VLAN Access Control Lists Operation
Imagine the advantages of having the ACL lookup performed at the same time as the L2 or L3 switching lookup, and imagine that the ACL is not a software list but one that has been committed to hardware, and that this entire process occurs at wire speed. Seems too good to be true? Well, the fact is that all this is possible with the latest generation of L2 and L3 switching engines. The Catalyst 6000 series of switches has a switching engine known as the Policy Feature Card (PFC), which can be purchased as an option when you select the supervisor engine. The PFC contains specialized Application Specific Integrated Circuits (ASICs) that have a direct connection to the switching bus or fabric of the switch. These ASICs are responsible for Layer 2, Layer 3, and security/QoS control within the switch. Each ASIC performs its function simultaneously with the others and reports its result internally as control information (such as forward or drop) that accompanies the frame to the intended forwarding port. From a security perspective, the result is wire-speed ACLs on the switch.
Beyond the fact that the ACLs are checked in hardware, it is also important to note that the security function does not require interaction with any type of route processor. This means that a switch with only a PFC can enforce a security policy without having to send packets to the distribution device. You have therefore eliminated not only the cost issue but also the wasted bandwidth. (You just have to convince accounting to let you replace your old L2 switch with a Catalyst 6000 plus PFC.) In any event, these ACLs can vastly improve the design and performance of a switched network.
These ACLs are stored in a ternary content-addressable memory (TCAM) table in hardware and applied to VLANs on the Catalyst 6000 series products. They are referred to as VLAN access control lists (VACLs) and work much like the extended ACLs on a router. That is, they have the following characteristics:
VACLs are a list of permit or deny statements.
VACL statements are processed from the top down until a match is made.
Every VACL has an implicit deny at the end of the list.
Only one VACL can be mapped to a VLAN.
IP VACLs can specify both source and destination addresses and ports.
Other features also make VACLs unlike extended access lists:
VACLs are not applied to an individual port but to a VLAN; therefore, they apply to all ports in the VLAN.
These lists are not applied in a direction (in or out); the packets are checked as they cross the bus.
Because VACLs check all packets traveling through the VLAN, they can filter traffic flowing between devices in the same VLAN (i.e., the same subnet).
VACLs can be edited without affecting traffic flow.
Entries can be added anywhere in the list (not just at the end), and individual entries can be modified.
The changes can be reviewed and modified before they are applied to the switch.
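As an added illustration of the semantics listed above (this is not code from the page or from Cisco), the following Python simulator applies first-match, implicit-deny, direction-less VACL evaluation to a constructed VLAN 10 policy. The Entry and Packet types, the addresses, and the policy entries are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# One VACL statement. Protocol "ip" matches any protocol, prefix "any"
# matches every address, dport None matches every destination port.
@dataclass(frozen=True)
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp", "udp" or "icmp"
    src: str                      # CIDR prefix or "any"
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def _in_prefix(addr: str, prefix: str) -> bool:
    return prefix == "any" or ip_address(addr) in ip_network(prefix, strict=False)

def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    return _in_prefix(p.src, e.src) and _in_prefix(p.dst, e.dst)

def vacl_lookup(vacl: list, p: Packet) -> tuple:
    """Top-down, first match wins; falling off the end is the implicit deny
    (index None). No port or direction argument: every packet crossing the
    VLAN is checked the same way, including host-to-host on one subnet."""
    for i, e in enumerate(vacl):
        if entry_matches(e, p):
            return e.action, i
    return "deny", None

# Constructed policy for VLAN 10 (10.1.10.0/24): hosts reach the server
# 10.1.10.100 on TCP 443 and it answers; other host-to-host traffic inside
# the subnet is denied explicitly; traffic leaving the subnet is permitted.
# Inbound off-subnet packets match nothing and hit the implicit deny.
VLAN10_VACL = [
    Entry("permit", "tcp", "10.1.10.0/24",   "10.1.10.100/32", 443),
    Entry("permit", "tcp", "10.1.10.100/32", "10.1.10.0/24"),
    Entry("deny",   "ip",  "10.1.10.0/24",   "10.1.10.0/24"),
    Entry("permit", "ip",  "10.1.10.0/24",   "any"),
]
```

The last case is the one to check before mapping a VACL to a production VLAN: anything not enumerated, including return traffic from outside the subnet, is dropped by the implicit deny.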