used a 3550 for this.
My mac acl had 2 entries in the format
permit xxxx.xxxx.xxxx any
permit xxxx.xxxx.xxxx any

All i wanted from the vacl is to allow hosts with certain mac addresses to be able to communicate in a vlan.

vlan access-map X
match mac address X
action forward

Thats the only config i needed. The implicit deny any at the end of the mac acl will drop all other L2 traffic you dont specify like STP. ARP is included in the mac-acl entries because of the any statement.