Friday 10 May 2013

Cisco IOS Switch Security - Part I - PACL and VACL

Port ACLs (PACLs) and VLAN ACLs (VACLs)

Access control lists (ACLs) provide the ability to filter ingress and egress traffic based on conditions specified in the ACL.
  • Cisco IOS ACLs are applied to Layer 3 interfaces. They filter traffic routed between VLANs.
  • VACLs control access to the VLAN of all packets (bridged and routed). Packets can either enter the VLAN through a Layer 2 port or through a Layer 3 port after being routed. You can also use VACLs to filter traffic between devices in the same VLAN.
  • Port ACLs perform access control on all traffic entering the specified Layer 2 port.
PACLs and VACLs can provide access control based on the Layer 3 addresses (for IP protocols) or Layer 2 MAC addresses (for non-IP protocols).
You can apply only one IP access list and one MAC access list to a Layer 2 interface (per direction, on platforms that support egress PACLs).

  • Port ACL
The port ACL (PACL) feature provides the ability to perform access control on specific Layer 2 ports.
A Layer 2 port is a physical LAN or trunk port that belongs to a VLAN. Port ACLs are applied only to ingress traffic. The port ACL feature is supported only in hardware (port ACLs are not applied to any packets routed in software).
When you create a port ACL, an entry is created in the ACL TCAM. You can use the show tcam counts command to see how much TCAM space is available.
The PACL feature does not affect Layer 2 control packets received on the port.
You can use the access-group mode command to change the way that PACLs interact with other ACLs.
PACLs use the following modes:
  • Prefer port mode — If a PACL is configured on a Layer 2 interface, the PACL takes effect and overrides the effect of the other ACLs (VACL and Cisco IOS ACL) for that port.
  • Merge mode — In this mode, the PACL, VACL, and Cisco IOS ACLs are merged in the ingress direction, so a packet must be permitted by all of them.
  • VLAN ACL
VLAN ACLs (VACLs) can provide access control for all packets that are bridged within a VLAN or that are routed into or out of a VLAN or a WAN interface for VACL capture. Unlike Cisco IOS ACLs, which are applied to routed packets only, VACLs apply to all packets and can be applied to any VLAN or WAN interface. VACLs are processed in the ACL TCAM hardware. VACLs ignore any Cisco IOS ACL fields that are not supported in hardware. You can configure VACLs for IP and MAC-layer traffic. VACLs applied to WAN interfaces support only IP traffic for VACL capture.
If a VACL is configured for a packet type, and a packet of that type does not match the VACL, the default action is to deny the packet.

Consider the following guidelines when configuring PACLs:

  • There can be at most one IP access list and one MAC access list applied to the same Layer 2 interface per direction.
  • PACLs are not applied to IPv6, MPLS, or ARP messages. In practice this means an IPv4 PACL does nothing to stop IPv6 traffic from the same host; filter IPv6 separately if the platform supports it.
  • An IP access list filters only IPv4 packets. For IP access lists, you can define a standard, extended, or named access list.
  • A MAC access list filters ingress packets that are of an unsupported type (not IP, IPv6, ARP, or MPLS packets) based on the fields of the Ethernet frame. You can define only named MAC access lists.
  • The number of ACLs and ACEs that can be configured as part of a PACL is bounded by the hardware resources on the switch. Those hardware resources are shared by the various ACL features (such as VACLs) that are configured on the system. If there are insufficient hardware resources to program a PACL in hardware, the PACL is not applied, so check the TCAM after applying one.
  • PACLs do not support the access-list log and reflect/evaluate keywords. These keywords are ignored if you add them to the access list used for a PACL.
  • The access group mode can change the way PACLs interact with other ACLs. To maintain consistent behavior across Cisco platforms, use the default access group mode (merge mode).
Example:

Switch(config)#ip access-list extended simple-ip-acl
Switch(config-ext-nacl)#permit tcp any any
Switch(config-ext-nacl)#exit
! only TCP is permitted; every other IPv4 packet hits the implicit deny
Switch(config)#mac access-list extended simple-mac-acl
Switch(config-ext-macl)#permit host 0000.0000.0011 any
Switch(config-ext-macl)#exit
! MAC addresses use the dotted hexadecimal xxxx.xxxx.xxxx form

Switch(config)#interface gigabitEthernet 0/1
Switch(config-if)#ip access-group simple-ip-acl in
Switch(config-if)#mac access-group simple-mac-acl in
! PACLs are applied in the ingress direction only (see above)
This example shows how to configure an interface to use prefer port mode:

Switch(config)#interface gigabitEthernet 0/1
Switch(config-if)#access-group mode prefer port

This example shows how to configure an interface to use merge mode:

Switch(config)#interface gigabitEthernet 0/1
Switch(config-if)#access-group mode merge
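Putting the PACL guidelines above together, here is an added example of a hardened access-port PACL. It is not from the original post or from Cisco documentation; it assumes user VLAN 10 is 10.1.10.0/24, that 10.1.99.0/24 is the management network, and that the switch supports IP and MAC PACLs in merge mode (all names and addresses are made up for illustration).

```cisco
! Added example (not part of the original post). Assumed addressing:
!   VLAN 10 user subnet     10.1.10.0/24
!   management network      10.1.99.0/24
!
! IPv4 PACL for a user access port. Order matters: DHCP first (the client has
! no address yet, so its source is 0.0.0.0), then the management block, then the
! anti-spoofing permit. Anything else falls through to the implicit deny.
ip access-list extended PACL-USER-IN
 remark DHCP discover/request from a client that has no address yet
 permit udp any eq bootpc any eq bootps
 remark user ports never talk to the management network
 deny   ip any 10.1.99.0 0.0.0.255
 remark anti-spoofing: only the port's own subnet is a valid source
 permit ip 10.1.10.0 0.0.0.255 any
 remark implicit: deny ip any any
!
! MAC PACL. Per the guidelines above, the MAC list only sees frames that are
! not IP, IPv6, ARP or MPLS, so a blanket deny drops legacy non-IP protocols
! (IPX, AppleTalk, ...) without affecting IPv4 or ARP on the port.
mac access-list extended PACL-USER-MAC-IN
 deny any any
!
interface GigabitEthernet0/1
 description user access port, VLAN 10
 switchport mode access
 switchport access vlan 10
 ip access-group PACL-USER-IN in
 mac access-group PACL-USER-MAC-IN in
!
! Verification after applying (output format varies by platform):
!   show access-lists PACL-USER-IN
!   show running-config interface GigabitEthernet0/1
!   show tcam counts
```

Two caveats follow directly from the guidelines: the PACL does not touch IPv6 from the same host, so an IPv6-capable client is not covered by this list alone, and the log keyword would be silently ignored, so denied traffic must be observed elsewhere (for example with a VACL or a router ACL on the SVI). Check the TCAM after applying the lists; if there was no room to program them, they are not in effect.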
Consider the following guidelines when configuring VACLs:

  • VACLs use standard and extended Cisco IOS IP and MAC layer-named ACLs and VLAN access maps.
  • VLAN access maps can be applied to VLANs or to WAN interfaces for VACL capture. VACLs attached to WAN interfaces support only standard and extended Cisco IOS IP ACLs.
  • Each VLAN access map can consist of one or more map sequences; each sequence has a match clause and an action clause. The match clause specifies IP or MAC ACLs for traffic filtering and the action clause specifies the action to be taken when a match occurs. When a flow matches a permit ACL entry, the associated action is taken and the flow is not checked against the remaining sequences. When a flow matches a deny ACL entry, it is checked against the next ACL in the same sequence or the next sequence. If a flow does not match any ACL entry and at least one ACL is configured for that packet type, the packet is denied. In other words, the ACLs referenced by an access map are classifiers, and a deny ACE means "keep looking", not "drop".
  • To apply access control to both bridged and routed traffic, you can use VACLs alone or a combination of VACLs and ACLs. You can define ACLs on the VLAN interfaces to apply access control to both the ingress and egress routed traffic. You can define a VACL to apply access control to the bridged traffic.
  • The following caveats apply to ACLs when used with VACLs:
    • Packets that require logging on the outbound ACLs are not logged if they are denied by a VACL.
    • VACLs are applied to packets before NAT translation. If the translated flow is not subject to access control, the flow might still be subject to access control before the translation because of the VACL configuration.
  • The action clause in a VACL can be forward, drop, capture, or redirect. Traffic can also be logged. VACLs applied to WAN interfaces do not support the redirect or log actions.
  • VACLs cannot be applied to IGMP, MLD, or PIM traffic.
Example:
vlan access-map map-name [sequence-number]
match {ip|ipv6} address ip-access-list
match mac address mac-access-list
action {drop|forward|redirect}

vlan filter vlan-acl-map-name vlan-list [vlan range]
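The following is an added example (not from the original post) that applies the sequence semantics described in the VACL guidelines above: it prevents hosts in one VLAN from reaching each other while keeping the gateway and a server reachable. It assumes VLAN 20 is 10.1.20.0/24 with the default gateway at 10.1.20.1 and a server at 10.1.20.10; all names and addresses are made up for illustration.

```cisco
! Added example (not part of the original post). Assumed addressing:
!   VLAN 20 subnet   10.1.20.0/24
!   gateway (SVI)    10.1.20.1
!   server           10.1.20.10
!
! Sequence 10: flows involving the gateway or the server are forwarded.
! Remember that a permit ACE here means "this sequence's action applies";
! processing stops at the first permit match.
ip access-list extended VACL-20-ALLOWED
 permit ip any host 10.1.20.1
 permit ip host 10.1.20.1 any
 permit ip any host 10.1.20.10
 permit ip host 10.1.20.10 any
 remark DHCP, in case the DHCP server lives inside this VLAN
 permit udp any eq bootpc any eq bootps
 permit udp any eq bootps any eq bootpc
!
! Sequence 20: everything else that stays inside the subnet is dropped.
ip access-list extended VACL-20-INTRA
 permit ip 10.1.20.0 0.0.0.255 10.1.20.0 0.0.0.255
!
! Sequence 30: catch-all forward. Without it, traffic leaving the VLAN through
! the router, or arriving from other VLANs, matches no ACE while an IP ACL is
! configured for the VLAN and is therefore silently denied (see guidelines).
ip access-list extended VACL-20-ANY
 permit ip any any
!
vlan access-map VACL-20 10
 match ip address VACL-20-ALLOWED
 action forward
vlan access-map VACL-20 20
 match ip address VACL-20-INTRA
 action drop
vlan access-map VACL-20 30
 match ip address VACL-20-ANY
 action forward
!
vlan filter VACL-20 vlan-list 20
!
! Verification:
!   show vlan access-map VACL-20
!   show vlan filter
```

Because the map contains only IP ACLs, non-IP frames such as ARP are outside its scope and are still bridged, so hosts can resolve each other's MAC addresses but cannot exchange IP traffic; blocking ARP as well would need a MAC ACL sequence. On platforms that support it, action drop log on sequence 20 records the attempts, and the guideline about outbound-ACL logging above still applies: a packet this VACL drops never reaches a router ACL, so it is not logged there.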
