Configuring VLAN ACLs

This chapter describes how to configure VLAN access lists (ACLs) on Cisco NX-OS devices.

This chapter includes the following sections:

VLAN ACLs

A VLAN ACL is a network security rule set that

  • applies to all packets that are routed into, out of, or bridged within a VLAN,

  • filters or redirects traffic within the VLAN for security purposes, and

  • directionless and does not distinguish between ingress and egress.

VLAN access maps and entries

VACLs use access maps to contain an ordered list of map entries. Each map entry associates an IP or MAC ACL with an action. Each entry has a sequence number. The sequence number determines the precedence of entries.

When the device applies a VACL to a packet, it uses the action configured in the first access map entry with an ACL that permits the packet.

Actions in VACLs

In access map configuration mode, you use the action command to specify one of the following actions:

  • Forward: sends the traffic to the destination determined by the normal operation of the device.

  • Redirect: redirects the traffic to one or more specified interfaces.

  • Drop: drops the traffic. If you specify drop as the action, you can also specify that the device logs the dropped packets.

VACL statistics

You can view global statistics for each rule in a VACL. When you apply a VACL to multiple VLANs, the rule statistics show the sum of packet matches (hits) on all interfaces where you applied the VACL.


Note

You cannot view VACL statistics at the interface level.

For each VLAN access map you configure, you decide whether to keep statistics for that VACL. Turn VACL statistics on or off to monitor filtered traffic or troubleshoot VLAN access map configuration.

VACLs in Session Manager

A Session manager VACL is a configuration feature that

  • allows you to verify ACL configurations prior to applying them,

  • ensures required resources are available before committing changes, and

  • helps prevent errors in running configurations.

For more information about Session Manager, see Cisco Nexus 9000 Series NX-OS System Management Configuration Guide .

Prerequisite requirements for VACLs

Learn about the prerequisites you need to configure VACLs on your network devices. Make sure the IP access control list (ACL) or MAC ACL you use for a VACL exists. Configure it to filter traffic according to your specified criteria.

Guidelines and Limitations for VACLs

VACLs have the following configuration guidelines:

  • Cisco recommends using the Session Manager to configure ACLs. This feature allows you to verify the ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration. For more information about Session Manager, see the Cisco Nexus 9000 Series NX-OS System Management Configuration Guide.

  • If you try to apply too many ACL entries, the configuration might be rejected.

  • VACL redirects to SPAN destination ports are not supported.

  • VACL logging is not supported.

  • TCAM resources are not shared when a VACL is applied to multiple VLANs.

  • Cisco Nexus 9200 and 9300-EX Series switches support the VACL redirect option. The redirect is permitted to one physical or port-channel interface.

  • VACLs are not supported on Cisco Nexus 9500 Series switches with N9K-X9636C-R, N9K-X9636C-RX, and N9K-X9636Q-R line cards.

  • Deny statements are not supported on VACLs. Alternatively, you can use permit statements with the action 'drop' to achieve a similar outcome.

  • When configuring a VACL with the "redirect" option, the interface that you define as the redirect interface, must be configured as a member of the VLAN which you apply this VACL to. This VLAN must also be in the forwarding state on this interface for the redirection to work. If these conditions are not met, then the switch will drop the packets which are matched by the VACL.

  • To clear VACL counters, you must ensure that you have active VLAN filters configured.

  • Beginning with Cisco NX-OS Release 10.1(2), VACL is supported on the N9K-X9624D-R2 and N9K-C9508-FM-R2 platform switches.

The following guidelines apply to VACLs for VXLANs:

  • VACLs applied on a VXLAN VLAN in the access to network direction (Layer 2 to Layer 3 encapsulation path) are supported on the inner payload.

  • We recommend using VACLs on the access side to filter out traffic entering the overlay network.

  • Egress VACLs for decapsulated VXLAN traffic are not supported.

Default Settings for VACLs

This table lists the default settings for VACL parameters.

Table 1. Default VACL Parameters

Parameters

Default

VACLs

No IP ACLs exist by default

ACL rules

Implicit rules apply to all ACLs

Configuring VACLs

Creating a VACL or Adding a VACL Entry

You can create a VACL or add entries to an existing VACL. In both cases, you create a VACL entry, which is a VLAN access-map entry that associates one or more ACLs with an action to be applied to the matching traffic.

Before you begin

Ensure that the ACLs that you want to use in the VACL exist and are configured to filter traffic in the manner that you need for this application.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

vlan access-map map-name [sequence-number]

Example:

switch(config)# vlan access-map acl-mac-map
switch(config-access-map)#

Enters VLAN access-map configuration mode for the VLAN access map specified. If the VLAN access map does not exist, the device creates it.

If you do not specify a sequence number, the device creates a new entry whose sequence number is 10 greater than the last sequence number in the access map.

Step 3

Enter one of the following commands:

  • match {ip | ipv6} address ip-access-list
  • match mac address mac-access-list

Example:

switch(config-access-map)# match mac address acl-ip-lab

Example:

switch(config-access-map)# match mac address acl-mac-01

Specifies an ACL for the access-map entry.

Step 4

action {drop | forward | redirect}

Example:

switch(config-access-map)# action forward

Example:

switch(config-access-map)# vlan access-map vacl1
switch(config-access-map)# action redirect e1/1
switch(config-access-map)# action redirect po100

Specifies the action that the device applies to traffic that matches the ACL.

The action command supports the drop, forward, and redirect options.

Step 5

(Optional) [no] statistics per-entry

Example:

switch(config-access-map)# statistics per-entry
 (Optional)

Specifies that the device maintains global statistics for packets that match the rules in the VACL.

The no option stops the device from maintaining global statistics for the VACL.

Step 6

(Optional) show running-config aclmgr

Example:

switch(config-access-map)# show running-config aclmgr
 (Optional)

Displays the ACL configuration.

Step 7

(Optional) copy running-config startup-config

Example:

switch(config-access-map)# copy running-config startup-config
 (Optional)

Copies the running configuration to the startup configuration.

Removing a VACL or a VACL Entry

You can remove a VACL, which means that you will delete the VLAN access map.

You can also remove a single VLAN access-map entry from a VACL.

Before you begin

Ensure that you know whether the VACL is applied to a VLAN. The device allows you to remove VACLs that are currently applied. Removing a VACL does not affect the configuration of VLANs where you have applied the VACL. Instead, the device considers the removed VACL to be empty.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

no vlan access-map map-name [sequence-number]

Example:

switch(config)# no vlan access-map acl-mac-map 10

Removes the VLAN access map configuration for the specified access map. If you specify the sequence-number argument and the VACL contains more than one entry, the command removes only the entry specified.

Step 3

(Optional) show running-config aclmgr

Example:

switch(config)# show running-config aclmgr
 (Optional)

Displays the ACL configuration.

Step 4

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config
 (Optional)

Copies the running configuration to the startup configuration.

Applying a VACL to a VLAN

You can apply a VACL to a VLAN.

Before you begin

If you are applying a VACL, ensure that the VACL exists and is configured to filter traffic in the manner that you need for this application.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

[no] vlan filter map-name vlan-list list

Example:

switch(config)# vlan filter acl-mac-map vlan-list 1-20,26-30
switch(config)#

Applies the VACL to the VLANs by the list that you specified. The no option unapplies the VACL.

Step 3

(Optional) show running-config aclmgr

Example:

switch(config)# show running-config aclmgr
 (Optional)

Displays the ACL configuration.

Step 4

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config
 (Optional)

Copies the running configuration to the startup configuration.

Verifying the VACL Configuration

To display VACL configuration information, perform one of the following tasks:

Command

Purpose

show running-config aclmgr [all]

Displays the ACL configuration, including the VACL-related configuration.

Note

 
This command displays the user-configured ACLs in the running configuration. The all option displays both the default (CoPP-configured) and user-configured ACLs in the running configuration.

show startup-config aclmgr [all]

Displays the ACL startup configuration.

Note

 
This command displays the user-configured ACLs in the startup configuration. The all option displays both the default (CoPP-configured) and user-configured ACLs in the startup configuration.

show vlan filter

Displays information about VACLs that are applied to a VLAN.

show vlan access-map

Displays information about VLAN access maps.

Monitoring and Clearing VACL Statistics

To monitor or clear VACL statistics, use one of the commands in this table.

Command

Purpose

show vlan access-list

Displays the VACL configuration. If the VLAN access-map includes the statistics per-entry command, the show vlan access-list command output includes the number of packets that have matched each rule.

clear vlan access-list counters

Clears statistics for VACLs.

Configuration Example for VACLs

The following example shows how to configure a VACL to forward traffic permitted by a MAC ACL named acl-mac-01 and how to apply the VACL to VLANs 50 through 82: 

conf t 
vlan access-map acl-mac-map
  match mac address acl-mac-01
  action forward 
vlan filter acl-mac-map vlan-list 50-82

Additional References for VACLs

Related Documents

Related Topic

Document Title

QoS configuration

Cisco Nexus 9000 Series NX-OS Quality of Service Configuration Guide