Configuring VLAN ACLs

This chapter describes how to configure VLAN ACLs (VACLs) on Cisco 7600 series routers.


Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco 7600 Series Routers Command References at this URL:

http://www.cisco.com/en/US/products/hw/routers/ps368/prod_command_reference_list.html


 

This chapter consists of these sections:

Understanding VACLs

These sections describe VACLs:

VACL Overview

VACLs can provide access control for all packet s that are bridged within a VLAN or that are routed into or out of a VLAN or a WAN interface for VACL capture. Unlike regular Cisco IOS standard or extended ACLs that are configured on router interfaces only and are applied on routed packets only, VACLs apply to all packets and can be applied to any VLAN or WAN interface. VACLS are processed in hardware. VACLs use Cisco IOS ACLs. VACLs ignore any Cisco IOS ACL fields that are not supported in hardware.

You can configure VACLs for IP, IPX, and MAC-Layer traffic. VACLs applied to WAN interfaces support only IP traffic for VACL capture.

When you configure a VACL and apply it to a VLAN, all packets entering the VLAN are checked against this VACL. If you apply a VACL to the VLAN and an ACL to a routed interface in the VLAN, a packet coming in to the VLAN is first checked against the VACL and, if permitted, is then checked against the input ACL before it is handled by the routed interface. When the packet is routed to another VLAN, it is first checked against the output ACL applied to the routed interface and, if permitted, the VACL configured for the destination VLAN is applied. If a VACL is configured for a packet type and a packet of that type does not match the VACL, the default action is deny.


Note TCP Intercepts and Reflexive ACLs take precedence over a VACL action if these are configured on the same interface.

  • VACLs and CBAC cannot be configured on the same interface.
  • IGMP packets are not checked against VACLs.


 

Bridged Packets

Figure 38-1 shows a VACL applied on bridged packets.

Figure 38-1 Applying VACLs on Bridged Packets

 

Routed Packets

Figure 38-2 shows how ACLs are applied on routed and Layer 3-switched packets. For routed or Layer 3-switched packets, the ACLs are applied in the following order:

1. VACL for input VLAN

2. Input Cisco IOS ACL

3. Output Cisco IOS ACL

4. VACL for output VLAN

Figure 38-2 Applying VACLs on Routed Packets

 

Multicast Packets

Figure 38-3 shows how ACLs are applied on packets that need multicast expansion. For packets that need multicast expansion, the ACLs are applied in the following order:

1. Packets that need multicast expansion:

a. VACL for input VLAN

b. Input Cisco IOS ACL

2. Packets after multicast expansion:

a. Output Cisco IOS ACL

b. VACL for output VLAN

3. Packets originating from router—VACL for output VLAN

Figure 38-3 Applying VACLs on Multicast Packets

 

Configuring VACLs

These sections describe how to configure VACLs:

VACL Configuration Overview

VACLs use standard and extended Cisco IOS IP and IPX ACLs, and MAC Layer-named ACLs (see the “Configuring MAC ACLs” section) and VLAN access maps.

VLAN access maps can be app

ed to VLANs or to WAN interfaces for VACL capture. VACLs attached to WAN interfaces support only standard and extended Cisco IOS IP ACLs.

Each VLAN access map can consist of one or more map sequences, each sequence with a match clause and an action clause. The match clause specifies IP, IPX, IPv6 or MAC ACLs for traffic filtering and the action clause specifies the action to be taken when a match occurs. When a flow matches a permit ACL entry, the associated action is taken and the flow is not checked against the remaining sequences. When a flow matches a deny ACL entry, it will be checked against the next ACL in the same sequence or the next sequence. If a flow does not match any ACL entry and at least one ACL is configured for that packet type, the packet is denied.

To use access control for both bridged and routed traffic, you can use VACLs alone or a combination of VACLs and ACLs. You can define ACLs on the VLAN interfaces to use access control for both the input and output routed traffic. You can define a VACL to use access control for the bridged traffic.

The following caveats apply to ACLs when used with VACLs:

  • Packets that require logging on the outbound ACLs are not logged if they are denied by a VACL.
  • VACLs are applied on packets before NAT translation. If the translated flow is not subject to access control, the flow might be subject to access control after the translation because of the VACL configuration.

The action clause in a VACL can be forward, drop, capture, or redirect. Traffic can also be logged. VACLs applied to WAN interfaces do not support the redirect or log actions.


Note VACLs have an implicit deny at the end of the map; a packet is denied if it does not match any ACL entry, and at least one ACL is configured for the packet type.

  • If an empty or undefined ACL is specified in a VACL, any packets will match the ACL and the associated action is taken.

Note All the IP address related restrictions such as address compression that apply to RACL and PACL also apply to VACL.

  • While configuring the VACL, the LOG attribute from the ACE is always ignored.

Defining a VLAN Access Map

To define a VLAN access map, perform this task:

 

Command
Purpose

Router(config)# vlan access-map map_name [ 0-65535 ]

Defines the VLAN access map. Optionally, you can specify the VLAN access map sequence number.

Router(config)# no vlan access-map map_name 0-65535

Deletes a map sequence from the VLAN access map.

Router(config)# no vlan access-map map_name

Deletes the VLAN access map.

When defining a VLAN access map, note the following information:

  • To insert or modify an entry, specify the map sequence number.
  • If you do not specify the map sequence number, a number is automatically assigned.
  • You can specify only one match clause and one action clause per map sequence.
  • Use the no keyword with a sequence number to remove a map sequence.
  • Use the no keyword without a sequence number to remove the map.

Note While defining the VLAN access-map, you should use only single word as the access- map name and white spaces are not allowed in the access-map name. For example, you can use map_name to name the access-map, but you should not use multiple words such as map name. Effective from Cisco IOS release 12.2(33)SRE8, the length of the VLAN access-map name should not exceed 25 characters.


See the “VLAN Access Map Configuration and Verification Examples” section.

Configuring a Match Clause in a VLAN Access Map Sequence

To configure a match clause in a VLAN access map sequence, perform this task:

 

Command
Purpose

Router(config-access-map)# match { ip address { 1-199 | 1300-2699 | acl_name } | ipx address { 800-999 | acl_name }| mac address acl_name | ipv6}

Configures the match clause in a VLAN access map sequence.

Router(config-access-map)# no match { ip address { 1-199 | 1300-2699 | acl_name } | ipx address { 800-999 | acl_name }| mac address acl_name | ipv6 address acl_name}

Deletes the match clause in a VLAN access map sequence.

When configuring a match clause in a VLAN access map sequence, note the following information:

  • You can select one or more ACLs.
  • VACLs attached to WAN interfaces support only standard and extended Cisco IOS IP ACLs.
  • Use the no keyword to remove a match clause or specified ACLs in the clause.
  • For information about named MAC-Layer ACLs, refer to the “Configuring MAC ACLs” section.
  • For information about Cisco IOS ACLs, refer to the Cisco IOS Security Configuration Guide, Release 12.2, “Traffic Filtering and Firewalls,” at this URL:

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfacls.html

See the “VLAN Access Map Configuration and Verification Examples” section.

Sample Configuration for Match Clause

The following example shows the configuration of an IPV6 based match.

Router(config)#vlan access-map new
Router(config-access-map)#match ipv6 address <acl_name>
Router(config-access-map)#action
Router(config-access-map)#action drop
Router(config-access-map)#end

Configuring an Action Clause in a VLAN Access Map Sequence

To configure an action clause in a VLAN access map sequence, perform this task:

 

Command
Purpose

Router(config-access-map)# action { drop [ log ]} | { forward [ capture ]} | { redirect {{ethernet | fastethernet | gigabitethernet | tengigabitethernet} slot/port} | {port-channel channel_id}}

Configures the action clause in a VLAN access map sequence.

Router(config-access-map)# no action { drop [ log ]} | { forward [ capture ]} | { redirect {{ethernet | fastethernet | gigabitethernet | tengigabitethernet} slot/port} | {port-channel channel_id}}

Deletes the action clause in from the VLAN access map sequence.

When configuring an action clause in a VLAN access map sequence, note the following information:

  • You can set the action to drop, forward, forward capture, or redirect packets.
  • VACLs applied to WAN interfaces support only the forward capture action. VACLs applied to WAN interfaces do not support the drop, forward, or redirect actions.
  • Forwarded packets are still subject to any configured Cisco IOS security ACLs.
  • The capture action sets the capture bit for the forwarded packets so that ports with the capture function enabled can receive the packets. Only forwarded packets can be captured. For more information about the capture action, see the “Configuring a Capture Port” section.
  • VACLs applied to WAN interfaces do not support the log action.
  • When the log action is specified, dropped packets are logged in software. Only dropped IP packets can be logged.
  • The redirect action allows you to specify up to five interfaces, which can be physical interfaces or EtherChannels. You cannot specify packets to be redirected to an EtherChannel member or a VLAN interface.
  • The redirect interface must be in the VLAN for which the VACL access map is configured.
  • With a PFC3, if a VACL is redirecting traffic to an egress SPAN source port, SPAN does not copy the VACL-redirected traffic.
  • SPAN and RSPAN destination ports transmit VACL-redirected traffic.
  • Use the no keyword to remove an action clause or specified redirect interfaces.

See the “VLAN Access Map Configuration and Verification Examples” section.

Applying a VLAN Access Map

To apply a VLAN access map, perform this task:

 

Command
Purpose

Router(config)# vlan filter map_name { vlan-list vlan_list | interface type 1 number 2 }

Applies the VLAN access map to the specified VLANs or WAN interfaces.

Router(config)# no vlan filter map_name [ vlan-list vlan_list | interface type 1 number 2 ]

Removes the VLAN access map from the specified VLANs or WAN interfaces.

1.type = pos, atm, or serial

2.number = slot/port or slot/port_adapter/port; can include a subinterface or channel group descriptor

When applying a VLAN access map, note the following information:

  • You can apply the VLAN access map to one or more VLANs or WAN interfaces.
  • The vlan_list parameter can be a single VLAN ID or a comma-separated list of VLAN IDs or VLAN ID ranges ( vlan_ID vlan_ID).
  • If you delete a WAN interface that has a VACL applied, the VACL configuration on the interface is also removed.
  • You can apply only one VLAN access map to each VLAN or WAN interface.
  • VACLs applied to VLANs are active only for VLANs with a Layer 3 VLAN interface configured. Applying a VLAN access map to a VLAN without a Layer 3 VLAN interface creates an administratively down Layer 3 VLAN interface to support the VLAN access map.
  • VACLs applied to VLANs are inactive if the Layer 2 VLAN does not exist or is not operational.
  • You cannot apply a VACL to a secondary private VLAN. VACLs applied to primary private VLANs also apply to secondary private VLANs.
  • Use the no keyword to clear VLAN access maps from VLANs or WAN interfaces.

See the “VLAN Access Map Configuration and Verification Examples” section.

Verifying VLAN Access Map Configuration

To verify VLAN access map configuration, perform this task:

 

Command
Purpose

Router# show vlan access-map [ map_name ]

Verifies VLAN access map configuration by displaying the content of a VLAN access map.

Router# show vlan filter [ access-map map_name | vlan vlan_id | interface type 3 number 4 ]

Verifies VLAN access map configuration by displaying the mappings between VACLs and VLANs.

3.type = pos, atm, or serial

4.number = slot/port or slot/port_adapter/port; can include a subinterface or channel group descriptor

VLAN Access Map Configuration and Verification Examples

Assume IP-named ACL net_10 and any_host are defined as follows:

Router# show ip access-lists net_10
Extended IP access list net_10
permit ip 10.0.0.0 0.255.255.255 any
 
Router# show ip access-lists any_host
Standard IP access list any_host
permit any
 

This example shows how to define and apply a VLAN access map to forward IP packets. In this example, IP traffic matching net_10 is forwarded and all other IP packets are dropped due to the default drop action. The map is applied to VLAN 12 to 16.

Router(config)# vlan access-map thor 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action forward
Router(config-access-map)# exit
Router(config)# vlan filter thor vlan-list 12-16

This example shows how to define and apply a VLAN access map to drop and log IP packets. In this example, IP traffic matching net_10 is dropped and logged and all other IP packets are forwarded:

Router(config)# vlan access-map ganymede 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action drop log
Router(config-access-map)# exit
Router(config)# vlan access-map ganymede 20
Router(config-access-map)# match ip address any_host
Router(config-access-map)# action forward
Router(config-access-map)# exit
Router(config)# vlan filter ganymede vlan-list 7-9
 

This example shows how to define and apply a VLAN access map to forward and capture IP packets. In this example, IP traffic matching net_10 is forwarded and captured and all other IP packets are dropped:

Router(config)# vlan access-map mordred 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action forward capture
Router(config-access-map)# exit
Router(config)# vlan filter mordred vlan-list 2, 4-6

Configuring a Capture Port

A port configured to capture VACL-filtered traffic is called a capture port.


Note To apply IEEE 802.1Q or ISL tags to the captured traffic, configure the capture port to trunk unconditionally (see the “Configuring the Layer 2 Switching Port as an ISL or 802.1Q Trunk” section and the “Configuring the Layer 2 Trunk Not to Use DTP” section).


To configure a capture port, perform this task:

 

Command
Purpose

Step 1

Router(config)# interface {{ type 5 slot/port }

Specifies the interface to configure.

Step 2

Router(config-if)# switchport capture allowed vlan { add | all | except | remove } vlan_list

(Optional) Filters the captured traffic on a per-destination-VLAN basis. The default is all.

Router(config-if)# no switchport capture allowed vlan

Clears the configured destination VLAN list and returns to the default value (all).

Step 3

Router(config-if)# switchport capture

Configures the port to capture VACL-filtered traffic.

Router(config-if)# no switchport capture

Disables the capture function on the interface.

5.type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet

When configuring a capture port, note the following information:

  • You can configure any port as a capture port.
  • The vlan_list parameter can be a single VLAN ID or a comma-separated list of VLAN IDs or VLAN ID ranges ( vlan_ID vlan_ID).
  • To encapsulate captured traffic, configure the capture port with the switchport trunk encapsulation command (see the “Configuring a Layer 2 Switching Port as a Trunk” section) before you enter the switchport capture command.
  • For unencapsulated captured traffic, configure the capture port with the switchport mode access command (see the “Configuring a LAN Interface as a Layer 2 Access Port” section) before you enter the switchport capture command.
  • The capture port supports only egress traffic. No traffic can enter the router through a capture port.
  • LI overrides VACL Capture.
  • VACL Capture and OAL are mutually exclusive features.
  • When the VACL capture is configured on an egress interface with another egress feature that requires software processing of the traffic, packets of the overlapping traffic may be captured twice.

This example shows how to configure a Fast Ethernet interface 5/1 as a capture port:

Router(config)# interface gigabitEthernet 5/1
Router(config-if)# switchport capture
Router(config-if)# end
 

This example shows how to display VLAN access map information:

Router# show vlan access-map mordred
Vlan access-map "mordred" 10
match: ip address net_10
action: forward capture
Router#
 

This example shows how to display mappings between VACLs and VLANs. For each VACL map, there is information about the VLANs that the map is configured on and the VLANs that the map is active on. A VACL is not active if the VLAN does not have an interface.

Router# show vlan filter
VLAN Map mordred:
Configured on VLANs: 2,4-6
Active on VLANs: 2,4-6
Router#

Configuring VACL Logging

When you configure VACL logging, IP or IPv6 packets that are denied generate log messages in these situations:

  • When the first matching packet is received
  • For any matching packets received during the last 5-minute interval
  • If the threshold is reached before the 5-minute interval

Log messages are generated on a per-flow basis. A flow is defined as packets with the same IP addresses and Layer 4 (UDP or TCP) port numbers. When a log message is generated, the timer and packet count is reset.

These restrictions apply to VACL logging:

  • Because of the rate-limiting function for redirected packets, VACL logging counters may not be accurate.
  • Only denied IP packets are logged.

To configure VACL logging, use the action drop log command action in VLAN access map submode (see the “Configuring VACLs” section for configuration information) and perform this task in global configuration mode to specify the global VACL logging parameters:

 

Command
Purpose

Step 1

Router(config)# vlan access-log maxflow max_number

Sets the log table size. The content of the log table can be deleted by setting the maxflow number to 0. The default is 500 with a valid range of 0 to 2048. When the log table is full, logged packets from new flows are dropped by the software.

Step 2

Router(config)# vlan access-log ratelimit pps

Sets the maximum redirect VACL logging packet rate. The default packet rate is 2000 packets per second with a valid range of 0 to 5000. Packets exceeding the limit are dropped by the hardware.

Step 3

Router(config)# vlan access-log threshold pkt_count

Sets the logging threshold. A logging message is generated if the threshold for a flow is reached before the 5-minute interval. By default, no threshold is set.

Step 4

Router(config)# exit

Exits VLAN access map configuration mode.

Step 5

Router# show vlan access-log config

(Optional) Displays the configured VACL logging properties.

Step 6

Router# show vlan access-log flow protocol {{ src_addr src_mask } | any | {host { hostname | host_ip }}} {{ dst_addr dst_mask } | any | {host { hostname | host_ip }}}

[vlan vlan_id ]

(Optional) Displays the content of the VACL log table.

Step 7

Router# show vlan access-log statistics

(Optional) Displays packet and message counts and other statistics.

This example shows how to configure global VACL logging in hardware:

Router(config)# vlan access-log maxflow 800
Router(config)# vlan access-log ratelimit 2200
Router(config)# vlan access-log threshold 4000

Displaying IPv6 VACL Logging

To display the contents of the IPv6 VACL log table, use the following command:

show vlan access-log v6flow protocol {{src_addr src_mask} | any | {host {hostname | host_ip}}} {{dst_addr dst_mask} | any | {host {hostname | host_ip}}}[vlan vlan_id]

The following examples shows sample outputs for the command.

Router#show vlan access-log v6flow icmp any any
Matched flows:
id prot src_ip dst_ip sport dport vlan mod/port count
total lastlog
--------------------------------------------------------------------------------
--------------
1 58 CACA::1 2009::10
129 0 102 7/2 4 5 01:13:06
Total number of matched entries: 1
 
 
Router#show vlan access-log v6flow ipv6 any any
Matched flows:
id prot src_ip dst_ip sport dport vlan mod/port count
total lastlog
--------------------------------------------------------------------------------
--------------
1 58 CACA::1 2009::10
129 0 102 7/2 4 5 01:13:06
Total number of matched entries: 1