Chapter 13
Configuring VLAN ACLs
This chapter describes how to configure VLAN access lists (ACLs) on NX-OS devices. This chapter includes the following sections:
• Information About VLAN ACLs, page 13-1
• Licensing Requirements for VACLs, page 13-3
• Prerequisites for VACLs, page 13-3
• Guidelines and Limitations, page 13-3
• Configuring VACLs, page 13-3
• Verifying VACL Configuration, page 13-8
• Displaying and Clearing VACL Statistics, page 13-9
• Example Configuration for VACL, page 13-9
• Default Settings, page 13-9
• Additional References, page 13-9
• Feature History for VLAN ACLs, page 13-10
Information About VLAN ACLs
A VLAN ACL (VACL) is one application of a MAC ACL or IP ACL. You can configure VACLs to apply to all packets that are routed into or out of a VLAN or are bridged within a VLAN. VACLs are strictly for security packet filtering and for redirecting traffic to specific physical interfaces. VACLs are not defined by direction (ingress or egress). For more information about the types and applications of ACLs, see the “Information About ACLs” section on page 11-1. This section includes the following topics:
• Access Maps and Entries, page 13-2
• Actions, page 13-2
• Statistics, page 13-2
• Session Manager Support, page 13-2
• Virtualization Support, page 13-2
Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 4.1 OL-18345-01
Access Maps and Entries
VACLs use access maps to contain an ordered list of one or more map entries. Each map entry associates IP or MAC ACLs to an action. Each entry has a sequence number, which allows you to control the precedence of entries. When the device applies a VACL to a packet, it applies the action that is configured in the first access map entry that contains an ACL that permits the packet.
Actions
Each VLAN access map entry can specify one of the following actions:
• Forward—Sends the traffic to the destination determined by normal operation of the switch.
• Redirect—Redirects the traffic to one or more specified interfaces.
• Drop—Drops the traffic. If you specify drop as the action, you can also specify that the device logs the dropped packets.
In access map configuration mode, you use the action command to specify the action for a map entry.
Statistics
The device can maintain global statistics for each rule in a VACL. If a VACL is applied to multiple VLANs, the maintained rule statistics are the sum of packet matches (hits) on all the interfaces on which that VACL is applied.
The device does not support interface-level VACL statistics. For each VLAN access map that you configure, you can specify whether the device maintains statistics for that VACL. This feature allows you to turn VACL statistics on or off as needed to monitor traffic filtered by a VACL or to help troubleshoot VLAN access-map configuration. For information about displaying VACL statistics, see the “Displaying and Clearing VACL Statistics” section on page 13-9.
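The access-map semantics described above (the first entry whose ACL permits the packet supplies the action, drop with logging, per-entry statistics) put together as an added configuration example; it is not part of this guide, and the ACL and map names, VLAN 10, and the 192.0.2.0/24 source subnet are assumptions.

```cisco
! Added example (not from the guide). Names, VLAN 10 and addresses are assumed.
! In a VACL the ACL only SELECTS traffic: a "permit" line means "this entry
! matches", and the entry's action decides what happens. A "deny" line in the
! ACL drops nothing; it only keeps the entry from matching.
ip access-list VACL-MATCH-CLEARTEXT-MGMT
  10 permit tcp 192.0.2.0/24 any eq 23
  20 permit tcp 192.0.2.0/24 any eq 21
! Catch-all ACL so the handling of everything else is stated explicitly.
ip access-list VACL-MATCH-ANY
  10 permit ip any any

! Entry 10 (lowest sequence number, checked first): drop and log the
! selected traffic; keep hit counters, which are global, not per interface.
vlan access-map VACL-VLAN10 10
  match ip address VACL-MATCH-CLEARTEXT-MGMT
  action drop log
  statistics per-entry
! Entry 20: forward whatever entry 10 did not match.
vlan access-map VACL-VLAN10 20
  match ip address VACL-MATCH-ANY
  action forward
  statistics per-entry

! Apply the map to VLAN 10. The VACL is not directional: it applies to
! traffic bridged within the VLAN and routed into or out of it.
vlan filter VACL-VLAN10 vlan-list 10

! Verification
show vlan access-map
show vlan filter
```

Because the drop entry comes first, swapping the sequence numbers would make the catch-all forward entry match every packet and silently disable the drop; the per-entry counters on entry 10 are the quickest check that the map is ordered as intended.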
Session Manager Support
Session Manager supports the configuration of VACLs. This feature allows you to verify ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration. For more information about Session Manager, see the Cisco Nexus 7000 Series NX-OS System Management Configuration Guide, Release 4.1.
Virtualization Support
The following information applies to VACLs used in Virtual Device Contexts (VDCs):
ACLs are unique per VDC. You cannot use an ACL that you created in one VDC in a different VDC. Because ACLs are not shared by VDCs, you can reuse ACL names in different VDCs.