Configuring VLAN ACLs

This chapter describes how to configure VLAN access lists (ACLs) on Cisco NX-OS devices.

This chapter includes the following sections:

VLAN ACLs

A VLAN ACL is a network security rule set that

  • applies to all packets that are routed into, out of, or bridged within a VLAN,

  • filters or redirects traffic within the VLAN for security purposes, and

  • is directionless and does not distinguish between ingress and egress.

VLAN access maps and entries

VACLs use access maps to contain an ordered list of map entries. Each map entry associates an IP or MAC ACL with an action. Each entry has a sequence number. The sequence number determines the precedence of entries.

When the device applies a VACL to a packet, it uses the action configured in the first access map entry with an ACL that permits the packet.

Actions in VACLs

In access map configuration mode, you use the action command to specify one of the following actions:

  • Forward: sends the traffic to the destination determined by the normal operation of the device.

  • Redirect: redirects the traffic to one or more specified interfaces.

  • Drop: drops the traffic. If you specify drop as the action, you can also specify that the device logs the dropped packets.

VACL statistics

You can view global statistics for each rule in a VACL. When you apply a VACL to multiple VLANs, the rule statistics show the sum of packet matches (hits) on all interfaces where you applied the VACL.


Note: You cannot view VACL statistics at the interface level.

For each VLAN access map you configure, you decide whether to keep statistics for that VACL. Turn VACL statistics on or off to monitor filtered traffic or troubleshoot VLAN access map configuration.

VACLs in Session Manager

Using Session Manager to configure VACLs

  • allows you to verify ACL configurations prior to applying them,

  • ensures required resources are available before committing changes, and

  • helps prevent errors in running configurations.

For more information about Session Manager, see the Cisco Nexus 9000 Series NX-OS System Management Configuration Guide.

Licensing Requirements for VACLs

This table shows the licensing requirements for this feature.

Product          License Requirement
Cisco NX-OS      VACLs require no license. Any feature not included in a license package is bundled with the image and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.

Prerequisite requirements for VACLs

Before you configure a VACL, make sure that the IP access control list (ACL) or MAC ACL that the VACL uses already exists and is configured to filter traffic according to your criteria.

Guidelines and Limitations for VACLs

VACLs have the following configuration guidelines:

  • Cisco recommends using the Session Manager to configure ACLs. This feature allows you to verify the ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration. For more information about Session Manager, see the Cisco Nexus 9000 Series NX-OS System Management Configuration Guide.

  • If you try to apply too many ACL entries, the configuration might be rejected.

  • VACL redirects to SPAN destination ports are not supported.

  • VACL logging is not supported.

  • TCAM resources are not shared when a VACL is applied to multiple VLANs.

  • Beginning with Cisco NX-OS Release 7.0(3)I6(1), Cisco Nexus 9200 and 9300-EX Series switches support the VACL redirect option. The redirect is permitted to one physical or port-channel interface.

  • Deny statements are not supported on VACLs. Alternatively, you can use permit statements with the action 'drop' to achieve a similar outcome.

  • When you configure a VACL with the redirect option, the interface that you define as the redirect interface must be a member of the VLAN to which you apply the VACL, and that VLAN must be in the forwarding state on the interface for the redirection to work. If these conditions are not met, the switch drops the packets that the VACL matches.

  • VACLs are not supported on Cisco Nexus 9500 Series switches with N9K-X9636C-R, N9K-X9636C-RX, and N9K-X9636Q-R line cards.

The following guidelines apply to VACLs for VXLANs:

  • VACLs applied on a VXLAN VLAN in the access to network direction (Layer 2 to Layer 3 encapsulation path) are supported on the inner payload.

  • We recommend using VACLs on the access side to filter out traffic entering the overlay network.

  • Egress VACLs for decapsulated VXLAN traffic are not supported.

Default settings for VACLs

This table lists the default settings for VACL parameters.

Table 1. Default VACL Parameters

Parameters       Default
VACLs            No IP access control lists (ACLs) exist by default.
ACL rules        Implicit rules apply to all access control lists (ACLs).

Configuring VACLs

Create a VACL entry

You can create a VACL or add entries to an existing VACL. In both cases, you create a VACL entry, which is a VLAN access-map entry that associates one or more ACLs with an action to be applied to the matching traffic.

Before you begin

To use an ACL in the VACL, make sure it already exists and is configured to filter traffic as needed for this application.

Procedure


Step 1

Enter the global configuration mode using the configure terminal command.

Example:

switch# configure terminal
switch(config)#

Step 2

Enter VLAN access-map configuration mode for the specified VLAN access map using the vlan access-map map-name [ sequence-number ] command.

Example:

switch(config)# vlan access-map acl-mac-map
switch(config-access-map)#

  • If the VLAN access map does not exist, the device creates it.

  • If you do not specify a sequence number, the device creates a new entry whose sequence number is 10 greater than the last sequence number in the access map.

Step 3

Specify an ACL for the access-map entry using one of the following commands:

  • match { ip | ipv6 } address ip-access-list
  • match mac address mac-access-list

Example:

switch(config-access-map)# match ip address acl-ip-lab

Example:

switch(config-access-map)# match mac address acl-mac-01

Step 4

Specify the action that the device applies to traffic that matches the ACL using the action { drop | forward | redirect } command.

Example:

switch(config-access-map)# action forward

Example:

switch(config-access-map)# vlan access-map vacl1
switch(config-access-map)# action redirect e1/1
switch(config-access-map)# action redirect po100

The action command supports the drop, forward, and redirect options.

Step 5

(Optional) Specify that the device maintains global statistics for packets that match the rules in the VACL using the [ no ] statistics per-entry command.

Example:

switch(config-access-map)# statistics per-entry

The no option stops the device from maintaining global statistics for the VACL.

Step 6

(Optional) Display the ACL configuration using the show running-config aclmgr command.

Example:

switch(config-access-map)# show running-config aclmgr

Step 7

(Optional) Copy the running configuration to the startup configuration using the copy running-config startup-config command.

Example:

switch(config-access-map)# copy running-config startup-config

A VACL entry is created or updated. Traffic is filtered, redirected, or forwarded according to your configuration.

What to do next

  • Verify operation by using the appropriate show commands.

  • Review device behavior for correct traffic processing.

Remove a VACL or VACL entry

Remove a VLAN access control list (VACL) or an individual entry from a VACL in your network switch configuration.

Perform this task if you need to delete a VACL or a specific VACL entry. You can delete the VLAN access map as part of this process.

To remove a VACL or VACL entry, complete these steps.

Before you begin

Ensure that you know whether the VACL is applied to a VLAN. The device allows you to remove VACLs that are currently applied. Removing a VACL does not affect the configuration of VLANs where the VACL was applied. After removal, the device treats the VACL as an empty configuration.

Procedure


Step 1

Enter the global configuration mode using the configure terminal command.

Example:

switch# configure terminal
switch(config)#

Step 2

Delete the VLAN access map configuration for the specified access map using the no vlan access-map map-name [ sequence-number ] command.

Example:

switch(config)# no vlan access-map acl-mac-map 10

The command removes only the specified entry if you provide the sequence-number argument and the VACL contains more than one entry.

Step 3

(Optional) Display the ACL configuration using the show running-config aclmgr command.

Example:

switch(config)# show running-config aclmgr

Step 4

(Optional) Copy the running configuration to the startup configuration using the copy running-config startup-config command.

Example:

switch(config)# copy running-config startup-config

The specified VACL or VACL entry is removed from the device configuration.

What to do next

Verify that the intended VACL or entry is deleted and that network access policies function as expected.

Apply a VACL to your VLAN

You can apply a VACL to a VLAN.

Before you begin

Before you apply a VACL, make sure that the VACL exists and filters traffic for your application.

Procedure


Step 1

Enter global configuration mode using the configure terminal command.

Example:

switch# configure terminal
switch(config)#

Step 2

Apply the VACL to the specified VLANs using the [ no ] vlan filter map-name vlan-list list command.

Example:

switch(config)# vlan filter acl-mac-map vlan-list 1-20,26-30
switch(config)#

Use the no option to remove the VACL from the specified VLANs.

Step 3

(Optional) Display the ACL configuration using the show running-config aclmgr command.

Example:

switch(config)# show running-config aclmgr

Step 4

(Optional) Copy the running configuration to the startup configuration using the copy running-config startup-config command.

Example:

switch(config)# copy running-config startup-config

Verify the VACL configuration

Use these commands to verify VACL (VLAN Access Control List) configuration.

Table 2. Commands for VACL configuration verification

Command                             Purpose
show running-config aclmgr [all]    Displays the ACL configuration, including the VACL-related configuration. Note: this command displays the user-configured ACLs in the running configuration; the all option displays both the default (CoPP-configured) and user-configured ACLs in the running configuration.
show startup-config aclmgr [all]    Displays the ACL startup configuration. Note: this command displays the user-configured ACLs in the startup configuration; the all option displays both the default (CoPP-configured) and user-configured ACLs in the startup configuration.
show vlan filter                    Displays information about VACLs that are applied to a VLAN.
show vlan access-map                Displays information about VLAN access maps.

Commands for monitoring and clearing VACL statistics

Use one of these commands to monitor or clear VACL statistics.

Table 3. Commands for monitoring and clearing VACL statistics

Command                          Purpose
show vlan access-list            Displays the VACL configuration. If the VLAN access map includes the statistics per-entry command, the output includes the number of packets that have matched each rule.
clear vlan access-list counters  Clears statistics for VACLs.

Configuration example for VACLs

Configure a VACL to forward traffic permitted by a MAC ACL named acl-mac-01 and apply the VACL to VLANs 50 to 82.

configure terminal
vlan access-map acl-mac-map
  match mac address acl-mac-01
  action forward
vlan filter acl-mac-map vlan-list 50-82
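The following configuration is an added example, not part of the original guide, showing the drop pattern from the guidelines: because deny statements are not supported in VACLs, the hosts to block are listed as permit statements in an IP ACL, the access-map entry that matches them uses action drop, and a catch-all entry forwards the rest, with per-entry statistics enabled so that show vlan access-list reports hit counts. The ACL names (acl-ip-untrusted, acl-ip-any), the 192.0.2.0/24 range, the map name and the VLAN range are constructed for this example, and the ip access-list commands belong to the IP ACL feature rather than to this chapter; lines beginning with ! are comments.

```cisco
configure terminal
! Constructed IP ACLs (the ip access-list command is documented in the
! IP ACL chapter, not here). Only permit statements are used because deny
! statements are not supported in VACLs: a permit here means "this
! access-map entry matches the packet".
ip access-list acl-ip-untrusted
  10 permit ip 192.0.2.0/24 any
ip access-list acl-ip-any
  10 permit ip any any
! Entry 10 must precede the catch-all entry 20: the device applies the
! action of the first entry whose ACL permits the packet, so a forward
! entry with a lower sequence number would shadow the drop entry.
vlan access-map acl-ip-guest-map 10
  match ip address acl-ip-untrusted
  action drop
  statistics per-entry
vlan access-map acl-ip-guest-map 20
  match ip address acl-ip-any
  action forward
  statistics per-entry
! Apply the map to the (constructed) guest VLAN range and verify.
vlan filter acl-ip-guest-map vlan-list 100-110
show vlan filter
show vlan access-list
copy running-config startup-config
```

With statistics per-entry in place, the match counters in show vlan access-list rise on entry 10 only for traffic from the listed range, which is the quickest way to confirm that the drop entry is being reached rather than shadowed.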

Additional references for VACLs

Use this table to find documents about VACL configuration and related topics.

Table 4. Related documents

Related Topic        Document Title
QoS configuration    Cisco Nexus 9000 Series NX-OS Quality of Service Configuration Guide