Lab 2.9.4 Catalyst 2950 and 3550 Series Intra-VLAN Security

Objective
Configure intra-VLAN security with Access Control Lists (ACLs) using the command-line interface
(CLI) mode.

Scenario
This lab will cover how to configure basic network security on a switch by using Access Control Lists
(ACLs). This will require an enhanced software image to be installed on the switch.
The 3550 switch supports two types of ACLs. The first type is IP ACLs, which filter IP traffic,
including TCP, UDP, IGMP, and ICMP. The second type is Ethernet ACLs, which filter non-IP traffic.
The 2950 switch supports only IP ACLs.


CCNP 3: Multilayer Switching v 3.0 - Lab 2.9.4

Copyright © 2003, Cisco Systems, Inc.

The 3550 switch supports two applications of ACLs to filter traffic: router ACLs and VLAN ACLs, also
called VLAN maps. The 2950 switch supports only router ACLs.

Router ACLs access-control routed traffic between VLANs. Router ACLs can be applied on switch virtual
interfaces (SVIs), which are Layer 3 interfaces to VLANs, on physical Layer 3 interfaces, and on Layer 3
EtherChannel interfaces. Router ACLs are applied on interfaces for a specific direction, either inbound
or outbound. The enhanced multilayer switch image is required for this to work.

VLAN ACLs, or VLAN maps, access-control all packets, both bridged and routed. VLAN maps can be used to
filter traffic between devices in the same VLAN. VLAN maps are configured to provide access control
based on Layer 3 addresses for IP. Unsupported protocols are access-controlled through MAC addresses
using Ethernet access control entries (ACEs). When a VLAN map is applied to a VLAN, all packets that
enter the VLAN are checked against the VLAN map. Packets can enter the VLAN through a switch port, or
through a routed port after being routed. The enhanced image is not required to create or apply VLAN
maps.

VLAN maps can be applied on the switch to all packets that are routed into or out of a VLAN or are
bridged within a VLAN. VLAN maps are used strictly for security packet filtering. Unlike router ACLs,
VLAN maps are not defined by input or output. VLAN maps can be enforced only on packets going through
the switch; they cannot be enforced on traffic between hosts on a hub or on another switch connected
to this switch.

With VLAN maps, forwarding of a packet is either permitted or denied, based on the action specified in
the map. All packets, whether routed or bridged, are checked, so VLAN maps can access-control all
traffic. VLAN maps can be configured to match Layer 3 addresses for IP traffic. All non-IP protocols
are access-controlled through MAC addresses and Ethertype using MAC VLAN maps; IP traffic is not
access-controlled by MAC VLAN maps.

Step 1
If the same switches and setup from Lab 2.9.3 are used, load the configurations from Lab 2.9.3, then
continue with Step 2. If a different set of switches is used, it is necessary to ensure there are no
inappropriate VTP, VLAN information, or other configurations present. Disconnect any cables from the
switches and power up the switches. Delete the startup configuration and the VLAN database (vlan.dat).
Then reload the switches and cable the lab according to the lab diagram. Enable VLAN 1 on all switches
with the no shutdown interface command. On DLSwitchA, enter the VTP domain name to enable VTP and
pruning. Then reenter the VLAN names as follows:

DLSwitchA#vlan database
DLSwitchA(vlan)#vtp domain corp
Changing VTP domain name from NULL to corp
DLSwitchA(vlan)#vtp pruning
Pruning switched ON
DLSwitchA(vlan)#vlan 10 name Accounting
VLAN 10 added:
    Name: Accounting
DLSwitchA(vlan)#vlan 20 name Marketing
VLAN 20 added:
    Name: Marketing
DLSwitchA(vlan)#exit
APPLY completed.
Exiting....

Finally, verify connectivity with a ping between switches and between workstations.

Although it is not absolutely necessary, reset ALSwitchA1 and ALSwitchA2 to the VTP client mode by
issuing the following commands:

ALSwitchA1#vlan database
ALSwitchA1(vlan)#vtp client
Setting device to VTP CLIENT mode.
ALSwitchA1(vlan)#exit
In CLIENT state, no apply attempted.
Exiting....

ALSwitchA2#vlan database
ALSwitchA2(vlan)#vtp client
Setting device to VTP CLIENT mode.
ALSwitchA2(vlan)#exit
In CLIENT state, no apply attempted.
Exiting....

Verify connectivity with a ping between switches and between workstations.

Step 2
Connect a router to port 5 of DLSwitchA to simulate a file server and configure it as follows:

Router#configure terminal
Router(config)#hostname Server
Server(config)#ip http server
Server(config)#interface FastEthernet0/0
Server(config-if)#ip address 10.1.1.30 255.255.255.0
Server(config-if)#no shutdown
Server(config-if)#line console 0
Server(config-line)#password cisco
Server(config-line)#login
Server(config-line)#line vty 0 4
Server(config-line)#password cisco
Server(config-line)#login
Server(config-line)#^z

Verify connectivity with a ping between the Management VLANs of the switches, between workstations,
and between the workstations and the router. All ping attempts should be successful.

Sample outputs in this lab are based upon the continuation of this lab from Lab 2.9.3 using the same
switches and setup. If different switches are used and the Lab 2.9.3 configurations were loaded on
these switches, the output may appear slightly different. However, it will not impact successful
completion of this lab.

Step 3
Issue the following on DLSwitchA to create an ACL that denies ICMP ping access from Workstation A to
the server:

DLSwitchA#configure terminal
DLSwitchA(config)#access-list 101 deny icmp host 10.1.1.10 host 10.1.1.30 echo
DLSwitchA(config)#access-list 101 permit ip any any
DLSwitchA(config)#interface FastEthernet 0/5
DLSwitchA(config-if)#ip access-group 101 in
DLSwitchA(config-if)#^z

Test the ACL with a ping from Workstation A to the server (10.1.1.30). The ping should fail.

1. Should a ping from Workstation A to Workstation B and another ping back from Workstation B to
Workstation A be successful? Why?
________________________________________________________________________________
Verify with a ping from Workstation A (10.1.1.10) to Workstation B (10.1.1.20) or with a ping from
Workstation B (10.1.1.20) to Workstation A (10.1.1.10).

2. Should a ping from the server to Workstation B (10.1.1.20) be successful? Why?
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
Verify with a ping from the server to Workstation B (10.1.1.20).

3. Should a ping from the server to Workstation A (10.1.1.10) be successful? Why?
________________________________________________________________________________
________________________________________________________________________________
Verify with a ping from the server to Workstation A (10.1.1.10).

Step 4
Issue the following to remove the first access list from DLSwitchA. Then create another one that
denies Telnet and HTTP access to the server from Workstation B:

DLSwitchA#configure terminal
DLSwitchA(config)#no access-list 101
DLSwitchA(config)#access-list 101 deny tcp host 10.1.1.20 host 10.1.1.30 eq telnet
DLSwitchA(config)#access-list 101 deny tcp host 10.1.1.20 host 10.1.1.30 eq www
DLSwitchA(config)#access-list 101 permit ip any any
DLSwitchA(config)#^z

It is not necessary to reapply the access list to interface FastEthernet 0/5: the interface is still
bound to access list 101, so the first list no longer applies and the new list 101 takes effect as
soon as it is created.

Step 5
Test the new ACL. Attempt to telnet from Workstation B to the server (10.1.1.30). Then open a browser
on Workstation B and access the server (10.1.1.30). Both attempts should fail.

A ping from Workstation A to the server (10.1.1.30) should now be successful. Verify this with a ping.

1. Should Telnet and HTTP access to the server (10.1.1.30) from Workstation A (10.1.1.10) be
successful? Why?
________________________________________________________________________________
________________________________________________________________________________
Verify by telnetting into the server (10.1.1.30) from Workstation A, then open a web browser and
attempt to access the server (10.1.1.30) by way of HTTP.

2. Should a ping from Workstation B to the server (10.1.1.30) be successful? Why?
________________________________________________________________________________
Verify with a ping from Workstation B to the server (10.1.1.30).
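The two versions of access list 101 (Steps 3 and 4) and the VLAN-map behaviour described in the Scenario can be checked offline before touching the switch. The following Python is an added example and not part of the Cisco lab: it models how IOS evaluates an extended access list (entries tested top-down, first match wins, implicit deny at the end) and how a Catalyst 3550 VLAN map applies clause actions to every packet in the VLAN regardless of the port it entered on. The Packet and Ace classes, the acl_action, vlan_map_action and lab_results functions, and the default-drop rule for a VLAN map with no matching clause are this example's own; the workstation and server addresses are the lab's, used here as constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample addressing from the lab: Workstation A, Workstation B and
# the simulated server share one VLAN and one subnet.
WS_A, WS_B, SERVER = "10.1.1.10", "10.1.1.20", "10.1.1.30"

@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[str] = None  # "echo" (type 8) or "echo-reply" (type 0)

@dataclass(frozen=True)
class Ace:
    """One entry of an IOS extended access list ('access-list 101 ...')."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every IP protocol
    src: str                         # "any", "host 10.1.1.10" or "10.1.1.0/24"
    dst: str
    dport: Optional[int] = None      # "eq telnet" -> 23, "eq www" -> 80
    icmp_type: Optional[str] = None  # the trailing "echo" on an icmp entry

def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(spec[5:]) == ip_address(addr)
    return ip_address(addr) in ip_network(spec, strict=False)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """Every field the entry specifies must agree with the packet."""
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and _addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)
            and (ace.dport is None or ace.dport == pkt.dport)
            and (ace.icmp_type is None or ace.icmp_type == pkt.icmp_type))

def acl_action(acl: List[Ace], pkt: Packet) -> str:
    """IOS semantics: top-down, first match decides, implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# Step 3 list: deny only ICMP echo from Workstation A to the server.
ACL_101_STEP3 = [
    Ace("deny", "icmp", f"host {WS_A}", f"host {SERVER}", icmp_type="echo"),
    Ace("permit", "ip", "any", "any"),
]

# Step 4 list: deny only Telnet and HTTP from Workstation B to the server.
ACL_101_STEP4 = [
    Ace("deny", "tcp", f"host {WS_B}", f"host {SERVER}", dport=23),
    Ace("deny", "tcp", f"host {WS_B}", f"host {SERVER}", dport=80),
    Ace("permit", "ip", "any", "any"),
]

def vlan_map_action(vlan_map: List[Tuple[List[Ace], str]], pkt: Packet) -> str:
    """VLAN map semantics as the Scenario describes them: ordered (match ACL,
    action) clauses; the first clause whose ACL permits the packet applies its
    action ("forward" or "drop"), whatever port the packet entered on. A packet
    matched by no clause is dropped, the 3550 default once the map has an IP
    match clause (an assumption of this example, not text from the lab)."""
    for acl, action in vlan_map:
        if acl_action(acl, pkt) == "permit":
            return action
    return "drop"

# The Step 4 policy written as an intra-VLAN map instead of a port access list.
VLAN_MAP_INTRA = [
    ([Ace("permit", "tcp", f"host {WS_B}", f"host {SERVER}", dport=23),
      Ace("permit", "tcp", f"host {WS_B}", f"host {SERVER}", dport=80)], "drop"),
    ([Ace("permit", "ip", "any", "any")], "forward"),
]

def lab_results() -> dict:
    """Evaluate the traffic the lab questions ask about against each policy."""
    echo_a = Packet("icmp", WS_A, SERVER, icmp_type="echo")
    reply_a = Packet("icmp", SERVER, WS_A, icmp_type="echo-reply")
    echo_b = Packet("icmp", WS_B, SERVER, icmp_type="echo")
    telnet_b = Packet("tcp", WS_B, SERVER, dport=23)
    http_b = Packet("tcp", WS_B, SERVER, dport=80)
    telnet_a = Packet("tcp", WS_A, SERVER, dport=23)
    return {
        "step3 echo A->server": acl_action(ACL_101_STEP3, echo_a),
        "step3 echo-reply server->A": acl_action(ACL_101_STEP3, reply_a),
        "step3 echo B->server": acl_action(ACL_101_STEP3, echo_b),
        "step4 echo A->server": acl_action(ACL_101_STEP4, echo_a),
        "step4 telnet B->server": acl_action(ACL_101_STEP4, telnet_b),
        "step4 http B->server": acl_action(ACL_101_STEP4, http_b),
        "step4 telnet A->server": acl_action(ACL_101_STEP4, telnet_a),
        "vlan-map telnet B->server": vlan_map_action(VLAN_MAP_INTRA, telnet_b),
        "vlan-map echo B->server": vlan_map_action(VLAN_MAP_INTRA, echo_b),
    }
```

Calling lab_results() returns the verdict for each case. The evaluator decides only whether an entry matches a packet; on the switch, a router or port ACL is consulted only for packets crossing the interface in the direction named in ip access-group, whereas a VLAN map, as the Scenario notes, is not defined by input or output and is checked for every packet entering the VLAN. The Step 3 list illustrates why the trailing echo keyword matters: the echo reply travelling back from the server to Workstation A is permitted, so only the request direction is filtered.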

Intra-VLAN security with Access Control Lists has now been successfully configured. Refer to the Catalyst 3550 Multilayer Switch Software Configuration Guide and the Catalyst 2950 Desktop Switch Software Configuration Guide for more information about configuring network security on the Cisco Catalyst WS-C3550 and WS-C2950 switches.