Configuring VLAN ACLs


This chapter describes how to configure VLAN access lists (ACLs) on NX-OS devices.

This chapter includes the following sections:

Information About VLAN ACLs

Licensing Requirements for VACLs

Prerequisites for VACLs

Guidelines and Limitations

Configuring VACLs

Field Descriptions for VACLs

Additional References

Feature History for VLAN ACLs

Information About VLAN ACLs

A VLAN ACL (VACL) is one application of a MAC ACL or IP ACL. You can configure VACLs to apply to all packets that are routed into or out of a VLAN or are bridged within a VLAN. VACLs are strictly for security packet filtering and for redirecting traffic to specific physical interfaces. VACLs are not defined by direction (ingress or egress).

For more information about the types and applications of ACLs, see the "Information About ACLs" section on page 7-1.

This section includes the following topics:

Access Maps and Entries

Actions

Virtualization Support

Access Maps and Entries

VACLs use access maps to contain an ordered list of one or more map entries. Each map entry associates IP or MAC ACLs to an action. Each entry has a sequence number, which allows you to control the precedence of entries.

When the device applies a VACL to a packet, it applies the action that is configured in the first access map entry that contains an ACL that permits the packet.

Actions

Each VLAN access map entry can specify one of the following actions:

Forward—Sends the traffic to the destination determined by normal operation of the switch.

Redirect—Redirects the traffic to one or more specified interfaces.

Drop—Drops the traffic. If you specify drop as the action, you can also specify that the device logs the dropped packets.
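The following Python model is an added illustration, not DCNM or NX-OS code, of the evaluation rule described above: entries are tried in sequence order, the first entry whose ACL permits the packet decides the action, and a deny inside an entry's ACL only skips that entry rather than dropping the packet. The subnets, the server address and the Ethernet1/1 redirect port are constructed sample values, and the outcome when no entry permits is reported as "no-match" because this chapter does not define it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of VACL access-map evaluation; not DCNM or NX-OS code.
@dataclass
class AclRule:
    permit: bool
    src: str  # source prefix, e.g. "10.1.1.0/24"
    dst: str  # destination prefix
@dataclass
class MapEntry:
    seq: int
    acl: list          # ordered AclRule list, with the ACL's implicit deny at the end
    action: str        # "forward", "drop" or "redirect"
    log: bool = False  # "Log this entry"; only meaningful with "drop"
    redirect_ifaces: tuple = ()
def acl_permits(rules, src_ip, dst_ip):
    """True only if the first rule matching the packet is a permit."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst):
            return r.permit
    return False  # no rule matched: implicit deny
def evaluate_vacl(entries, src_ip, dst_ip):
    """Return (seq, action, detail) from the lowest-sequence entry whose ACL
    permits the packet. A deny inside an entry's ACL does not drop the packet;
    it only skips that entry. The chapter does not say what happens when no
    entry permits, so that case is reported as "no-match" rather than assumed."""
    for e in sorted(entries, key=lambda e: e.seq):
        if acl_permits(e.acl, src_ip, dst_ip):
            detail = e.redirect_ifaces if e.action == "redirect" else e.log
            return e.seq, e.action, detail
    return None, "no-match", None
def move_down(entries, seq):
    """Model of Actions > Move Down: the entry trades sequence numbers with the
    entry directly below it, which changes its precedence."""
    ordered = sorted(entries, key=lambda e: e.seq)
    for i, e in enumerate(ordered[:-1]):
        if e.seq == seq:
            e.seq, ordered[i + 1].seq = ordered[i + 1].seq, e.seq
            return
    raise ValueError("no entry below sequence %d" % seq)

# Constructed VACL: drop and log one subnet's traffic to a server, redirect 198.51.100.0/24 to a monitoring port, forward the rest.
VACL = [
    MapEntry(10, [AclRule(True, "10.1.1.0/24", "192.0.2.10/32")], "drop", log=True),
    MapEntry(20, [AclRule(True, "0.0.0.0/0", "198.51.100.0/24")], "redirect",
             redirect_ifaces=("Ethernet1/1",)),
    MapEntry(30, [AclRule(True, "0.0.0.0/0", "0.0.0.0/0")], "forward"),
]
```

Removing the catch-all entry at sequence 30 shows why a VACL usually ends with one: traffic that no entry permits is otherwise left to whatever the device's no-match behaviour is.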

Virtualization Support

The following information applies to VACLs used in Virtual Device Contexts (VDCs):

ACLs are unique per VDC. You cannot use an ACL that you created in one VDC in a different VDC.

Because ACLs are not shared by VDCs, you can reuse ACL names in different VDCs.

The device does not limit ACLs or rules on a per-VDC basis.

Licensing Requirements for VACLs

The following table shows the licensing requirements for this feature:

Product
License Requirement

DCNM

VACLs require no license. Any feature not included in a license package is bundled with the Cisco DCNM and is provided at no charge to you. For a complete explanation of the DCNM licensing scheme, see the Cisco DCNM Fundamentals Configuration Guide, Release 4.1.

NX-OS

VACLs require no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For a complete explanation of the NX-OS licensing scheme, see the Cisco Nexus 7000 Series NX-OS Licensing Guide, Release 4.1.


Prerequisites for VACLs

VACLs have the following prerequisites:

You must be familiar with VLANs to configure VACLs.

You must be familiar with the concepts in the "Information About ACLs" section on page 7-1.

Guidelines and Limitations

VACLs have the following configuration guidelines and limitations:

ACL statistics are not supported if the DHCP snooping feature is enabled.

See the "Information About ACLs" section on page 7-1 for more information about ACLs.

Configuring VACLs

Figure 9-1 shows the VLAN ACL content pane.

Figure 9-1 VLAN ACL Content Pane

This section includes the following topics:

Adding a VACL

Changing a VACL

Removing a VACL or a VACL Entry

Applying a VACL to a VLAN

Adding a VACL

You can create or change a VACL. Creating a VACL includes creating an access map that associates an IP or MAC ACL with an action to be applied to the matching traffic.

BEFORE YOU BEGIN

Ensure that the IP ACL or MAC ACL that you want to use in the VACL exists and is configured to filter traffic in the manner that you need for this application. For more information about configuring IP ACLs, see the "Configuring IP ACLs" section on page 7-1. For more information about configuring MAC ACLs, see the "Configuring MAC ACLs" section on page 8-1.

DETAILED STEPS

To add a VACL, follow these steps:


Step 1 From the Feature Selector pane, choose Security > Access Control > VLAN ACL.

The Summary pane displays available devices.

Step 2 From the Summary pane, double-click the device to which you want to add a VACL.

Step 3 From the menu bar, choose File > New > VLAN Access Map.

Below the device that you selected, a new row appears in the Summary pane.

Step 4 In the new row, enter a name for the VACL.

The VACL remains selected in the Summary pane.

Step 5 For each VLAN access map entry that you want to create, follow these steps:

a. From the menu bar, choose File > New > VLAN Access Map Entry.

Below the VACL, a new row appears in the Summary pane.

b. From the Details pane, click the Details tab and expand the Match Condition And Action section, if necessary.

c. From the Match ACL Type drop-down list, select the type of ACL that you want to use in the VACL. You can choose IPv4 ACL, IPv6 ACL, or MAC ACL.

The ACLs drop-down list contains ACLs that are the type you selected and that exist on the currently selected device.

d. From the ACLs drop-down list, select the ACL that you want to use.

e. From the Action drop-down list, select the action that the device should take upon traffic matching the VACL.

Step 6 From the menu bar, choose File > Save to apply your changes to the device.


Changing a VACL

You can change a VACL.

DETAILED STEPS

To change a VACL, follow these steps:


Step 1 From the Feature Selector pane, choose Security > Access Control > VLAN ACL.

The Summary pane displays available devices.

Step 2 From the Summary pane, double-click the device that contains the VACL and then click the VACL.

Step 3 (Optional) To add a VLAN access map entry, from the menu bar, choose File > New > VLAN Access Map Entry.

Below the VACL, the new VLAN access map entry appears in the Summary pane.

Step 4 (Optional) To change a new or existing VLAN access map entry, follow these steps:

a. Click the VLAN access map entry that you want to change.

b. From the Details pane, click the Details tab and expand the Match Condition And Action section, if necessary.

c. From the Match ACL Type drop-down list, select the type of ACL that you want to use in the VACL. You can choose IPv4 ACL, IPv6 ACL, or MAC ACL.

The ACLs drop-down list contains ACLs that are the type you selected and that exist on the currently selected device.

d. From the ACLs drop-down list, select the ACL that you want to use.

e. From the Action drop-down list, select the action that the device should take upon traffic matching the VACL.

Step 5 (Optional) If you want to move a VLAN access map entry to a different position in the VACL, click the entry in the Summary pane and then from the menu bar, choose one of the following, as applicable:

Actions > Move Up

Actions > Move Down

The entry swaps places and sequence numbers with the entry above it or below it, as you chose.

Step 6 (Optional) To remove a VLAN access map entry, click the VLAN access map entry and then choose Actions > Delete.

Step 7 From the menu bar, choose File > Save to apply your changes to the device.


Removing a VACL or a VACL Entry

You can remove a VACL, which means that you will delete the VLAN access map.

You can also remove a single VLAN access-map entry from a VACL.

BEFORE YOU BEGIN

Ensure that you know whether the VACL is applied to a VLAN. The device allows you to remove VACLs that are currently applied. Removing a VACL does not affect the configuration of VLANs where you have applied the VACL. Instead, the device considers the removed VACL to be empty.

DETAILED STEPS

To remove a VACL or a VACL entry, follow these steps:


Step 1 From the Feature Selector pane, choose Security > Access Control > VLAN ACL.

Available devices appear in the Summary pane.

Step 2 From the Summary pane, double-click the device from which you want to remove a VACL.

The VACLs on the device appear in the Summary pane.

Step 3 (Optional) If you want to delete a VACL, follow these steps:

a. Click the VACL that you want to remove.

b. From the menu bar, choose VLAN ACL > Delete.

The VACL disappears from the Summary pane.

Step 4 (Optional) If you want to delete a VLAN access map entry, follow these steps:

a. Double-click the VACL that contains the entry that you want to delete.

The VLAN access-map entries appear below the VACL.

b. Click the VLAN access-map entry that you want to delete.

c. From the menu bar, choose Actions > Delete.

Step 5 From the menu bar, choose File > Save to apply your changes to the device.


Applying a VACL to a VLAN

You can apply a VACL to a VLAN.

BEFORE YOU BEGIN

If you are applying a VACL, ensure that the VACL exists and is configured to filter traffic in the manner that you need for this application. For more information about creating VACLs, see the "Adding a VACL" section.

If you are unapplying a VACL, ensure that you are unapplying the correct VACL and that you understand how the VACL is currently applied.

DETAILED STEPS

To apply a VACL to a VLAN, follow these steps:


Step 1 From the Feature Selector pane, choose Switching > VLAN.

Available devices appear in the Summary pane.

Step 2 From the Summary pane, double-click the applicable device.

VLANs on the device that you double-clicked appear in the Summary pane.

Step 3 Click the VLAN to which you want to apply a VACL.

Step 4 From the Details pane, click the VLAN Details tab and expand the Advanced Settings section, if necessary.

The VACL drop-down list appears in the Advanced Settings section.

Step 5 From the VACL drop-down list, choose the VACL that you want to apply.

Step 6 From the menu bar, choose File > Save to apply your changes to the device.


Field Descriptions for VACLs

This section includes the following topics:

VLAN Access Map Entry: Details Tab

VLAN Access Map Entry: Details: Match Condition And Action Section

VLAN Access Map Entry: Details Tab

Table 9-1 VLAN Access Map Entry: Details Tab 

Field
Description

Sequence Number

Display only. Sequence number assigned to the rule.


VLAN Access Map Entry: Details: Match Condition And Action Section

Table 9-2 VLAN Access Map Entry: Details: Match Condition And Action Section 

Field
Description

Match ACL Type

Type of ACL that the VLAN access map entry uses to filter traffic. Valid values are as follows:

IPv4 ACL—This is the default value

IPv6 ACL

MAC ACL

ACLs

Name of the ACL that the VLAN access map uses to filter traffic. By default, this list is blank.

Action

Action taken by the device when a packet is permitted by the VLAN access map entry. Valid values are as follows:

Drop—Stop processing the packet and drop it.

Forward—Continue processing the packet without modifying the destination. This is the default value.

Redirect—Continue processing the packet but send it to the interfaces that you choose from the Redirect Interfaces drop-down list.

Log this entry

Whether the device logs packets permitted by the VLAN access map entry. This check box appears only when you choose Drop from the Action drop-down list. By default, this check box is unchecked.

Redirect Interfaces

Interfaces to which the device forwards packets permitted by the VLAN access map entry. This list appears only when you choose Redirect from the Action drop-down list. By default, this list is blank.


Additional References

For additional information related to implementing IP ACLs, see the following sections:

Related Documents

Standards

Related Documents

Related Topic
Document Title

Concepts about ACLs

Information About ACLs, page 7-1


Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


Feature History for VLAN ACLs

Table 9-3 lists the release history for this feature.

Table 9-3 Feature History for VLAN ACLs 

Feature Name
Releases
Feature Information

VLAN access maps

4.1(2)

Support was added for multiple entries in VLAN access maps. In addition, each entry supports multiple ACLs.