Security Configuration Guide, Cisco DCNM for LAN, Release 6.x
Configuring VLAN ACLs

This chapter describes how to configure VLAN access lists (ACLs) on Cisco NX-OS devices.


Note: The Cisco NX-OS release that is running on a managed device may not support all the features or settings described in this chapter. For the latest feature information and caveats, see the documentation and release notes for your platform and software release.


Information About VLAN ACLs

A VLAN ACL (VACL) is one application of an IP ACL or a MAC ACL. You can configure VACLs to apply to all packets that are routed into or out of a VLAN or are bridged within a VLAN. VACLs are strictly for security packet filtering and for redirecting traffic to specific physical interfaces. VACLs are not defined by direction (ingress or egress).

VLAN Access Maps and Entries

VACLs use access maps to contain an ordered list of one or more map entries. Each map entry associates an IP ACL or a MAC ACL with an action. Each entry has a sequence number, which allows you to control the precedence of entries.

When the device applies a VACL to a packet, it applies the action that is configured in the first access map entry that contains an ACL that permits the packet.

VACLs and Actions

In each VLAN access map entry, you can specify one of the following actions:

Forward

Sends the traffic to the destination determined by the normal operation of the switch.

Redirect

Redirects the traffic to one or more specified interfaces.

Drop

Drops the traffic. If you specify drop as the action, you can also specify that the device logs the dropped packets.

VACL Statistics

The device can maintain global statistics for each rule in a VACL. If a VACL is applied to multiple VLANs, the maintained rule statistics are the sum of packet matches (hits) on all the interfaces on which that VACL is applied.


Note: The device does not support interface-level VACL statistics.


For each VLAN access map that you configure, you can specify whether the device maintains statistics for that VACL. This feature allows you to turn VACL statistics on or off as needed to monitor traffic filtered by a VACL or to help troubleshoot VLAN access-map configuration.
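The two rules above (the first access map entry whose ACL permits the packet decides the action, and rule hit counters are global rather than per VLAN) are easy to misread, so the following Python model walks through them with constructed traffic. It is an added example, not code from the Cisco documentation, DCNM, or NX-OS: the ACL rule format, the packet fields, the policy names (GUEST-POLICY, GUEST-ICMP, ALLOW-ALL) and the behaviour when no entry permits a packet are all assumptions of this example.

```python
"""Model of the VACL evaluation semantics described in this chapter.

Added example, not Cisco DCNM or NX-OS code. It shows two points from the
text: the first access-map entry whose ACL *permits* a packet decides the
action (an ACL deny only moves evaluation to the next entry), and per-entry
hit counters are global, so one map applied to several VLANs accumulates a
single combined count per entry. The ACL rule format, the packet fields and
the no-match fallback are simplifying assumptions of this example.
"""
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"


@dataclass
class Rule:
    """One line of a simplified IPv4 ACL: permit/deny <proto> <src> <dst>."""
    permit: bool
    proto: str   # "ip" matches any protocol; otherwise "tcp", "udp" or "icmp"
    src: str     # source prefix in CIDR form
    dst: str     # destination prefix in CIDR form

    def matches(self, pkt: dict) -> bool:
        return (self.proto in ("ip", pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst))


@dataclass
class IpAcl:
    name: str
    rules: list

    def permits(self, pkt: dict) -> bool:
        """First matching rule wins; no match is an implicit deny."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.permit
        return False


@dataclass
class MapEntry:
    seq: int           # sequence number; lower numbers are evaluated first
    acl: IpAcl
    action: str        # "forward", "drop" or "redirect"
    log: bool = False  # logging of dropped packets is only offered with "drop"


@dataclass
class Vacl:
    name: str
    entries: list
    hits: Counter = field(default_factory=Counter)  # entry seq -> packets matched

    def apply(self, pkt: dict, no_match_action: str = "drop") -> str:
        """Return the action of the first entry whose ACL permits the packet.

        ASSUMPTION: the chapter does not say what happens when no entry
        permits the packet, so that fallback is a parameter here.
        """
        for entry in sorted(self.entries, key=lambda e: e.seq):
            if entry.acl.permits(pkt):
                self.hits[entry.seq] += 1  # counted per entry, not per VLAN
                return entry.action
        return no_match_action


def build_guest_vacl() -> Vacl:
    """Constructed policy: drop (and log) ICMP from the guest range, forward the rest."""
    guest_icmp = IpAcl("GUEST-ICMP", [Rule(True, "icmp", "10.50.0.0/16", ANY)])
    allow_all = IpAcl("ALLOW-ALL", [Rule(True, "ip", ANY, ANY)])
    return Vacl("GUEST-POLICY", [
        MapEntry(10, guest_icmp, "drop", log=True),
        MapEntry(20, allow_all, "forward"),
    ])


def run_demo():
    """Apply one VACL to constructed traffic from two VLANs; return actions and hit counts."""
    vacl = build_guest_vacl()
    traffic = [  # (VLAN, packet); the same map is applied to VLAN 10 and VLAN 20
        (10, {"proto": "icmp", "src": "10.50.1.7", "dst": "10.0.0.1"}),
        (10, {"proto": "tcp", "src": "10.50.1.7", "dst": "10.0.0.1"}),
        (20, {"proto": "icmp", "src": "10.50.2.9", "dst": "10.0.0.1"}),
    ]
    actions = [vacl.apply(pkt) for _vlan, pkt in traffic]
    return actions, dict(vacl.hits)


if __name__ == "__main__":
    actions, hits = run_demo()
    print(actions)  # ['drop', 'forward', 'drop']
    print(hits)     # {10: 2, 20: 1}: entry 10 hits from both VLANs are summed
```

The second packet is the instructive one: GUEST-ICMP does not permit TCP, so entry 10 is skipped and entry 20 decides, even though entry 10 comes first. The hit counter for entry 10 reaches 2 because the ICMP packets from VLAN 10 and VLAN 20 are summed, which is what the statistics section means by global rather than interface-level counters.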

Licensing Requirements for VACLs

This table shows the licensing requirements for this feature.

Product: Cisco DCNM
License Requirement: VACLs require no license. Any feature not included in a license package is bundled with the Cisco DCNM and is provided at no charge to you. For an explanation of the Cisco DCNM licensing scheme, see the Cisco DCNM Installation and Licensing Guide, Release 5.x.

Product: Cisco NX-OS
License Requirement: VACLs require no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme for your platform, see the licensing guide for your platform.

Platform Support for VACLs

The following platforms support this feature but may implement it differently. For platform-specific information, including guidelines and limitations, system defaults, and configuration limits, see the corresponding documentation.

Platform                            Documentation
Cisco Nexus 1000V Series Switches   Cisco Nexus 1000V Series Switches Documentation
Cisco Nexus 3000 Series Switches    Cisco Nexus 3000 Series Switches Documentation
Cisco Nexus 4000 Series Switches    Cisco Nexus 4000 Series Switches Documentation
Cisco Nexus 5000 Series Switches    Cisco Nexus 5000 Series Switches Documentation
Cisco Nexus 7000 Series Switches    Cisco Nexus 7000 Series Switches Documentation

Configuring VACLs

Adding a VACL

You can create a VACL. Creating a VACL includes creating at least one VLAN access map entry that associates an IP or MAC ACL with an action to be applied to the matching traffic.

Procedure
    Step 1   From the Feature Selector pane, choose Security > Access Control > VLAN ACL.

    The Summary pane displays available devices.

    Step 2   From the Summary pane, double-click the device to which you want to add a VACL.
    Step 3   From the menu bar, choose File > New > VLAN Access Map.

    Below the device that you selected, a new row appears in the Summary pane.

    Step 4   In the new row, enter a name for the VACL.

    The VACL remains selected in the Summary pane.

    Step 5   For each VLAN access map entry that you want to create, follow these steps:
    1. From the menu bar, choose File > New > VLAN Access Map Entry.

      Below the VACL, a new row appears in the Summary pane.

    2. From the Details pane, click the Details tab and expand the Match Condition And Action section, if necessary.
    3. From the Match ACL Type drop-down list, select the type of ACL that you want to use in the VACL. You can choose IPv4 ACL, IPv6 ACL, or MAC ACL.

      The ACLs drop-down list contains ACLs that are the type you selected and that exist on the currently selected device.

    4. From the ACLs drop-down list, select the ACL that you want to use.
    5. From the Action drop-down list, select the action that the device should take on traffic matching the VACL.
    Step 6   From the menu bar, choose File > Save to apply your changes to the device.

Changing a VACL

You can change a VACL.

Procedure
    Step 1   From the Feature Selector pane, choose Security > Access Control > VLAN ACL.

    The Summary pane displays available devices.

    Step 2   From the Summary pane, double-click the device that contains the VACL that you want to change and then click the VACL.
    Step 3   (Optional) To add a VLAN access map entry, from the menu bar, choose File > New > VLAN Access Map Entry.

    Below the VACL, the new VLAN access map entry appears in the Summary pane.

    Step 4   (Optional) To change a new or existing VLAN access map entry, follow these steps:
    1. Click the VLAN access map entry that you want to change.
    2. From the Details pane, click the Details tab and expand the Match Condition And Action section, if necessary.
    3. From the Match ACL Type drop-down list, select the type of ACL that you want to use in the VACL. You can choose IPv4 ACL, IPv6 ACL, or MAC ACL.

      The ACLs drop-down list contains ACLs that are the type you selected and that exist on the currently selected device.

    4. From the ACLs drop-down list, select the ACL that you want to use.
    5. From the Action drop-down list, select the action that the device should take upon traffic matching the VACL.
    Step 5   (Optional) If you want to move a VLAN access map entry to a different position in the VACL, click the entry in the Summary pane and then from the menu bar, choose one of the following, as applicable:
    • Actions > Move Up
    • Actions > Move Down

    The entry swaps places and sequence numbers with the entry above it or below it, as you chose.

    Step 6   To remove a VLAN access map entry, click the VLAN access map entry and then choose Actions > Delete.
    Step 7   From the menu bar, choose File > Deploy to apply your changes to the device.

Removing a VACL or VLAN Access-Map Entry

You can remove a VACL, which means that you will delete the VLAN access map.

You can also remove a single VLAN access-map entry from a VACL.

Before You Begin

Ensure that you know whether the VACL is applied to a VLAN. The device allows you to remove VACLs that are currently applied. Removing a VACL does not affect the configuration of VLANs where you have applied the VACL. Instead, the device considers the removed VACL to be empty.

Procedure
    Step 1   From the Feature Selector pane, choose Security > Access Control > VLAN ACL.

    Available devices appear in the Summary pane.

    Step 2   From the Summary pane, double-click the device from which you want to remove a VACL.

    The VACLs on the device appear in the Summary pane.

    Step 3   (Optional) If you want to delete a VACL, follow these steps:
    1. Click the VACL that you want to remove.
    2. From the menu bar, choose Actions > Delete.

      The VACL disappears from the Summary pane.

    Step 4   (Optional) If you want to delete a VLAN access map entry, follow these steps:
    1. Double-click the VACL that contains the entry that you want to delete.

      The VLAN access-map entries appear below the VACL.

    2. Click the VLAN access map entry that you want to delete.
    3. From the menu bar, choose Actions > Delete.

      The VLAN access map entry disappears from the Summary pane.

    Step 5   (Optional) From the menu bar, choose File > Deploy to apply your changes to the device.

Applying a VACL to a VLAN

You can apply a VACL to a VLAN.

Before You Begin

If you are applying a VACL, ensure that the VACL exists and is configured to filter traffic in the manner that you need for this application.

Procedure
    Step 1   From the Feature Selector pane, choose Switching > VLAN.

    Available devices appear in the Summary pane.

    Step 2   From the Summary pane, double-click the applicable device.

    VLANs on the device that you double-clicked appear in the Summary pane.

    Step 3   Click the VLAN to which you want to apply a VACL.
    Step 4   From the Details pane, click the VLAN Details tab and expand the Advanced Settings section, if necessary.

    The VACL drop-down list appears in the Advanced Settings section.

    Step 5   From the VACL drop-down list, choose the VACL that you want to apply.
    Step 6   (Optional) From the menu bar, choose File > Save to apply your changes to the device.
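What the Adding, Removing and Applying procedures above push to the switch is ordinary NX-OS configuration: vlan access-map stanzas with match and action lines, and vlan filter commands that bind a map to a VLAN list. The "Before You Begin" note for removal points at a state worth auditing: a VLAN can keep a vlan filter that names a map which no longer has any entries, and the device then treats that VACL as empty. The following Python script is an added example, not Cisco code: it parses a constructed running-config excerpt (the command syntax is reproduced from memory and should be checked against the command reference for your platform), lists which map is bound to each VLAN, and flags bindings to maps with no entries and entries that name an ACL that is not defined.

```python
"""Audit VACL bindings in an NX-OS-style running-config excerpt.

Added example, not Cisco DCNM or NX-OS code. The config text below is
constructed for this example; the vlan access-map / match / action /
vlan filter syntax is an assumption to verify against your platform's
command reference.
"""
import re

SAMPLE_CONFIG = """\
ip access-list GUEST-ICMP
  10 permit icmp 10.50.0.0/16 any
ip access-list ALLOW-ALL
  10 permit ip any any
vlan access-map GUEST-POLICY 10
  match ip address GUEST-ICMP
  action drop log
vlan access-map GUEST-POLICY 20
  match ip address ALLOW-ALL
  action forward
vlan access-map LAB-POLICY 10
  match ip address LAB-ONLY
  action forward
vlan filter GUEST-POLICY vlan-list 10,20-22
vlan filter OLD-POLICY vlan-list 30
vlan filter LAB-POLICY vlan-list 40
"""


def expand_vlan_list(spec: str) -> list:
    """'10,20-22' -> [10, 20, 21, 22]."""
    vlans = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.extend(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(text: str) -> dict:
    """Collect defined ACL names, access-map entries and VLAN-to-map bindings."""
    acls, maps, filters = set(), {}, {}
    current = None  # (map name, seq) of the access-map stanza being read
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"(?:ip|ipv6|mac) access-list (\S+)$", line):
            acls.add(m.group(1))
            current = None
        elif m := re.match(r"vlan access-map (\S+) (\d+)$", line):
            current = (m.group(1), int(m.group(2)))
            maps.setdefault(current[0], {})[current[1]] = {"acl": None, "action": None}
        elif m := re.match(r"match (?:ip|ipv6|mac) address (\S+)$", line):
            if current:
                maps[current[0]][current[1]]["acl"] = m.group(1)
        elif m := re.match(r"action (forward|drop|redirect)\b", line):
            if current:
                maps[current[0]][current[1]]["action"] = m.group(1)
        elif m := re.match(r"vlan filter (\S+) vlan-list (\S+)$", line):
            for vlan in expand_vlan_list(m.group(2)):
                filters[vlan] = m.group(1)
    return {"acls": acls, "maps": maps, "filters": filters}


def audit(text: str) -> dict:
    """Report empty-map bindings and entries whose ACL does not exist."""
    cfg = parse_config(text)
    empty = {}        # map name -> VLANs bound to a map that has no entries
    missing_acl = []  # (map, seq, acl) for entries naming an undefined ACL
    for vlan, name in sorted(cfg["filters"].items()):
        if name not in cfg["maps"]:
            empty.setdefault(name, []).append(vlan)
    for name, entries in cfg["maps"].items():
        for seq, entry in sorted(entries.items()):
            if entry["acl"] not in cfg["acls"]:
                missing_acl.append((name, seq, entry["acl"]))
    return {"empty_map_bindings": empty, "missing_acls": missing_acl,
            "bindings": cfg["filters"]}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for vlan, name in sorted(report["bindings"].items()):
        print(f"VLAN {vlan}: {name}")
    print("bound to empty map:", report["empty_map_bindings"])   # {'OLD-POLICY': [30]}
    print("entries with undefined ACL:", report["missing_acls"])  # [('LAB-POLICY', 10, 'LAB-ONLY')]
```

Running the script against a real running-config lets you answer the "Before You Begin" question before deleting a map in DCNM: VLAN 30 in the sample is still bound to OLD-POLICY, which has no entries left, so traffic there is governed by an empty VACL rather than by the policy the operator may believe is in place.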

Field Descriptions for VACLs

VLAN Access Map Entry: Details Tab

Table 1 VLAN Access Map Entry: Details Tab

Field              Description
Sequence Number    Display only. Sequence number assigned to the rule.

VLAN Access Map Entry: Details: Match Condition And Action Section

Table 2 VLAN Access Map Entry: Details: Match Condition And Action Section

Match ACL Type
    Type of ACL that the VLAN access map entry uses to filter traffic. Valid values are as follows:
    • IPv4 ACL—This is the default value.
    • IPv6 ACL
    • MAC ACL

ACLs
    Name of the ACL that the VLAN access map uses to filter traffic. By default, this list is blank.

Action
    Action taken by the device when a packet is permitted by the VLAN access map entry. Valid values are as follows:
    • Drop—Stop processing the packet and drop it.
    • Forward—Continue processing the packet without modifying the destination. This is the default value.
    • Redirect—Continue processing the packet but send it to the interfaces that you choose from the Redirect Interfaces drop-down list.

Log this entry
    Whether the device logs packets permitted by the VLAN access map entry. This check box appears only when you choose Drop from the Action drop-down list. By default, this check box is unchecked.

Redirect Interfaces
    Interfaces to which the device forwards packets permitted by the VLAN access map entry. This list appears only when you choose Redirect from the Action drop-down list. By default, this list is blank.

Additional References for VACLs

Standards

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

Feature History for VLAN ACLs

This table lists the release history for this feature.

Table 3 Feature History for VLAN ACLs

Feature Name        Releases   Feature Information
VLAN ACLs           5.2(1)     Added support for the Cisco Nexus 3000 Series Switches.
VLAN ACLs           5.1(1)     No change from Release 5.0.
VLAN ACLs           5.0(2)     No change from Release 4.2.
VLAN access maps    4.2(1)     No change from Release 4.1.