= Cisco VLAN Access Lists =

**Summary**: This post gives a basic view on how to configure access lists on VLANs on Cisco switches. \\
**Date**: Around 2017 \\
**Refactor**: 20 February 2025: Checked links and formatting. \\
{{tag>cisco}}

This post gives a basic view on how to configure access lists on VLANs on Cisco switches and is created with [[nimnetwork]] in mind, the ports are defined as for this purpose.

= How to create a vlan =
Log into the vlan database switch (core switch) with level 15 access and issue these commands:
<code>
Vlan database
Vlan <vlan#> name <vlanname>
Exit
</code>

= Adding IP Address to The Vlan =
Log into the vlan database switch (core switch) with level 15 access and issue these commands:
<code>
Conf t  (Configuration Terminal)
Interface vlan <vlan#>
Ip address x.x.x.x  x.x.x.x
No shutdown (activates the vlan)
Exit
</code>

== Vlan Check ==
Log into the vlan database switch (core switch) with level 15 access and issue these commands:
<code>
show vlan
</code>
or
<code>
Show ip interface brief
</code>
Also, you can issue
<code>
show run
</code>
Or, when you're configuration levels lower:
<code>
do show run
</code>

= Adding Acces-List To a Vlan =
Log into the vlan database switch (core switch) with level 15 access and issue these commands:
<code>
Conf t  (Configuration Terminal)
Interface vlan <vlan#>
Ip access-group <access-list#> in
Ip access-group <access-list#> out
ip helper-address <ipaddressbootp/dhcpserver>
</code>

**NOTE**
> in
>> This defines access control on packets transmitted from the host. These packets are received into the router interface.
> out
>> This defines access control on packets being sent to the host. These packets are transmitted out of the router interface. The default is out.

= Adding The Access-List to The Switch =
Log into the vlan database switch (core switch) with level 15 access and issue these commands:
<code>
Conf t (Configuration Terminal)
Enter the access-list (from your favorite text editor)
</code>

== Access Lists Check ==

<code>
show access-lists
show access-lists | include Extended
</code>

= Access List Example NIM =
* NIM Server: 10.10.3.7
* NIM Client: 10.11.1.2 (VLAN 29)
* DNS Server: 10.10.10.100

<code>
vlan database
vlan 29 name nimnetworkvlan
exit
conf t
interface vlan 29
ip address 10.11.1.1 255.255.0.0
no shutdown
ip access-group 128 in
ip access-group 129 out
ip helper-address 10.10.3.7
exit
access-list 128 permit icmp any any
access-list 128 permit tcp host 10.11.1.2 host 10.10.10.100 eq 53
access-list 128 permit udp host 10.11.1.2 host 10.10.10.100 eq 53
access-list 128 permit tcp host 10.11.1.2 host 10.10.10.101 eq 53
access-list 128 permit udp host 10.11.1.2 host 10.10.10.101 eq 53
access-list 128 permit udp host 10.11.1.2 host 10.10.3.7
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 1058
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 1059
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 2049
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 3901
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 3902
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 32774
access-list 128 permit tcp any any established
access-list 128 deny ip any any
access-list 129 permit icmp any any
access-list 129 permit udp host 10.10.10.100 host 10.11.1.2
access-list 129 permit udp host 10.10.10.101 host 10.11.1.2
access-list 129 permit ip host 10.1.3.7 host 10.11.1.2
access-list 129 permit tcp any any established
access-list 129 deny ip any any
</code>

=== Access List Block ===
We got these errors so that's why we opened udp:
<code>
list 128 denied udp 10.11.1.2(16799) -> 10.10.3.7(52186), 5 packets
list 128 denied udp 10.11.1.2(24412) -> 10.10.3.7(52187), 5 packets
list 128 denied udp 10.11.1.2(32024) -> 10.10.3.7(52188), 5 packets
list 128 denied tcp 10.11.1.2(32024) -> 10.10.3.7(32774), 5 packets
</code>

=== Logging ===
In order to find what packets are blocked change the deny line like this:
<code>
access-list 128 deny ip any any log
access-list 129 deny ip any any log
</code>
and issue this command on the switch console:
<code>
term mon
</code>

= Remove created VLAN =

<code>
switch#vlan database
% Warning: It is recommended to configure VLAN from config mode,
  as VLAN database mode is being deprecated. Please consult user
  documentation for configuring VTP/VLAN in config mode.

switch(vlan)#
switch(vlan)#no vlan 216
Deleting VLAN 216...
switch(vlan)#exit
APPLY completed.
Exiting....
</code>