VLAN security - ACLs?

Status
Not open for further replies.

molecul3

Technical User
Apr 17, 2003
182
HK
Hi everyone,

I am trying to configure the following..
set up an "unused" VLAN e.g. VLAN 333 and set all inactive ports to access that VLAN. I want to be able to log an event to generate an alert whenever someone plugs into that port and accesses VLAN 333. I have tried:

access-list 112 permit ip any any log

and applied the 112 access-group onto that VLAN 333 but it does not seem to generate any alerts/logs. Is that the way to do it?
 
helpdeskdan is right, portsecurity is a bit more what you're looking for. the access-list you've set up doesn't hit because all the traffic is being switched and not routed (thus never requiring an access-list check).
 
But with port security it only shuts down the port in relation to MAC addresses, or you have a limit to them per port. An ACL is more powerful and, if you are using a layer 3 switch, the vlan interface is similar to a real fast ethernet on a router.

There are other ways to log an acl. Debug with a syslogger is very good as it records the port the packets came in on, almost like a packet sniffer.

Can you post the config of the acl, the vlan and an interface you are using it on? Is Vlan333 the native vlan or is it an L3 vlan? Also, what type of switch and IOS are you using?
 
This is not the only use of port security. I believe one can set a secure mac address and, if any other mac address tries to connect, it will disable the port.

A syslogger is a good idea. One could also just use a syslogger to record informational messages. However, you might have to sift through all the information.

Why would a native vlan not be routed in layer 3?
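
The thread lands on port security with violation shutdown plus syslog as the way to notice someone plugging into a parked port, and the last reply points out that a syslog feed needs sifting. The script below is an added example (not from any poster in this thread) of that sifting step: it picks the two IOS message types that matter here, the %PORT_SECURITY-2-PSECURE_VIOLATION message a secured port raises on an unexpected MAC, and the %SEC-6-IPACCESSLOG* messages an ACL entry with the log keyword emits, out of a syslog stream and turns them into alerts. It assumes the switch is already configured with port security on the VLAN 333 access ports and with a logging host, that the set of parked interfaces is known (QUARANTINE_PORTS is an assumed value), and that the message layouts follow the standard IOS formats; every sample log line is constructed for the example.

```python
"""Flag Cisco IOS syslog events that mean someone used a parked ("unused") port.

Added example, not code from the thread. Assumes the switch sends syslog to a
collector and that the interfaces parked in the quarantine VLAN (333 in the
thread) are known. Message layouts follow IOS's PORT_SECURITY and
SEC-6-IPACCESSLOG* formats; the sample lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# %PORT_SECURITY-2-PSECURE_VIOLATION fires when a port with a secure MAC
# (violation shutdown or restrict) sees a frame from a different MAC.
PSECURE_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on port (?P<port>[A-Za-z]+\d+(?:/\d+)*)"
)

# %SEC-6-IPACCESSLOGP / LOGDP / LOGNP are produced by the "log" keyword on an
# ACL entry such as "access-list 112 permit ip any any log". They appear only
# for traffic the ACL actually evaluates (routed through an SVI), which is why
# frames switched inside the VLAN never show up here.
ACLLOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG[A-Z]+: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[0-9.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[0-9.]+)(?:\s?\([^)]*\))?, (?P<count>\d+) packets?"
)


@dataclass
class Alert:
    kind: str     # "port-security" or "acl-log"
    where: str    # interface name or ACL number
    detail: str   # human-readable summary
    source: str   # offending MAC address or source IP


def parse_line(line: str) -> Optional[Alert]:
    """Return an Alert for a relevant syslog line, or None for anything else."""
    m = PSECURE_RE.search(line)
    if m:
        return Alert("port-security", m["port"],
                     f"unexpected MAC {m['mac']} on secured port", m["mac"])
    m = ACLLOG_RE.search(line)
    if m:
        return Alert("acl-log", m["acl"],
                     f"{m['action']} {m['proto']} {m['src']} -> {m['dst']} "
                     f"({m['count']} pkts)", m["src"])
    return None


def scan(lines: Iterable[str], quarantine_ports: Optional[Set[str]] = None) -> List[Alert]:
    """Collect alerts from a syslog stream.

    If quarantine_ports is given, port-security events are kept only for those
    interfaces (the ones parked in VLAN 333); ACL log events are always kept.
    """
    alerts: List[Alert] = []
    for line in lines:
        alert = parse_line(line)
        if alert is None:
            continue
        if (alert.kind == "port-security" and quarantine_ports is not None
                and alert.where not in quarantine_ports):
            continue
        alerts.append(alert)
    return alerts


# Constructed sample syslog lines (not captured from a real switch).
SAMPLE_LOG = [
    "Apr 17 10:01:02 sw1 1234: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to up",
    "Apr 17 10:01:03 sw1 1235: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/5.",
    "Apr 17 10:01:03 sw1 1236: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/5, putting Fa0/5 in err-disable state",
    "Apr 17 10:05:00 sw1 1237: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.dd01 on port FastEthernet0/7.",
    "Apr 17 10:06:10 sw1 1238: %SEC-6-IPACCESSLOGP: list 112 permitted tcp 10.33.3.20(1035) -> 10.1.1.10(80), 1 packet",
    "Apr 17 10:06:12 sw1 1239: %SEC-6-IPACCESSLOGDP: list 112 permitted icmp 10.33.3.20 -> 10.1.1.10 (8/0), 3 packets",
]

# Assumed set of interfaces parked in the quarantine VLAN.
QUARANTINE_PORTS = {"FastEthernet0/5", "FastEthernet0/6"}

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG, QUARANTINE_PORTS):
        print(f"[{a.kind}] {a.where}: {a.detail}")
```

Run against the sample stream, the filter keeps the violation on FastEthernet0/5 and both ACL log lines and drops the one on FastEthernet0/7, which is not in the parked set; the %PM-4-ERR_DISABLE line is ignored because the preceding violation message already carries the MAC and port. Note that the ACL messages only ever describe packets that were routed, which matches the earlier reply about why the SVI ACL never fired for switched traffic.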
 
thanks for the replies guys,

yes, as helpdeskdan mentioned, i have set a secure mac address and disable the port whenever any machine tries to connect. this works fine and is probably how i was planning on doing it in the first place.

of course, more options and more opinions helps the learning process :)
 