Configuring VLAN ACLs
This chapter describes how to configure VLAN access lists (ACLs) on NX-OS devices.
This chapter includes the following sections:
•Information About VLAN ACLs
•Licensing Requirements for VACLs
•Prerequisites for VACLs
•Guidelines and Limitations
•Configuring VACLs
•Verifying VACL Configuration
•Displaying and Clearing VACL Statistics
•Example Configuration for VACL
•Default Settings
•Additional References
Information About VLAN ACLs
A VLAN ACL (VACL) is one application of a Media Access Control (MAC) ACL or IP ACL. You can configure VACLs to apply to all packets that are routed into or out of a VLAN or are bridged within a VLAN. VACLs are strictly for security packet filtering and for redirecting traffic to specific physical interfaces. VACLs are not defined by direction (ingress or egress).
For more information about the types and applications of ACLs, see the "Information About ACLs" section on page 10-1.
This section includes the following topics:
•VACLs and Access Maps
•VACLs and Actions
•Statistics
•Session Manager Support
•Virtualization Support
VACLs and Access Maps
VACLs use access maps to link an IP ACL or a MAC ACL to an action. The device takes the configured action on the packets that the referenced ACL permits; the match clause selects the traffic and the action decides what happens to it, so a deny entry in the referenced ACL removes traffic from the map entry rather than dropping it.
VACLs and Actions
In access map configuration mode, you use the action command to specify one of the following actions:
•Forward—Sends the traffic to the destination determined by normal operation of the switch.
•Redirect—Redirects the traffic to one or more specified interfaces.
•Drop—Drops the traffic. If you specify drop as the action, you can also specify that the device logs the dropped packets.
Statistics
The device can maintain global statistics for each rule in a VACL. If a VACL is applied to multiple VLANs, the maintained rule statistics are the sum of packet matches (hits) across all the VLANs to which that VACL is applied; there is no per-VLAN breakdown.
Note The device does not support interface-level VACL statistics.
For each VLAN access map that you configure, you can specify whether the device maintains statistics for that VACL. This feature allows you to turn VACL statistics on or off as needed to monitor traffic filtered by a VACL or to help troubleshoot VLAN access-map configuration.
For information about displaying VACL statistics, see the "Displaying and Clearing VACL Statistics" section.
Session Manager Support
Session Manager supports the configuration of VACLs. This feature allows you to verify ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration. For more information about Session Manager, see the Cisco Nexus 7000 Series NX-OS System Management Configuration Guide, Release 4.0.
Virtualization Support
The following information applies to VACLs used in Virtual Device Contexts (VDCs):
•ACLs are unique per VDC. You cannot use an ACL that you created in one VDC in a different VDC.
•Because ACLs are not shared by VDCs, you can reuse ACL names in different VDCs.
•The device does not limit ACLs or rules on a per-VDC basis.
Licensing Requirements for VACLs
The following table shows the licensing requirements for this feature:

Product    License Requirement
NX-OS      VACLs require no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For a complete explanation of the NX-OS licensing scheme, see the Cisco Nexus 7000 Series NX-OS Licensing Guide, Release 4.0.
Prerequisites for VACLs
VACLs have the following prerequisites:
•You must be familiar with VLANs to configure VACLs.
•You must be familiar with the concepts in the "Information About ACLs" section on page 10-1.
Guidelines and Limitations
VACLs have the following configuration guidelines and limitations:
•We recommend that you perform ACL configurations using the Session Manager. This feature allows you to verify ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration. For more information about Session Manager, see the Cisco Nexus 7000 Series NX-OS System Management Configuration Guide, Release 4.0.
•ACL statistics are not supported if the DHCP snooping feature is enabled.
•See the "Information About ACLs" section on page 10-1 for more information about ACLs.
Configuring VACLs
This section includes the following topics:
•Creating or Changing a VACL
•Removing a VACL
•Applying a VACL to a VLAN
Creating or Changing a VACL
You can create or change a VACL. Creating a VACL includes creating an access map that associates an IP or MAC ACL with an action to be applied to the matching traffic.
BEFORE YOU BEGIN
Ensure that the IP ACL or MAC ACL that you want to use in the VACL exists and is configured to filter traffic in the manner that you need for this application. For more information about configuring IP ACLs, see the "Configuring IP ACLs" section on page 10-1. For more information about configuring MAC ACLs, see the "Configuring MAC ACLs" section on page 11-1.
SUMMARY STEPS
1. config t
2. vlan access-map map-name
3. match ip address ip-access-list
match mac address mac-access-list
4. action {drop | forward | redirect}
5. [no] statistics per-entry
6. show running-config aclmgr
7. copy running-config startup-config
DETAILED STEPS
Step 1  config t
        Example:
          switch# config t
          switch(config)#
        Enters global configuration mode.

Step 2  vlan access-map map-name
        Example:
          switch(config)# vlan access-map acl-mac-map
          switch(config-access-map)#
        Enters access map configuration mode for the access map specified.

Step 3  match ip address ip-access-list
        Example:
          switch(config-access-map)# match ip address acl-ip-lab
        Specifies an IPv4 ACL for the map.

        match mac address mac-access-list
        Example:
          switch(config-access-map)# match mac address acl-mac-01
        Specifies a MAC ACL for the map.

Step 4  action {drop | forward | redirect}
        Example:
          switch(config-access-map)# action forward
        Specifies the action that the device applies to traffic that matches the ACL. The action command supports further options, such as logging dropped packets and naming the interfaces for a redirect. For more information, see the Cisco Nexus 7000 Series NX-OS Security Command Reference, Release 4.0.

Step 5  [no] statistics per-entry
        Example:
          switch(config-access-map)# statistics per-entry
        (Optional) Specifies that the device maintains global statistics for packets that match the rules in the VACL. The no option stops the device from maintaining global statistics for the VACL.

Step 6  show running-config aclmgr
        Example:
          switch(config-access-map)# show running-config aclmgr
        (Optional) Displays the ACL configuration.

Step 7  copy running-config startup-config
        Example:
          switch(config-access-map)# copy running-config startup-config
        (Optional) Copies the running configuration to the startup configuration.
Removing a VACL
You can remove a VACL by deleting its VLAN access map.
BEFORE YOU BEGIN
Ensure that you know whether the VACL is applied to a VLAN; the show vlan filter command lists where it is applied. The device allows you to remove VACLs that are currently applied. Removing a VACL does not change the vlan filter configuration of the VLANs where you applied it; those VLANs keep referencing the map, and the device treats the removed VACL as empty. If you intend to stop filtering those VLANs, unapply the VACL as well (see the "Applying a VACL to a VLAN" section).
SUMMARY STEPS
1. config t
2. no vlan access-map map-name
3. show running-config aclmgr
4. copy running-config startup-config
DETAILED STEPS
Step 1  config t
        Example:
          switch# config t
          switch(config)#
        Enters global configuration mode.

Step 2  no vlan access-map map-name
        Example:
          switch(config)# no vlan access-map acl-mac-map
        Removes the VLAN access map configuration for the specified access map.

Step 3  show running-config aclmgr
        Example:
          switch(config)# show running-config aclmgr
        (Optional) Displays the ACL configuration.

Step 4  copy running-config startup-config
        Example:
          switch(config)# copy running-config startup-config
        (Optional) Copies the running configuration to the startup configuration.
Applying a VACL to a VLAN
You can apply a VACL to a VLAN.
BEFORE YOU BEGIN
If you are applying a VACL, ensure that the VACL exists and is configured to filter traffic in the manner that you need for this application. For more information about creating VACLs, see the "Creating or Changing a VACL" section.
If you are unapplying a VACL, ensure that you are unapplying the correct VACL and that you understand how the VACL is currently applied. For more information about verifying the VACL configuration, see the "Verifying VACL Configuration" section.
SUMMARY STEPS
1. config t
2. [no] vlan filter map-name vlan-list list
3. show running-config aclmgr
4. copy running-config startup-config
DETAILED STEPS
Step 1  config t
        Example:
          switch# config t
          switch(config)#
        Enters global configuration mode.

Step 2  [no] vlan filter map-name vlan-list list
        Example:
          switch(config)# vlan filter acl-mac-map vlan-list 1-20,26-30
          switch(config)#
        Applies the VACL to the VLANs in the list that you specified. The no option unapplies the VACL.

Step 3  show running-config aclmgr
        Example:
          switch(config)# show running-config aclmgr
        (Optional) Displays the ACL configuration.

Step 4  copy running-config startup-config
        Example:
          switch(config)# copy running-config startup-config
        (Optional) Copies the running configuration to the startup configuration.
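The creating, removing and applying procedures above leave two failure modes that the CLI does not warn about: a vlan filter that still references a map that has been removed (the device then applies an empty VACL), and a map entry whose match clause names an ACL that does not exist. The following Python script is an added example, not part of this chapter or of NX-OS: it parses text in the shape of show running-config aclmgr output, expands the vlan-list ranges, and reports those dangling references along with which VACL covers each VLAN. The sample configuration inside it is constructed for the example (the ACL acl-ip-old and the map acl-gone are hypothetical), and the regular expressions assume the line formats shown there; adjust them if your device's output differs.

```python
"""Audit VACL configuration parsed from 'show running-config aclmgr' text.

Added example; the sample below is constructed and only imitates NX-OS output.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample (not captured from a device). 'acl-gone' stands for a map
# that was deleted with 'no vlan access-map' while its 'vlan filter' remained;
# 'acl-ip-old' is an ACL that a map entry references but that was never created.
SAMPLE_ACLMGR = """\
ip access-list acl-ip-lab
  10 permit ip 10.10.0.0/16 any
  20 deny ip any any
mac access-list acl-mac-01
  10 permit any any
vlan access-map acl-mac-map 10
  match mac address acl-mac-01
  action forward
  statistics per-entry
vlan access-map acl-ip-map 10
  match ip address acl-ip-lab
  action drop log
vlan access-map acl-ip-map 20
  match ip address acl-ip-old
vlan filter acl-mac-map vlan-list 1-20,26-30
vlan filter acl-ip-map vlan-list 50-82
vlan filter acl-gone vlan-list 100
"""


@dataclass
class MapEntry:
    name: str
    seq: Optional[str]                      # sequence number, if shown
    matches: List[Tuple[str, str]] = field(default_factory=list)  # (kind, acl)
    action: Optional[str] = None
    statistics: bool = False


def expand_vlan_list(spec: str) -> set:
    """Expand a vlan-list such as '1-20,26-30' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_aclmgr(text: str):
    """Return (defined ACL names, access-map entries, vlan filters)."""
    acls, entries, filters = set(), [], []
    current = None  # MapEntry whose sub-mode lines we are reading
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"(ip|ipv6|mac) access-list (\S+)$", line):
            acls.add(m.group(2))
            current = None          # ACE lines that follow are not map lines
        elif m := re.match(r"vlan access-map (\S+)(?: (\d+))?$", line):
            current = MapEntry(m.group(1), m.group(2))
            entries.append(current)
        elif m := re.match(r"vlan filter (\S+) vlan-list (\S+)$", line):
            filters.append((m.group(1), expand_vlan_list(m.group(2))))
            current = None
        elif current is not None:
            if m := re.match(r"match (ip|ipv6|mac) address (\S+)$", line):
                current.matches.append((m.group(1), m.group(2)))
            elif m := re.match(r"action (drop|forward|redirect)\b", line):
                current.action = m.group(1)
            elif line == "statistics per-entry":
                current.statistics = True
    return acls, entries, filters


def audit(text: str):
    """Return (findings, coverage) where coverage maps VLAN ID -> [map names]."""
    acls, entries, filters = parse_aclmgr(text)
    defined_maps = {e.name for e in entries}
    findings = []
    for e in entries:
        for kind, acl in e.matches:
            if acl not in acls:
                findings.append(f"map {e.name} seq {e.seq}: match {kind} address "
                                f"{acl} references an undefined ACL")
        if e.action is None:
            findings.append(f"map {e.name} seq {e.seq}: no action configured")
    coverage = {}
    for name, vlans in filters:
        if name not in defined_maps:
            findings.append(f"vlan filter {name}: access map does not exist, "
                            f"so the VLANs are filtered by an empty VACL")
        for vlan in sorted(vlans):
            coverage.setdefault(vlan, []).append(name)
    return findings, coverage


if __name__ == "__main__":
    found, cov = audit(SAMPLE_ACLMGR)
    for line in found:
        print("FINDING:", line)
    print("filtered VLANs:", len(cov))
```

Run it against the saved output of show running-config aclmgr from a device to get the same findings for a real configuration; the coverage dictionary is also a quick way to confirm that every VLAN you intended to filter actually appears in a vlan filter command.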
Verifying VACL Configuration
To display VACL configuration information, use one of the following commands:
Command                      Purpose
show running-config aclmgr   Displays the ACL configuration, including VACL-related configuration.
show vlan filter             Displays information about VACLs that are applied to a VLAN.
show vlan access-map         Displays information about VLAN access maps.
For detailed information about the fields in the output from these commands, see the Cisco Nexus 7000 Series NX-OS Security Command Reference, Release 4.0.
Displaying and Clearing VACL Statistics
To display or clear VACL statistics, use one of the following commands:
Command                         Purpose
show vlan access-list           Displays the VACL configuration. If the VLAN access map includes the statistics per-entry command, the show vlan access-list command output includes the number of packets that have matched each rule.
clear vlan access-list counters Clears statistics for all VACLs or for a specific VACL.
For detailed information about these commands, see the Cisco Nexus 7000 Series NX-OS Security Command Reference, Release 4.0.
Example Configuration for VACL
The following example shows how to configure a VACL that forwards traffic permitted by a MAC ACL named acl-mac-01, with per-entry statistics enabled, and how to apply the VACL to VLANs 50 through 82. The MAC ACL acl-mac-01 must already exist.
vlan access-map acl-mac-map
  match mac address acl-mac-01
  action forward
  statistics per-entry
vlan filter acl-mac-map vlan-list 50-82
Default Settings
Table 12-1 lists the default settings for VACL parameters.
Additional References
For additional information related to implementing VACLs, see the following sections:
•Related Documents
•Standards
Related Documents
Related Topic                                                                                                 Document Title
Concepts about ACLs                                                                                           Information About ACLs, page 10-1
VACL commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples   Cisco Nexus 7000 Series NX-OS Security Command Reference, Release 4.0
Standards
Standards                                                                                                                          Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.   —