Section 11-4. VLAN Access Control Lists

  • Access control lists (ACLs) define how traffic is to be handled as it passes through a network device.

  • ACLs use addressing and port information to control conversations.

  • ACLs are typically implemented in routers, but newer hardware allows Layer 2 and Layer 3 switches to consult the list before passing the packet.

  • ACLs enable users to configure any switch to control traffic based on Layer 3 and above of the OSI reference model.

  • These ACLs are mapped to a VLAN or a Layer 2 port to control traffic flows.

  • VACLs are enforced in hardware and are not supported on all platforms.

  • Currently VACLs are supported on the 6000 (with a Policy Feature Card [PFC] or PFC2), the 3550, and the 2950 series switches.

The VLAN ACL (VACL) is an ACL that specifies traffic parameters based on Layer 3 and above information and that is applied to a Layer 2 VLAN or, in some instances, to a Layer 2 interface. These lists offer a benefit over traditional router access lists: they are applied in hardware and are therefore faster than traditional ACLs. They also add the capability to filter traffic within an IP subnet as well as beyond it. Although the functionality is the same between operating systems, the configuration differs. This section is divided into two parts. The first set of commands specifies the VACL configuration on COS devices that support VACLs, and the second portion specifies the IOS VACLs. Use the steps in each section to configure and apply VACLs on your switch. These steps cover only IP VACLs, because IP is the one protocol supported on all the platforms listed. It is possible to configure IPX VACLs on some platforms; although the syntax and process are the same, the protocol options differ for IPX.

NOTE

ACLs behave in the same manner on both routers and switches. This section does not discuss every option and configuration principle. For more on access list configuration, consult the Cisco Press titles Interconnecting Cisco Network Devices and Cisco Field Manual: Router Configuration.


COS VACL Configuration

These configuration steps apply to the Catalyst 6000 series switch with a PFC or PFC2 running the COS software.

1. Configure the access list:

COS

  set security acl ip {acl_name} {permit | deny | redirect mod/port} {protocol}
      {sourceaddress mask} [op] [srcport] {dest mask} [op] [destport]
      [before editbuffer_index | modify editbuffer_index] [log]


To control the traffic, you must first specify which traffic you want to control and how you want to deal with that traffic. A VACL is a sequential list of entries that specify which traffic is controlled and how it is controlled. To create the list, you type the command listed here for every set of conditions that you want to test. When a frame meets the criteria of an entry in the list (evaluated from the top down), that entry's action is taken on the frame. If no entry matches the frame, the frame is dropped.

The command set security acl ip name specifies the name of an IP ACL that you are configuring. After you have specified a name, all entries that are to be checked against will have the same name. After the name is specified, the protocol specifications and actions follow. The first item after the name is the action. The permit option allows traffic that meets the specifications to be passed across the switch. The deny option drops packets that meet the specifications. The redirect option sends traffic to a specified mod/port on the switch instead of using the content addressable memory (CAM) table entry.

The protocol, address/mask, ports, and operator options enable you to specify the traffic flow by IP address and port information. You can use the keyword all in the place of the address/mask option.

By default, all entries created in an ACL go at the bottom of the list. On a COS device, however, the ACL is written to a special edit buffer, and its entries are not part of the switch operation until they are committed. Using the before or modify keywords, you can either place the item before a particular entry in the edit buffer or modify (replace) an entry. To view the entries in an edit buffer that has not been committed to memory, use the command show security acl ip name editbuffer. You then use the edit buffer index numbers listed to modify or place the entries. The final option is log, which causes the switch to log only frames that have been denied by the access list.

2. Commit the ACL to the ternary content addressable memory (TCAM):

COS

  commit security acl {name | all}


After you have configured the VACL, it is only resident in the edit buffer and cannot be used by the switch until it has been written to the TCAM tables. Use the commit security acl command to place the information into the TCAM table for use by the switch. The all option commits all uncommitted VACLs, and the name option commits only the list specified.

3. Map the ACL to a VLAN:

COS

  set security acl map acl_name vlan


After you have created and committed the VACL, you need to map it to a VLAN before it will control traffic for the switch. To map the VACL, use the command set security acl map followed by the VACL name and the VLAN to which it will be mapped. A VLAN can have only one VACL mapped to it for the control of traffic, but a VACL can be mapped to many VLANs.

Verification

To verify the configuration and mapping of COS VACLs on the switch, use one of the following commands:

COS

  show security acl info [name | all]
  show security acl map [name | vlan | all]


IOS VACL Configuration

IOS VACLs are configured as standard or extended IP access lists. Then those lists are mapped to a port or a VLAN. Currently, only the 6000 running Supervisor IOS, the 3550, and the 2950G switches support VACLs. Use these commands to configure the VACL option.

1. Configure the access list.

The first parameter that has to be configured is the list, which identifies the traffic to be controlled. For IOS ACLs, the list is either a number or a name. There are also various types of ACLs, for example, standard lists that specify source information and extended lists that specify source and destination. Use the commands in these steps to configure the access lists.

a. Configure a numbered standard access list:

IOS

  (global) access-list access-list-number {deny | permit | remark}
      {source source-wildcard | host source | any}


The command creates a standard ACL. The number range for standard ACLs is 1 to 99 and 1300 to 1999. The parameter permit allows traffic, and deny drops traffic. The remark parameter enables you to insert remarks into the list that provide information about the list and why parameters are added. For the permit or deny option, the address/mask enables you to control traffic from specified source addresses. You can use the keyword any to specify all source addresses.

b. Configure a numbered extended access list:

IOS

  (global) access-list access-list-number {deny | permit | remark} protocol
      {source source-wildcard | host source | any} [operator port]
      {destination destination-wildcard | host destination | any} [operator port]


The command creates an extended ACL. The number range for extended ACLs is 100 to 199 and 2000 to 2699. The parameter permit allows traffic, and deny drops traffic. The remark parameter enables you to insert remarks into the list that provide information about the list and why parameters are added.

The protocol parameter specifies which type of protocol within IP you are looking to match. Examples include udp or tcp. The protocol ip in this field would specify all IP traffic. The address/mask pair specifies the source and destination of the sending and receiving devices for which you are trying to control traffic. You can use the keyword any to specify all source or destination addresses. The operator and port options enable you to specify protocol- and application-specific ports.

c. Configure a named standard access list:

IOS

  (global) ip access-list standard {name}
  (std-acl) {deny | permit} {source source-wildcard | host source | any}


For a named standard ACL, the command ip access-list standard name indicates that you want to enter a configuration mode for the list specified by the given name. The switch then enters a mode that enables you to enter the options one line at a time until you exit the ACL configuration mode.

The parameter permit allows traffic, and deny drops traffic. For the permit or deny option, the address/mask pair specifies which source address will be controlled. You can use the keyword any to specify all source addresses.

d. Configure a named extended access list:

IOS

  (global) ip access-list extended {name}
  (extd-acl) {deny | permit} protocol {source source-wildcard | host source | any}
      [operator port] {destination destination-wildcard | host destination | any}
      [operator port]


For a named extended ACL, the command ip access-list extended name indicates that you want to enter a configuration mode for the list specified by the given name. The switch then enters a mode that enables you to enter the options one line at a time until you exit the ACL configuration mode.

The parameter permit allows traffic, and deny drops traffic. The protocol parameter specifies which type of protocol within IP you are looking to match. Examples include udp and tcp. The protocol ip in this field would specify all IP traffic. The address/mask pair specifies the source and destination of the sending and receiving devices for which you are trying to control traffic. You can use the keyword any to specify all source or destination addresses. The operator and port options enable you to specify protocol- and application-specific ports.

2. Create a VLAN map.

If the list you have created is going to be mapped to a VLAN, you must configure a vlan access-map to specify an access map name and the action to be taken for a specific matched entry, as follows:

IOS

  (global) vlan access-map name [number]
  (vlan-map) match ip address {aclname | aclnumber}
  (vlan-map) action {drop | forward}


An access map is a list of map clauses that specify what action is to be taken for packets on the VLAN. When creating the access map, it is given a name, and subsequent clauses are given numbers. Each clause is checked in order to find a match for the packet, and then the action specified for the matching clause is taken. If no clause matches, the packet is dropped. To create an access map, use the vlan access-map command followed by a name. The number option is used for subsequent clauses in the access map.

After you have entered a map name, you are placed in access map configuration mode, where you specify an ACL name or number to identify the traffic to be acted upon for a clause. For ACLs that are included in this access map, a permit statement in the ACL is a match, and a deny is not a match for the given clause. After a match has been identified by an ACL, the action command specifies whether to drop or forward the traffic. If none of the clauses match a given frame, the frame is dropped.

3. Apply the access lists.

After you have created an access list, you need to apply the list to the switch. The list is applied differently depending on the platform. For the 6000 running IOS or the 3550, use option a to map the list to a VLAN. If you are configuring an access list on a 2950, use option b to apply the list to an interface.

a. Apply a VLAN map to a VLAN:

IOS

  (global) vlan filter mapname vlan-list list


To apply an access map to a VLAN for the IOS switches that support VACLs, use the vlan filter command. The mapname option specifies the name of the map created in Step 2. The vlan-list parameter is followed by a VLAN number or a list of VLAN numbers to which the ACL will be applied.

b. Apply an access list to an interface:

IOS

  (interface) ip access-group {access-list-number | name} in


For the 2950, ACLs are applied to the Layer 2 interface. For these ACLs, traffic is permitted or denied by the entries of the ACL itself and not by the clauses of a map statement. Use the ip access-group command followed by a number or ACL name to apply the list to an interface. The parameter in specifies the direction in which the ACL is applied to the interface; for Layer 2 ACLs, packets can be checked only as they enter the switch.

Verification

To verify configuration of IOS VACLs, use the following commands:

IOS

  show ip access-lists [number | name]
  show vlan access-map [mapname]
  show vlan filter [access-map name | vlan vlan-id]
  show ip interface type number


Feature Example

This example shows the configuration for VACL filtering. In the list configured on this switch, you want to meet the following conditions:

  • Permit all IP traffic from subnet 10.101.0.0 to host 10.101.1.1.

  • Permit ICMP echo request from all hosts.

  • Permit ICMP echo reply from all hosts.

  • Deny all other ICMP traffic.

  • Permit all TCP traffic.

  • Deny all UDP traffic not specified above.

  • Permit all other IP traffic.

You want to apply this list to VLAN 101 on the switch.

An example of the Catalyst OS configuration follows:

 Catalyst (enable)>set security acl ip watchlist permit ip 10.101.0.0 0.0.255.255 host 10.101.1.1
 Catalyst (enable)>set security acl ip watchlist permit icmp any any echo
 Catalyst (enable)>set security acl ip watchlist permit icmp any any echo-reply
 Catalyst (enable)>set security acl ip watchlist deny icmp any any
 Catalyst (enable)>set security acl ip watchlist permit tcp any any
 Catalyst (enable)>set security acl ip watchlist deny udp any any
 Catalyst (enable)>set security acl ip watchlist permit ip any any
 Catalyst (enable)>commit security acl watchlist
 Catalyst (enable)>set security acl map watchlist 101

An example of the Supervisor IOS configuration follows:

 Switch(config)#ip access-list extended ip_subnet2host
 Switch(config-ext-acl)#permit ip 10.101.0.0 0.0.255.255 host 10.101.1.1
 Switch(config-ext-acl)#exit
 Switch(config)#ip access-list extended ping
 Switch(config-ext-acl)#permit icmp any any echo
 Switch(config-ext-acl)#permit icmp any any echo-reply
 Switch(config-ext-acl)#exit
 Switch(config)#ip access-list extended ip_icmp
 Switch(config-ext-acl)#permit icmp any any
 Switch(config-ext-acl)#exit
 Switch(config)#ip access-list extended ip_tcp
 Switch(config-ext-acl)#permit tcp any any
 Switch(config-ext-acl)#exit
 Switch(config)#ip access-list extended ip_udp
 Switch(config-ext-acl)#permit udp any any
 Switch(config-ext-acl)#exit
 Switch(config)#vlan access-map watchlist 10
 Switch(config-access-map)#match ip address ip_subnet2host
 Switch(config-access-map)#action forward
 Switch(config-access-map)#vlan access-map watchlist 20
 Switch(config-access-map)#match ip address ping
 Switch(config-access-map)#action forward
 Switch(config-access-map)#vlan access-map watchlist 30
 Switch(config-access-map)#match ip address ip_icmp
 Switch(config-access-map)#action drop
 Switch(config-access-map)#vlan access-map watchlist 40
 Switch(config-access-map)#match ip address ip_tcp
 Switch(config-access-map)#action forward
 Switch(config-access-map)#vlan access-map watchlist 50
 Switch(config-access-map)#match ip address ip_udp
 Switch(config-access-map)#action drop
 Switch(config-access-map)#vlan access-map watchlist 60
 Switch(config-access-map)#action forward
 Switch(config-access-map)#exit
 Switch(config)#vlan filter watchlist vlan-list 101
 Switch(config)#end
 Switch#copy running-config startup-config
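The evaluation rules behind both of the examples above (clauses are tried top down, a permit entry in the referenced ACL is a match while a deny entry is not, and a packet that matches no clause is dropped) are easy to get wrong when reviewing a map. This added Python model is not from the book and not Cisco code; it replays the watchlist map against constructed packets. The ACL tables, the WATCHLIST clause list and the extra tcp_not_server list are assumptions built from the example above, with the CLI wildcard masks rewritten as prefix lengths.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    icmp_type: str = ""   # only meaningful when proto == "icmp"

ANY = "0.0.0.0/0"
# ACL entries as (permit?, protocol, source net, destination net, icmp type);
# 0.0.255.255 becomes /16 and "host" becomes /32. Names follow the book example.
ACLS = {
    "ip_subnet2host": [(True, "ip", "10.101.0.0/16", "10.101.1.1/32", None)],
    "ping": [(True, "icmp", ANY, ANY, "echo"), (True, "icmp", ANY, ANY, "echo-reply")],
    "ip_icmp": [(True, "icmp", ANY, ANY, None)],
    "ip_tcp": [(True, "tcp", ANY, ANY, None)],
    "ip_udp": [(True, "udp", ANY, ANY, None)],
    # Constructed ACL with an explicit deny, to show that a deny is "no match".
    "tcp_not_server": [(False, "tcp", ANY, "10.101.1.1/32", None),
                       (True, "tcp", ANY, ANY, None)],
}
# Map clauses in sequence order; None stands for a clause with no match statement.
WATCHLIST = [("ip_subnet2host", "forward"), ("ping", "forward"),
             ("ip_icmp", "drop"), ("ip_tcp", "forward"),
             ("ip_udp", "drop"), (None, "forward")]

def acl_matches(entries, pkt):
    """First ACL entry that fits the packet decides: a permit entry means the
    map clause matches, a deny entry means it does not (evaluation stops)."""
    for permit, proto, src, dst, itype in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if ip_address(pkt.src) not in ip_network(src):
            continue
        if ip_address(pkt.dst) not in ip_network(dst):
            continue
        if itype is not None and itype != pkt.icmp_type:
            continue
        return permit
    return False

def vlan_map_action(clauses, pkt):
    """Walk the map top down; a packet matching no clause is dropped (implicit deny)."""
    for acl_name, action in clauses:
        if acl_name is None or acl_matches(ACLS[acl_name], pkt):
            return action
    return "drop"
```

Note that UDP from 10.101.0.0/16 to the host 10.101.1.1 is forwarded by clause 10 even though clause 50 drops UDP, which is exactly the ordering effect to check for when adding clauses.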



Cisco Field Manual. Catalyst Switch Configuration
ISBN: 1587050439
Year: 2001
Pages: 150