
Lab 2.9.4 Catalyst 2950 and 3550 Series Intra-VLAN Security

Objective
Configure intra-VLAN security with Access Control Lists (ACLs) using the command-line interface
(CLI) mode.

Scenario
This lab covers how to configure basic network security on a switch by using Access Control Lists
(ACLs). This requires an enhanced software image to be installed on the switch.
The 3550 switch supports two types of ACL. The first type is IP ACLs, which filter IP traffic
including TCP, UDP, IGMP, and ICMP. The second type is Ethernet ACLs, which filter non-IP traffic.
The 2950 switch supports only IP ACLs.

CCNP 3: Multilayer Switching v 3.0 - Lab 2.9.4
Copyright © 2003, Cisco Systems, Inc.

The 3550 switch supports two applications of ACLs to filter traffic: router ACLs, and VLAN ACLs, also called VLAN maps. The 2950 switch supports router ACLs but not VLAN maps.

Router ACLs access-control routed traffic between VLANs. Router ACLs can be applied on switch virtual interfaces (SVIs), which are Layer 3 interfaces to VLANs, on physical Layer 3 interfaces, and on Layer 3 EtherChannel interfaces. Router ACLs are applied on an interface in a specific direction, inbound or outbound. The enhanced multilayer switch image is required for router ACLs to work.

VLAN ACLs, or VLAN maps, access-control all packets, bridged and routed, so they can be used to filter traffic between devices in the same VLAN. VLAN maps are configured to provide access control based on Layer 3 addresses for IP. Unsupported protocols are access-controlled through MAC addresses using Ethernet access control entries (ACEs). When a VLAN map is applied to a VLAN, all packets that enter the VLAN are checked against the VLAN map. Packets can enter the VLAN through a switch port, or through a routed port after being routed. The enhanced image is not required to create or apply VLAN maps.

VLAN maps can be applied on the switch to all packets that are routed into or out of a VLAN or are bridged within a VLAN. Unlike router ACLs, VLAN maps are not defined by input or output direction. VLAN maps can be configured to match Layer 3 addresses for IP traffic. All non-IP protocols are access-controlled through MAC addresses and Ethertype using MAC VLAN maps; IP traffic is not access-controlled by MAC VLAN maps. VLAN maps can be enforced only on packets going through the switch. They cannot be enforced on traffic between hosts on a hub or on another switch connected to this switch. With VLAN maps, forwarding of a packet is either permitted or denied based on the action specified in the map. VLAN maps are used strictly for security packet filtering.

Step 1
If the same switches and setup from Lab 2.9.3 are used, continue with Step 2. If a different set of switches is used, it is necessary to ensure there is no inappropriate VTP, VLAN, or other configuration present. Disconnect any cables from the switches and power up the switches. Delete the startup configuration and the VLAN database (vlan.dat). Then reload the switches and cable the lab according to the lab diagram. Finally, load the configurations from Lab 2.9.3. Enable VLAN 1 on all switches with the no shutdown interface command. On DLSwitchA, enter the VTP domain name to enable VTP and pruning. Then reenter the VLAN names as follows:

DLSwitchA#vlan database
DLSwitchA(vlan)#vtp domain corp
Changing VTP domain name from NULL to corp
DLSwitchA(vlan)#vtp pruning
Pruning switched ON
DLSwitchA(vlan)#vlan 10 name Accounting
VLAN 10 added:
    Name: Accounting
DLSwitchA(vlan)#vlan 20 name Marketing
VLAN 20 added:
    Name: Marketing
DLSwitchA(vlan)#exit
APPLY completed.
Exiting....

When done, verify connectivity with a ping between switches and between workstations.

Although it is not absolutely necessary, reset ALSwitchA1 and ALSwitchA2 to VTP client mode by issuing the following commands:

ALSwitchA1#vlan database
ALSwitchA1(vlan)#vtp client
Setting device to VTP CLIENT mode.
ALSwitchA1(vlan)#exit
In CLIENT state, no apply attempted.
Exiting....

ALSwitchA2#vlan database
ALSwitchA2(vlan)#vtp client
Setting device to VTP CLIENT mode.
ALSwitchA2(vlan)#exit
In CLIENT state, no apply attempted.
Exiting....

If different switches are used and the Lab 2.9.3 configurations were loaded on these switches, it will not impact successful completion of this lab. However, sample outputs in this lab are based upon the continuation of this lab from Lab 2.9.3 using the same switches and setup. If different switches are used, the output may appear slightly different.

Verify connectivity with a ping between switches and between workstations.

Step 2
Connect a router to port 5 of DLSwitchA to simulate a file server and configure it as follows:

Router#configure terminal
Router(config)#hostname Server
Server(config)#ip http server
Server(config)#interface FastEthernet0/0
Server(config-if)#ip address 10.1.2.30 255.255.255.0
Server(config-if)#no shutdown
Server(config-if)#line console 0
Server(config-line)#password cisco
Server(config-line)#login
Server(config-line)#line vty 0 4
Server(config-line)#password cisco
Server(config-line)#login
Server(config-line)#^z

Verify connectivity with a ping between the Management VLANs of the switches, between workstations, and between the workstations and the router. All ping attempts should be successful.

Step 3
Issue the following to deny ICMP ping access from Workstation A to the server with an ACL on DLSwitchA:

DLSwitchA#configure terminal
DLSwitchA(config)#access-list 101 deny icmp host 10.1.2.10 host 10.1.2.30 echo
DLSwitchA(config)#access-list 101 permit ip any any
DLSwitchA(config)#interface FastEthernet 0/5
DLSwitchA(config-if)#ip access-group 101 in
DLSwitchA(config-if)#^z

The permit ip any any entry is required because every IOS access list ends with an implicit deny; without it, all other traffic on the port would be dropped as well. Note also that a port ACL on a Layer 2 interface of these switches is applied to inbound traffic only, so the list on FastEthernet 0/5 inspects frames that enter the switch from the server. If the echo requests from Workstation A are not being blocked, apply access list 101 inbound on the interface through which Workstation A's traffic enters DLSwitchA, and confirm where the list is applied with show running-config interface.

The ICMP ping traffic from Workstation A to the server should now be blocked. Test the ACL with a ping from Workstation A to the Server (10.1.2.30). The ping should fail.

1. Should a ping from the server to Workstation A (10.1.2.10) be successful? Why?
________________________________________________________________________________
Verify with a ping from the server to Workstation A (10.1.2.10).

2. Should a ping from Workstation B to the server (10.1.2.30) be successful? Why?
________________________________________________________________________________
Verify with a ping from Workstation B to the server (10.1.2.30).

3. Should a ping from Workstation A to Workstation B and another ping back from Workstation B to Workstation A be successful? Why?
________________________________________________________________________________
Verify with a ping from Workstation A (10.1.2.10) to Workstation B (10.1.2.20) or with a ping from Workstation B (10.1.2.20) to Workstation A (10.1.2.10).

Step 4
Issue the following to remove the first access list from DLSwitchA. Then create another one that denies Telnet and HTTP access to the server from Workstation B:

DLSwitchA#configure terminal
DLSwitchA(config)#no access-list 101
DLSwitchA(config)#access-list 101 deny tcp host 10.1.2.20 host 10.1.2.30 eq telnet
DLSwitchA(config)#access-list 101 deny tcp host 10.1.2.20 host 10.1.2.30 eq www
DLSwitchA(config)#access-list 101 permit ip any any
DLSwitchA(config)#^z

It is not necessary to reapply the access list to interface FastEthernet 0/5: the ip access-group 101 in statement stays on the interface and the rebuilt list 101 takes effect as its entries are entered. Be aware that an access group referring to a list that does not exist permits all traffic, so between no access-list 101 and the first new entry the port is briefly unfiltered; on a production switch, build the replacement under a new number or name and then change the access group in one step.

Step 5
Test the new ACL.

1. A ping from Workstation A to the server (10.1.2.30) should now be successful, because the first access list is no longer applied. Verify this with a ping.

2. Should Telnet and HTTP access to the server (10.1.2.30) from Workstation B be successful? Why?
________________________________________________________________________________
Verify by telnetting into the server (10.1.2.30) from Workstation B. Then open a browser on Workstation B and access the server (10.1.2.30) by way of HTTP. Both attempts should fail.

3. Should a ping from the server to Workstation B (10.1.2.20) be successful? Why?
________________________________________________________________________________
Verify with a ping from the Server to Workstation B (10.1.2.20).

4. Open a web browser on Workstation A (10.1.2.10) and attempt to access the server (10.1.2.30) by way of HTTP.
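The following Python script is an added example, not part of the Cisco lab, that models how an IOS extended access list classifies a single packet: wildcard-mask address matching, top-down first-match evaluation, and the implicit deny at the end of the list. It parses the Step 3 and Step 4 lists exactly as typed above, so the "Why?" questions can be checked against it, and it also accepts a subnet-plus-wildcard entry, which goes beyond the host entries the lab uses. The Packet objects are constructed test traffic for the lab's addresses; only the list's verdict is modelled, not the interface or direction the list is applied on.

```python
"""Extended-ACL matcher for the lab's access lists (added example, not
from the Cisco lab). Models how an IOS numbered extended ACL classifies a
packet: entries are tested top to bottom, the first match decides, and a
packet matching no entry is dropped by the implicit deny at the end."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"telnet": 23, "www": 80}    # IOS port keywords used in the lab
ICMP_TYPES = {"echo": 8, "echo-reply": 0}


@dataclass(frozen=True)
class Packet:
    proto: str                        # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None       # TCP/UDP destination port
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches any IP protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


def addr_matches(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit in the mask means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care


def parse_ace(line: str) -> Entry:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] [ICMP-TYPE]'.
    Addresses may be 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'. Only a
    destination-port 'eq' is modelled, which is all the lab's lists use."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line}")
    action, proto, pos = tok[2], tok[3], 4

    def take_addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1], "0.0.0.0"
        pos += 2
        return tok[pos - 2], tok[pos - 1]

    src, src_wild = take_addr()
    dst, dst_wild = take_addr()
    dport = icmp_type = None
    while pos < len(tok):
        if tok[pos] == "eq":
            dport = PORT_NAMES.get(tok[pos + 1]) or int(tok[pos + 1])
            pos += 2
        elif proto == "icmp":
            icmp_type = ICMP_TYPES[tok[pos]] if tok[pos] in ICMP_TYPES else int(tok[pos])
            pos += 1
        else:
            raise ValueError(f"unsupported qualifier {tok[pos]!r}: {line}")
    return Entry(action, proto, src, src_wild, dst, dst_wild, dport, icmp_type)


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First matching entry wins; no match at all is the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not addr_matches(pkt.src, e.src, e.src_wild):
            continue
        if not addr_matches(pkt.dst, e.dst, e.dst_wild):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if e.icmp_type is not None and e.icmp_type != pkt.icmp_type:
            continue
        return e.action
    return "deny"


# Lab addresses: Workstation A, Workstation B and the router acting as server.
WS_A, WS_B, SERVER = "10.1.2.10", "10.1.2.20", "10.1.2.30"
STEP3_ACL = [parse_ace(l) for l in (
    "access-list 101 deny icmp host 10.1.2.10 host 10.1.2.30 echo",
    "access-list 101 permit ip any any")]
STEP4_ACL = [parse_ace(l) for l in (
    "access-list 101 deny tcp host 10.1.2.20 host 10.1.2.30 eq telnet",
    "access-list 101 deny tcp host 10.1.2.20 host 10.1.2.30 eq www",
    "access-list 101 permit ip any any")]


def echo(src: str, dst: str) -> Packet:     # constructed ICMP echo request
    return Packet("icmp", src, dst, icmp_type=ICMP_TYPES["echo"])


def tcp(src: str, dst: str, port: int) -> Packet:   # constructed TCP SYN
    return Packet("tcp", src, dst, dport=port)
```

Running evaluate(STEP3_ACL, echo(WS_A, SERVER)) gives "deny", while the echo from the server to Workstation A, the echo from Workstation B, and the echo between the two workstations all fall through to permit ip any any. Dropping that last entry (STEP3_ACL[:1]) makes every other packet hit the implicit deny, which is why the lab adds it. Under STEP4_ACL only TCP ports 23 and 80 from Workstation B to the server are denied; ICMP from Workstation B and HTTP from Workstation A are permitted.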

Intra-VLAN security with Access Control Lists has now been successfully configured. Refer to the Catalyst 3550 Multilayer Switch Software Configuration Guide and the Catalyst 2950 Desktop Switch Software Configuration Guide for more information about configuring network security on the Cisco Catalyst WS-C3550 and WS-C2950 switches.