Monday, January 30, 2017

Implementing VLAN ACLs in a Cisco Systems Switch

How many times have we needed to protect a given host from its neighbors of the same Broadcast Domain (VLAN)? As is widely known this kind of practice is often performed by implementing local Firewalls on Workstation and Servers. For example, Linux has IPTables, Windows since the release XP includes Windows Firewall and Apple OS-X has a Firewall service as well. Also, the requirement can be performed by third party vendors such as Symantec, F-Secure and so on.

The coming example wants to demonstrate how a Cisco Systems Switch is able to perform this goal by implementing VLAN ACLs (VACL). Please keep in mind there is not any routing process involved, even more, the switch has not IP routing enabled.

The given topology has not anything specialized, only three computers connected to a switch. One of those computers runs Linux, other runs Windows and the other one runs OS-X. The Switch is a Cisco Systems Catalyst 3560, which runs IOS c3560-ipservicesk9-mz.122-55.SE11.bin. In addition, the Switch has almost its default configuration, I only added VLAN11 and some more commands, nothing special. The initial configuration is shared below.

Each computer has a static IP address assigned: - - > Windows computers - - > Linux box - - > Apple computer

By the way, the switch has not a IP address assigned, because it is not required.

The Windows computer has Windows Firewall disabled, and the service of File and Printer Sharing (SMB) enabled.

The Linux box is publishing three folders by running python -m SimpleHTTPServer TCP-PORT. The web publishing service is assigning an unique TCP port to each folder, from 10001 to 10003.

The OS-X computer manages the switch through a serial port, sends some pings to Windows ( and the Linux box (, displays the content of each web folder (Text01, Text02...) and connects to the Windows computer through SMB. Everything happens as expected, everything is normal, nothing fancy.

The interesting thing starts once the VACL commands are introduced to the switch. As you can noticed in the video below, the Windows computer continues working normally. That is to say, Windows continues answering PING and sharing folders.

The lab has been focused on the Linux box. So, after introducing the VACLs commands in the switch, the Linux box stopped answering PING, also the administrator has decided to disable the TCP port 10003 to be reachable by the hosts in the same VLAN.

Let's watch a video to get a visual idea, step by step of the described topology.

The commands used by the VLAN ACL are shared below:

In addition to the first example, I would like to share one more example.

The next example consists of only two computers connected to a Cisco Systems switch. The switch has its configuration almost by default, only the switch ports have been modified as access ports. So, everything is running in VLAN1.

Each computer has two IP address statically assigned: and - - > Apple computer and - - > Linux box
As the coming video shows, each computer can PING request and reply without any problem. But, as soon the VACL commands are deployed in the Switch, the normal development changes, and the addresses corresponding to the network are sudenly stopped.

The commands used by the VLAN ACL are shared below:


Deploying VACLs could be considered an important security feature for our networks. Also, in this manner, an administrator can avoid applying features locally in servers and workstations, instead running this features in specialized equipment for saving performance to the host and getting a more granular control.