Lab 2.9.4 Catalyst 2950 and 3550 Series Intra-VLAN Security

Objective
Configure intra-VLAN security with Access Control Lists (ACLs) using the command-line interface
(CLI) mode.

Scenario
This lab will cover how to configure basic network security on a switch by using Access Control Lists
(ACLs). This will require an enhanced software image to be installed on the switch.
The 3550 switch supports two types of ACL. The first type is IP ACLs, which filter IP traffic, including TCP, UDP, IGMP, and ICMP. The second type is Ethernet (MAC) ACLs, which filter non-IP traffic. The 2950 switch supports only IP ACLs.

CCNP 3: Multilayer Switching v 3.0 - Lab 2.9.4
Copyright © 2003, Cisco Systems, Inc.

The 3550 switch supports two applications of ACLs to filter traffic: router ACLs and VLAN ACLs, also called VLAN maps. The 2950 switch supports only router ACLs.

Router ACLs access-control routed traffic between VLANs. Router ACLs are applied on interfaces in a specific direction, inbound or outbound. Router ACLs can be applied on switch virtual interfaces (SVIs), which are Layer 3 interfaces to VLANs, on physical Layer 3 interfaces, and on Layer 3 EtherChannel interfaces. The enhanced multilayer switch image is required for this to work.

VLAN ACLs, or VLAN maps, access-control all packets, bridged and routed. VLAN maps can be used to filter traffic between devices in the same VLAN. VLAN maps are configured to provide access control based on Layer 3 addresses for IP. Unsupported protocols are access-controlled through MAC addresses using Ethernet access control entries (ACEs). When a VLAN map is applied to a VLAN, all packets that enter the VLAN are checked against the VLAN map. Packets can enter the VLAN through a switch port, or through a routed port after being routed. The enhanced image is not required to create or apply VLAN maps.

VLAN maps can be applied on the switch to all packets that are routed into or out of a VLAN or are bridged within a VLAN. VLAN maps are used strictly for security packet filtering. Unlike router ACLs, VLAN maps are not defined by input or output direction: all packets, whether routed or bridged, are checked, and forwarding is either permitted or denied based on the action specified in the map. VLAN maps can be configured to match Layer 3 addresses for IP traffic. All non-IP protocols are access-controlled through MAC addresses and Ethertype using MAC VLAN maps; IP traffic is not access-controlled by MAC VLAN maps. VLAN maps can be enforced only on packets going through the switch. They cannot be enforced on traffic between hosts on a hub or on another switch connected to this switch.

Step 1
If the same switches and setup from Lab 2.9.3 are used, load the configurations from Lab 2.9.3 and continue with Step 2.

If a different set of switches is used, it is necessary to ensure that no inappropriate VTP or VLAN information, or other configuration, is present. Disconnect any cables from the switches and power up the switches. Delete the startup configuration and the VLAN database (vlan.dat). Then reload the switches and cable the lab according to the lab diagram. Enable VLAN 1 on all switches with the no shutdown interface command. On DLSwitchA, enter the VTP domain name to enable VTP and pruning. Then reenter the VLAN names as follows:

DLSwitchA#vlan database
DLSwitchA(vlan)#vtp domain corp
Changing VTP domain name from NULL to corp
DLSwitchA(vlan)#vtp pruning
Pruning switched ON
DLSwitchA(vlan)#vlan 10 name Accounting
VLAN 10 added:
    Name: Accounting
DLSwitchA(vlan)#vlan 20 name Marketing
VLAN 20 added:
    Name: Marketing
DLSwitchA(vlan)#exit
APPLY completed.
Exiting....

When done, verify connectivity with a ping between switches and between workstations.

Although it is not absolutely necessary, reset ALSwitchA1 and ALSwitchA2 to VTP client mode by issuing the following commands:

ALSwitchA1#vlan database
ALSwitchA1(vlan)#vtp client
Setting device to VTP CLIENT mode.
ALSwitchA1(vlan)#exit
In CLIENT state, no apply attempted.
Exiting....

ALSwitchA2#vlan database
ALSwitchA2(vlan)#vtp client
Setting device to VTP CLIENT mode.
ALSwitchA2(vlan)#exit
In CLIENT state, no apply attempted.
Exiting....

Verify connectivity with a ping between switches and between workstations.

Sample outputs in this lab are based upon the continuation of this lab from Lab 2.9.3 using the same switches and setup. If different switches are used and the Lab 2.9.3 configurations were loaded on them, the output may appear slightly different. However, this will not impact successful completion of this lab.

Step 2
Connect a router to port 5 of DLSwitchA to simulate a file server and configure it as follows:

Router#configure terminal
Router(config)#hostname Server
Server(config)#ip http server
Server(config)#interface FastEthernet0/0
Server(config-if)#ip address 10.1.1.30 255.255.255.0
Server(config-if)#no shutdown
Server(config-if)#line console 0
Server(config-line)#password cisco
Server(config-line)#login
Server(config-line)#line vty 0 4
Server(config-line)#password cisco
Server(config-line)#login
Server(config-line)#^Z

Verify connectivity with a ping between the Management VLANs of the switches, between workstations, and between the workstations and the router. All ping attempts should be successful.

Step 3
Issue the following on DLSwitchA to create an ACL that denies ICMP ping (echo request) access from Workstation A to the server, and apply it to the server port:

DLSwitchA#configure terminal
DLSwitchA(config)#access-list 101 deny icmp host 10.1.1.10 host 10.1.1.30 echo
DLSwitchA(config)#access-list 101 permit ip any any
DLSwitchA(config)#interface FastEthernet 0/5
DLSwitchA(config-if)#ip access-group 101 in
DLSwitchA(config-if)#^Z

The first entry matches only ICMP echo requests (the echo keyword) from 10.1.1.10 to 10.1.1.30. The permit ip any any entry is required because every access list ends with an implicit deny of all other traffic. Entries are evaluated from the top down and the first match wins.

The ICMP ping traffic from Workstation A to the server should now be blocked. Test the ACL with a ping from Workstation A to the server (10.1.1.30). The ping should fail.

Note on direction: ip access-group 101 in on FastEthernet 0/5 examines frames as they enter the switch on that port, that is, frames sent by the server. It does not see the echo requests from Workstation A, which enter DLSwitchA on the link from the access switch. If the ping from Workstation A still succeeds, this is the reason. The deny entries only take effect where Workstation A's traffic enters a switch (the port facing Workstation A) or, on the 3550, in a VLAN map on the hosts' VLAN, which checks bridged traffic regardless of direction. Use show access-lists 101 to review the list; on these switches the per-entry match counters do not include packets filtered in hardware, so rely on the pings, not the counters, to confirm the result.

1. Should a ping from the server to Workstation A (10.1.1.10) be successful? Why?
________________________________________________________________________________
________________________________________________________________________________
Verify with a ping from the server to Workstation A (10.1.1.10).

2. Should a ping from Workstation B to the server (10.1.1.30) be successful? Why?
________________________________________________________________________________
Verify with a ping from Workstation B to the server (10.1.1.30).

3. Should a ping from Workstation A to Workstation B and another ping back from Workstation B to Workstation A be successful? Why?
________________________________________________________________________________
Verify with a ping from Workstation A (10.1.1.10) to Workstation B (10.1.1.20) or with a ping from Workstation B (10.1.1.20) to Workstation A (10.1.1.10).

Step 4
Issue the following to remove the first access list from DLSwitchA, then create another one that denies Telnet and HTTP access to the server from Workstation B:

DLSwitchA#configure terminal
DLSwitchA(config)#no access-list 101
DLSwitchA(config)#access-list 101 deny tcp host 10.1.1.20 host 10.1.1.30 eq telnet
DLSwitchA(config)#access-list 101 deny tcp host 10.1.1.20 host 10.1.1.30 eq www
DLSwitchA(config)#access-list 101 permit ip any any
DLSwitchA(config)#^Z

It is not necessary to reapply the access list to interface FastEthernet 0/5: the ip access-group 101 in command stays on the interface and takes effect again as soon as list 101 is re-created. Two points to be aware of: no access-list 101 removes the whole numbered list (entries of a numbered list cannot be edited or inserted individually, which is why the list is deleted and rebuilt), and while the list does not exist the interface permits all traffic, because an access group that refers to an undefined list does not filter anything. Review the result with show access-lists 101. The direction note from Step 3 applies here as well: these entries match traffic sent by Workstation B, which does not enter the switch on FastEthernet 0/5.

Step 5
Test the new ACL. Attempt to telnet from Workstation B to the server (10.1.1.30), then open a web browser in Workstation B and attempt to access the server (10.1.1.30) by way of HTTP. Both attempts should fail.

A ping from Workstation A to the server (10.1.1.30) should now be successful, because the first access list is no longer applicable. Verify this with a ping.

1. Should a ping from the server to Workstation A (10.1.1.10) be successful? Why?
________________________________________________________________________________
________________________________________________________________________________
Verify with a ping from the server to Workstation A (10.1.1.10).

2. Should a ping from the server to Workstation B (10.1.1.20) be successful? Why?
________________________________________________________________________________
________________________________________________________________________________
Verify with a ping from the server to Workstation B (10.1.1.20).

3. Should a ping from Workstation B to the server (10.1.1.30) be successful? Why?
________________________________________________________________________________
Verify with a ping from Workstation B to the server (10.1.1.30).

4. Should Telnet and HTTP access to the server (10.1.1.30) from Workstation A (10.1.1.10) be successful? Why?
________________________________________________________________________________
________________________________________________________________________________
Verify by telnetting into the server (10.1.1.30) from Workstation A (10.1.1.10), then open a browser and access the server (10.1.1.30) by way of HTTP.
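The Scenario describes VLAN maps, but the lab itself only applies an inbound port access list on the server port. The configuration below is an added example, not part of the Cisco lab: it expresses the Step 3 and Step 4 policies together as a VLAN map on DLSwitchA (3550 only), which checks every packet bridged within the VLAN in both directions, and then shows the same deny entries placed as inbound port access lists on the access switches for a 2950, where no VLAN map exists. The access-list and access-map names, the assumption that the three hosts share VLAN 1, and the access-port numbers on ALSwitchA1 and ALSwitchA2 are assumptions made for the example; the host addresses are the lab's.

```cisco
! Added example (not from the lab). Names, VLAN 1 and the 2950 port
! numbers are assumptions; the addresses are the lab's.
!
! ---- DLSwitchA (Catalyst 3550): Step 3 + Step 4 policies as one VLAN map
! The named ACLs only SELECT traffic: "permit" here means "this entry
! matches", not "allow". The drop/forward decision is made in the map.
ip access-list extended WSA-PING-TO-SERVER
 permit icmp host 10.1.1.10 host 10.1.1.30 echo
!
ip access-list extended WSB-TELNET-HTTP-TO-SERVER
 permit tcp host 10.1.1.20 host 10.1.1.30 eq telnet
 permit tcp host 10.1.1.20 host 10.1.1.30 eq www
!
! Map entries are evaluated in sequence order; the first match wins.
vlan access-map SERVER-POLICY 10
 match ip address WSA-PING-TO-SERVER
 action drop
vlan access-map SERVER-POLICY 20
 match ip address WSB-TELNET-HTTP-TO-SERVER
 action drop
! Entry 30 has no match clause, so it matches everything else (IP and
! non-IP, ARP included) and forwards it. Without it, IP packets matching
! no entry would be dropped by the map's implicit deny.
vlan access-map SERVER-POLICY 30
 action forward
!
! Apply the map to the VLAN the workstations and the server share
! (VLAN 1 assumed). Direction is irrelevant: bridged packets from
! Workstation A to the server are checked wherever they enter the VLAN.
vlan filter SERVER-POLICY vlan-list 1
!
! ---- Catalyst 2950 alternative (no VLAN maps): the same inbound port
! access-group the lab uses, but on the port where each workstation's
! traffic ENTERS a switch, so the source addresses in the deny entries
! can actually match. Fa0/6 on both access switches is an assumption.
!
! On ALSwitchA1 (Workstation A attached to Fa0/6, assumed):
access-list 101 deny icmp host 10.1.1.10 host 10.1.1.30 echo
access-list 101 permit ip any any
interface FastEthernet 0/6
 ip access-group 101 in
!
! On ALSwitchA2 (Workstation B attached to Fa0/6, assumed):
access-list 102 deny tcp host 10.1.1.20 host 10.1.1.30 eq telnet
access-list 102 deny tcp host 10.1.1.20 host 10.1.1.30 eq www
access-list 102 permit ip any any
interface FastEthernet 0/6
 ip access-group 102 in
```

On the 3550, confirm the map and its binding with show vlan access-map SERVER-POLICY and show vlan filter, then repeat the Step 3 and Step 5 pings and the Telnet and browser tests. Because this map carries both policies at once, the Workstation A ping to the server stays blocked even after Step 4, unlike the lab's delete-and-rebuild sequence, where only one numbered list is active at a time.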

Intra-VLAN security with Access Control Lists has now been successfully configured. Refer to the Catalyst 3550 Multilayer Switch Software Configuration Guide and the Catalyst 2950 Desktop Switch Software Configuration Guide for more information about configuring network security on the Cisco Catalyst WS-C3550 and WS-C2950 switches.