Configuring VLAN security using access lists

Cisco multilayer switches support three types of ACLs:

  • Router access control lists (RACLs) – Supported in the ternary content addressable memory (TCAM) hardware on Cisco multilayer switches
  • Quality of service (QoS) access control lists – Supported in the TCAM hardware on Cisco multilayer switches
  • VLAN access control lists (VACLs) – Supported in software on Cisco multilayer switches

Catalyst switches support four ACL lookups per packet: input and output security ACL and input and output QoS ACL.

Catalyst switches use two methods of merging ACLs for programming into hardware: order independent and order dependent. With an order independent merge, ACLs are transformed from a series of order dependent actions into a set of order independent masks and patterns. The resulting set of access control entries can be very large, and the merge is processor- and memory-intensive.

Order dependent merge is a more recent improvement on some Catalyst switches, in which ACLs retain their order dependent semantics. The computation is much faster and less processor-intensive.

RACLs are supported in hardware through IP standard ACLs and IP extended ACLs, with permit and deny actions. ACL processing is an intrinsic part of the packet-forwarding process. ACL entries are programmed in hardware. Lookups occur in the pipeline whether ACLs are configured or not. With RACLs, access list statistics and logging are not supported.

VACLs (also called VLAN access maps in IOS software) apply to all traffic on the VLAN, bridged as well as routed. They filter IP traffic and, for non-IP traffic, filter based on Ethertype and MAC address.

VACLs follow route-map conventions, where map sequences are checked in order.

When a matching permit access control entry (ACE) is encountered, the switch takes the action configured for that map sequence. When a matching deny ACE is encountered, the switch moves on to the next ACL in that sequence or, if there is none, to the next sequence.

Three VACL actions are supported:

  • Permit (with capture, Catalyst 6500 only)
  • Redirect (Catalyst 6500 only)
  • Deny (with logging, Catalyst 6500 only)

The VACL capture option copies traffic to specified capture ports. VACL ACEs installed in hardware are merged with RACLs and other features.

Two features are supported only on the Catalyst 6500:

  • VACL capture – Forwarded packets are copied to capture ports. The capture option is available only on permit ACEs. The capture port can be an IDS monitor port or any Ethernet port. For Layer 3-switched traffic, the capture port must be in an output VLAN.
  • VACL redirect – Matching packets are redirected to specified ports. You can configure up to five redirect ports. Redirect ports must be in a VLAN where VACL is applied.

To configure VACLs, complete these steps.
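The following configuration is an added example for this section and is not taken from the course text or the labs. It walks through the VACL sequence semantics described above (an ACL permit means "this sequence matches", an ACL deny means "fall through"), the three actions, and the Catalyst 6500-only capture port. The map name, ACL names, VLAN 10, the 10.10.10.0/24 addresses and the interface numbers are all assumptions chosen for illustration; the commands themselves are standard IOS VLAN access-map syntax.

```cisco
! Added example, not part of the course text. Hostnames, VLAN number,
! addresses and interface numbers are assumptions for illustration.
!
! Step 1: define the traffic each map sequence should act on.
! In a VACL the ACL never forwards or drops anything itself:
!   permit = "this packet matches this sequence, apply its action"
!   deny   = "no match here, evaluate the next ACL or sequence"
ip access-list extended QUARANTINE_HOST
 permit ip host 10.10.10.50 any
!
ip access-list extended SERVER_TRAFFIC
 permit ip any host 10.10.10.100
!
! Step 2: build the access map. Sequences are evaluated in order, like a
! route-map; the first sequence whose match clause hits decides the action.
!
! Sequence 10: drop everything from the quarantined host.
! The "log" keyword is Catalyst 6500 only; omit it on other platforms.
vlan access-map VLAN10_POLICY 10
 match ip address QUARANTINE_HOST
 action drop log
!
! Sequence 20: forward traffic to the server, but copy it to the capture
! port so an IDS sensor sees it. "capture" is Catalyst 6500 only.
vlan access-map VLAN10_POLICY 20
 match ip address SERVER_TRAFFIC
 action forward capture
!
! Sequence 30: explicit catch-all with no match clause. Without it, IP
! packets that match none of the earlier sequences are dropped, because a
! map with at least one IP match clause drops unmatched IP traffic by default.
vlan access-map VLAN10_POLICY 30
 action forward
!
! Step 3 (Catalyst 6500 only): designate the capture destination port and
! restrict it to copies from VLAN 10. An IDS monitor port is assumed here.
interface GigabitEthernet3/1
 description IDS monitor port (assumed)
 switchport
 switchport capture
 switchport capture allowed vlan 10
!
! Step 4: apply the map. It filters all traffic in VLAN 10, bridged and
! routed, in both directions; unlike a RACL it has no in/out direction.
vlan filter VLAN10_POLICY vlan-list 10
!
! Verification:
!   show vlan access-map VLAN10_POLICY
!   show vlan filter access-map VLAN10_POLICY
```

Two points worth checking when testing a map like this: first, the catch-all forward sequence, since an operator who forgets it typically discovers the default-drop behaviour as a VLAN-wide outage rather than a filter; second, that the quarantine sequence sits before the server sequence, because an earlier matching sequence ends evaluation and a packet from the quarantined host to the server is meant to be dropped, not captured. On a Catalyst 6500 the redirect action takes the same place in a sequence (`action redirect interface ...`) and sends matched packets to up to five ports that must belong to the filtered VLAN.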

Lab Activity

Lab Exercise 1: Catalyst 2950 and 3550 Series Intra-VLAN Security

Configure intra-VLAN security with Access Control Lists (ACLs) using the command-line interface (CLI) mode.

Lab Activity

Lab Exercise 2: Configuring VLAN Maps

In this lab, students will configure VLAN Access Control Lists (ACLs) for IP addresses in a common VLAN.