
VLAN Access Control Lists

Article Description

The latest generation of Cisco switching engines open up security and QoS, presenting new concepts for the campus network. Learn the steps to be taken to change with the times.

Configuring VACLs

All in all, VACLs offer all the advantages of extended ACLs on a router with none of the penalties. To get a better understanding of VACLs and VACL configuration, take a look at the following scenario:

Company ILB has determined that the new security policy for all access devices is to be implemented at the access level using Catalyst 6006s with PFCs in the wiring closets. The new policy dictates that access devices in the closet should only be able to ping the router and not communicate directly with the router using IP packets in any other way (for example, Telnet or TFTP). Also, no user should be able to communicate directly with any other user in the subnet. Furthermore, management has decided that no device should be allowed to issue an ICMP echo request to any other device in any network.

To implement this policy, a VACL named accesspolicy has been created as a test policy for VLAN 101. The router for VLAN 1 is 172.16.101.1 and the subnet is 172.16.101.0/24. The following set of commands defines this policy:

Cat6K (enable) set security acl ip accesspolicy permit icmp any host 172.16.101.1
accesspolicy editbuffer modified. Use 'commit' command to apply changes.
Cat6K (enable) set security acl ip accesspolicy deny ip 172.16.101.0 0.0.0.255 172.16.1.0 0.0.0.255
accesspolicy editbuffer modified. Use 'commit' command to apply changes.
Cat6K (enable) set security acl ip accesspolicy deny icmp any any echo
accesspolicy editbuffer modified. Use 'commit' command to apply changes.
Cat6K (enable) set security acl ip accesspolicy permit ip any any
accesspolicy editbuffer modified. Use 'commit' command to apply changes.

Showing the security ACL information at this point confirms that no ACLs have been defined yet:

Cat6K (enable) show sec acl info all
No ACLs have been defined yet.

Currently, the list exists only in what is known as the editbuffer, a portion of volatile memory in the switch. The changes in the editbuffer must be committed to the VACL ASIC with the commit command, but before doing so, it is worth reviewing the contents of the editbuffer with the following commands:

Cat6K (enable) show sec acl editbuffer info all
ACL                Type Status
-------------------------------- ---- -------------------
accesspolicy                      IP   Not Committed

Cat6K (enable) show security acl info accesspolicy editbuffer
set security acl ip accesspolicy
---------------------------------------------------
1. permit icmp any host 172.16.101.1 
2. deny ip 172.16.101.0 0.0.0.255 172.16.1.0 0.0.0.255 
3. deny icmp any any echo 
4. permit ip any any 
ACL accesspolicy Status: Not Committed
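Because the editbuffer is applied in order with first-match semantics and an implicit deny at the end, it is useful to check exactly which flows the four rules above permit or deny before committing. The following is an added example (not from the article or from Cisco) that evaluates constructed sample flows against the accesspolicy rules using Cisco wildcard-mask matching; the packet values are made up for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed example: first-match evaluation of the accesspolicy rules above,
# using Cisco wildcard-mask semantics (a 1 bit in the mask means "don't care").

def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    care = 0xFFFFFFFF ^ _ip(wildcard)           # bits that must match exactly
    return (_ip(addr) & care) == (_ip(base) & care)

@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol; else e.g. "icmp"
    src: Tuple[str, str]             # (base, wildcard)
    dst: Tuple[str, str]
    icmp_type: Optional[str] = None  # e.g. "echo"; None means any ICMP type

ANY = ("0.0.0.0", "255.255.255.255")
def host(addr: str) -> Tuple[str, str]:
    return (addr, "0.0.0.0")

# The editbuffer contents of accesspolicy, in the order shown by the switch
ACCESSPOLICY = [
    Rule("permit", "icmp", ANY, host("172.16.101.1")),
    Rule("deny", "ip", ("172.16.101.0", "0.0.0.255"), ("172.16.1.0", "0.0.0.255")),
    Rule("deny", "icmp", ANY, ANY, icmp_type="echo"),
    Rule("permit", "ip", ANY, ANY),
]

def evaluate(rules, src, dst, proto, icmp_type=None):
    """Return (action, rule number) of the first matching rule, or ("deny", 0)
    when nothing matches, reflecting the implicit deny at the end of a VACL."""
    for n, r in enumerate(rules, start=1):
        if r.proto != "ip" and r.proto != proto:
            continue
        if r.icmp_type is not None and r.icmp_type != icmp_type:
            continue
        if wildcard_match(src, *r.src) and wildcard_match(dst, *r.dst):
            return r.action, n
    return "deny", 0

if __name__ == "__main__":
    # Constructed sample flows from an access device on VLAN 101
    print(evaluate(ACCESSPOLICY, "172.16.101.7", "172.16.101.1", "icmp", "echo"))
    print(evaluate(ACCESSPOLICY, "172.16.101.7", "172.16.101.1", "tcp"))
```

Running the second sample shows that a TCP session to 172.16.101.1 falls through to rule 4 and is permitted, which is the kind of gap between written policy and rule list this check is meant to surface before the commit.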

Now that we are satisfied with the VACL, it needs to be committed to the TCAM:

Cat6K (enable) commit security acl accesspolicy
ACL commit in progress.

ACL 'accesspolicy' successfully committed.

Finally, the policy needs to be mapped to the VLAN for which it will be applied:

Cat6K (enable) set security acl map accesspolicy 101
Mapping in progress.

ACL accesspolicy successfully mapped to VLAN 101.

To verify the list or the mappings, use the following show commands:

Cat6K (enable) show security acl info accesspolicy
set security acl ip accesspolicy
---------------------------------------------------
1. permit icmp any host 172.16.101.1 
2. deny ip 172.16.101.0 0.0.0.255 172.16.1.0 0.0.0.255 
3. deny icmp any any echo 
4. permit ip any any 

Cat6K (enable) show security acl 
ACL                Type VLANS
-------------------------------- ---- -----
accesspolicy                      IP   101

or

Cat6K (enable) show security acl map accesspolicy
ACL accesspolicy is mapped to VLANs: 
101