Quickly improve your VLAN security with VACL’s

VLANS (Virtual Local Area Network) are used to segment traffic on a switched network. This has a range of benefits.

  • Added security for devices on different VLANs as they can’t be discovered (using multicast traffic) they can only be accessed directly if the client knows the destination device’s IP address
  • Isolated broadcast domains each with their own subnet and addressing scheme
  • Control over resources available of particular ports and who connects to them

The negatives are that for any VLAN that is tagged on a port, users can send traffic from the VLAN that they’re assigned to another VLAN if they know the IP address.

Our setup is similar to below, where each physical interface is configured to act as a trunk port. VLAN’s are added to each port. In this scenario traffic from one VLAN can cross to another VLAN allowing any device to access another device on a different VLAN.

Each physical port on the switch is enabled to allow traffic from VLAN 100, 200 and 300 to communicate between VLANS.

Blocking access between VLAN’s

But what if we don’t want one VLAN to access another VLAN? VACLs (Virtual Access Control Lists) are an effective way to control groups. How this is setup and applied is different depending on your switch vendor, however the concept is generally the same.

Example configuration

For this example, we are using a DLink DGS 6600 Chassis-Based switch. 
The command “ip access-list NAME” will create a list, then we can enter some rules.

For this example we have the following:

  • We have VLAN 100 (Admin VLAN) with IP range: 192.168.100.0/24
  • We have VLAN 200 (Desktop VLAN) with IP range: 192.168.200.0/24
  • We have VLAN 300 (Printer VLAN) with IP range: 192.168.300.0/24
  • We want to DENY any traffic going from Desktop VLAN (200) to Server VLAN (100), and allow Printer VLAN (300) traffic to access VLAN Admin (100) and Desktop (200).
  • We want to apply this rule for any traffic going OUT of the VLAN then INBOUND to the interface.

DGS-6600:2>enable

DGS-6600:15#configure terminal

DGS-6600:15(config)#ip access-list deny_vlan

The maximum available of IP access-list is 255

DGS-6600:15(config-ip-acl)#deny 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0

DGS-6600:15(config-ip-acl)#permit 192.168.300.0 255.255.255.0 192.168.100.0 255.255.255.0

DGS-6600:15(config-ip-acl)#permit 192.168.300.0 255.255.255.0 192.168.200.0 255.255.255.0

DGS-6600:15(config-ip-acl)#end

DGS-6600:15#configure terminal

DGS-6600:15(config)#interface eth24

DGS-6600:15(config-if)#ip access-group deny_vlan in

The maximum available entry of IP ACL bind to interface in ingress direction is:

1278

The maximum available port operator (gt/lt) is:16

DGS-6600:15(config-if)#end

It’s important to note that there is a inferred (hidden) deny all rule at the end of the ip-access list. To allow all traffic, add the commend “permit any any” which permits any source to any destination address.

What have we done here?

We have denied the source address range 192.168.200.0/24 from accessing the destination address range 192.168.100.0/24. Then, we have permitted 192.168.300.0/24 to access VLAN 100 and 200 IP ranges.