Contents
- Configuring VLAN ACLs
- Information About VLAN ACLs
- VLAN Access Maps and Entries
- VACLs and Actions
- VACL Statistics
- Session Manager Support for VACLs
- Licensing Requirements for VACLs
- Prerequisites for VACLs
- Guidelines and Limitations for VACLs
- Default Settings for VACLs
- Configuring VACLs
- Creating a VACL or Adding a VACL Entry
- Changing a VACL Entry
- Removing a VACL or a VACL Entry
- Applying a VACL to a VLAN
- Verifying the VACL Configuration
- Monitoring and Clearing VACL Statistics
Configuring VLAN ACLs
This chapter describes how to configure VLAN access lists (ACLs) on Cisco NX-OS devices.
This chapter includes the following sections:
- Information About VLAN ACLs
- Licensing Requirements for VACLs
- Prerequisites for VACLs
- Guidelines and Limitations for VACLs
- Default Settings for VACLs
- Configuring VACLs
- Verifying the VACL Configuration
- Monitoring and Clearing VACL Statistics
Information About VLAN ACLs
A VLAN ACL (VACL) is one application of an IP ACL. You can configure VACLs to apply to all packets that are routed into or out of a VLAN or are bridged within a VLAN. VACLs are strictly for security packet filtering and for redirecting traffic to specific physical interfaces. VACLs are not defined by direction (ingress or egress).
Note
If an IPv4 ACL, applied as a VLAN ACL, contains one or more ACEs with logical operators for TCP/UDP port numbers, the port numbers are matched in the ingress direction but ignored in the egress direction.
VLAN Access Maps and Entries
VACLs use access maps to contain an ordered list of one or more map entries. Each map entry associates IP ACLs to an action. Each entry has a sequence number, which allows you to control the precedence of entries.
When the device applies a VACL to a packet, it applies the action that is configured in the first access map entry that contains an ACL that permits the packet.
VACLs and Actions
In access map configuration mode, you use the action command to specify one of the following actions:
- Forward
Sends the traffic to the destination determined by the normal operation of the switch.
- Drop
Drops the traffic. If you specify drop as the action, you can also specify that the device logs the dropped packets.
VACL Statistics
The device can maintain global statistics for each rule in a VACL. If a VACL is applied to multiple VLANs, the maintained rule statistics are the sum of packet matches (hits) on all the interfaces on which that VACL is applied.
Note
The device does not support interface-level VACL statistics.
For each VLAN access map that you configure, you can specify whether the device maintains statistics for that VACL. This feature allows you to turn VACL statistics on or off as needed to monitor traffic filtered by a VACL or to help troubleshoot VLAN access-map configuration.
Licensing Requirements for VACLs
This table shows the licensing requirements for this feature.
Guidelines and Limitations for VACLs
VACLs have the following configuration guidelines:
- We recommend that you perform ACL configurations using the Session Manager. This feature allows you to verify ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration. For more information about Session Manager, see the .
- ACL statistics are not supported if the DHCP snooping feature is enabled.
- The maximum number of supported VACL entries is 64,000 for devices without an XL line card and 128,000 for devices with an XL line card.
- If you try to apply too many ACL entries to a non-XL line card, the configuration is rejected.
- Each forwarding engine on an F1 Series module supports 1000 ingress ACL entries, with 984 entries available for user configuration. The total number of VLAN ACL entries for the F1 Series modules is from 1000 to 16,000, depending on which forwarding engines the policies are applied.
- Each of the 16 forwarding engines in an F1 Series module supports up to 250 IPv6 addresses across multiple ACLs.
- F1 Series modules do not support ACL logging.
- F1 Series modules do not support bank chaining.
- Each VLAN ACL can support up to six different Layer 4 operations for F1 Series modules.
- If the same ACL is applied on multiple VLANs of the same port for F1 Series modules (for example, VLAN 10, 20), it is programmed multiple times (in this case, on VLAN 10 and VLAN 20).
- Each of the 12 forwarding engines in an F2 Series module has 16,000 total TCAM entries, equally split across two banks. 168 default entries are reserved. Each forwarding engine also has 512 IPv6 compression TCAM entries.
Configuring VACLs
- Creating a VACL or Adding a VACL Entry
- Changing a VACL Entry
- Removing a VACL or a VACL Entry
- Applying a VACL to a VLAN
Creating a VACL or Adding a VACL Entry
You can create a VACL or add entries to an existing VACL. In both cases, you create a VACL entry, which is a VLAN access-map entry that associates one or more ACLs with an action to be applied to the matching traffic.
Before You Begin
Ensure that the ACLs that you want to use in the VACL exist and are configured to filter traffic in the manner that you need for this application.
SUMMARY STEPS
1. configure terminal
2. vlan access-map map-name [sequence-number]
3. Enter one of the following commands: match ip address ip-access-list or match ipv6 address ip-access-list
4. action {drop | forward | redirect}
5. (Optional) [no] statistics per-entry
6. (Optional) show running-config aclmgr
7. (Optional) copy running-config startup-config
DETAILED STEPS
Changing a VACL Entry
You change a VACL entry in any of the following ways:
- Add VLAN access-map entries to an existing VACL.
- Change VLAN access-map entries.
- Configure whether the device maintains statistics for the VACL.
Note
You cannot change the sequence number of a VLAN access-map entry. Instead, create a new VLAN access-map entry with the desired sequence number and remove the VLAN access-map entry with the undesired sequence number.
SUMMARY STEPS
1. configure terminal
2. vlan access-map map-name [sequence-number]
3. (Optional) Enter [no] match {ip | ipv6} address ip-access-list.
4. (Optional) action {drop | forward | redirect}
5. (Optional) [no] statistics per-entry
6. (Optional) show running-config aclmgr
7. (Optional) copy running-config startup-config
DETAILED STEPS
Removing a VACL or a VACL Entry
You can remove a VACL, which means that you will delete the VLAN access map.
You can also remove a single VLAN access-map entry from a VACL.
Before You Begin
Ensure that you know whether the VACL is applied to a VLAN. The device allows you to remove VACLs that are currently applied. Removing a VACL does not affect the configuration of VLANs where you have applied the VACL. Instead, the device considers the removed VACL to be empty.
SUMMARY STEPS
1. configure terminal
2. no vlan access-map map-name [sequence-number]
3. (Optional) show running-config aclmgr
4. (Optional) copy running-config startup-config
DETAILED STEPS
Applying a VACL to a VLAN
Before You Begin
If you are applying a VACL, ensure that the VACL exists and is configured to filter traffic in the manner that you need for this application.
SUMMARY STEPS
1. configure terminal
2. [no] vlan filter map-name vlan-list list
3. (Optional) show running-config aclmgr
4. (Optional) copy running-config startup-config
DETAILED STEPS
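The creation and application procedures above, worked through end to end as an added example (not configuration from the Cisco document). It assumes VLAN 100, the ACL names VACL-BLOCK-TELNET and VACL-PERMIT-ALL, and the map name VACL-100; the ACLs are created first because the Before You Begin section requires them to exist before the map entry references them.

```cisco
! Added example; VLAN 100, the ACL names and the map name are assumptions.
configure terminal
 ! The IP ACLs that the map entries reference must exist first.
 ip access-list VACL-BLOCK-TELNET
  10 permit tcp any any eq 23
 ip access-list VACL-PERMIT-ALL
  10 permit ip any any
 ! Entry 10: the first entry whose ACL permits a packet decides its fate,
 ! so the narrow match goes first. Dropped packets are logged.
 ! Caveat from the Note above: the "eq 23" port operator is matched
 ! only in the ingress direction and ignored in the egress direction.
 vlan access-map VACL-100 10
  match ip address VACL-BLOCK-TELNET
  action drop log
  statistics per-entry
 ! Entry 20: everything else is forwarded by normal switching.
 vlan access-map VACL-100 20
  match ip address VACL-PERMIT-ALL
  action forward
  statistics per-entry
 ! Apply the map; a VACL has no direction and covers traffic bridged
 ! within, routed into, or routed out of the VLAN.
 vlan filter VACL-100 vlan-list 100
 exit
! Verify the map, its application, and the per-entry hit counters.
show vlan access-map
show vlan filter
show vlan access-list
copy running-config startup-config
```

Because entries are evaluated in sequence order, reversing the two sequence numbers would forward every packet at entry 10 and never reach the drop entry; check the order with show vlan access-map before applying the filter.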
Verifying the VACL Configuration
To display VACL configuration information, perform one of the following tasks.
| Command | Purpose |
|---|---|
| show running-config aclmgr [all] | Displays the ACL configuration, including the VACL-related configuration. Note: Beginning with Cisco NX-OS Release 5.2, this command displays the user-configured ACLs in the running configuration. The all option displays both the default (CoPP-configured) and user-configured ACLs in the running configuration. |
| show startup-config aclmgr [all] | Displays the ACL startup configuration. Note: Beginning with Cisco NX-OS Release 5.2, this command displays the user-configured ACLs in the startup configuration. The all option displays both the default (CoPP-configured) and user-configured ACLs in the startup configuration. |
| show vlan filter | Displays information about VACLs that are applied to a VLAN. |
| show vlan access-map | Displays information about VLAN access maps. |
Monitoring and Clearing VACL Statistics
To monitor or clear VACL statistics, use one of the commands in this table. For detailed information about these commands, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.
| Command | Purpose |
|---|---|
| show vlan access-list | Displays the VACL configuration. If the VLAN access map includes the statistics per-entry command, the show vlan access-list command output includes the number of packets that have matched each rule. |
| clear vlan access-list counters | Clears statistics for all VACLs or for a specific VACL. |