[c-nsp] access lists on vlan interfaces

liviu.pislaru at gmail.com
Wed Apr 11 05:06:10 EDT 2007


hello,

VACLs are a little bit different.

Standard and extended IOS ACLs are configured on the INPUT and OUTPUT of 
router interfaces and, as such, are applied to routed packets. The use of IOS 
ACLs requires both a PFCx and a MSFCx on the Catalyst 6500 Series for 
example.

VLAN ACLs (VACLs) provide access control based on Layer 3 or Layer 4 
information for IP or IPX protocols. A VACL is applied to all packets 
(BRIDGED and ROUTED) on a VLAN and can be configured on any VLAN interface. 
VACLs are used for security packet filtering and redirecting traffic to 
specific physical switch ports. They are not defined by direction (input or 
output). VACL functionality requires a PFCx.

The VACL configuration in Cisco IOS is based on the traditional IOS ACL 
implementation. That is, it relies on the IOS access-list command to define 
the traffic matching parameters. From there, all configuration (including ACL 
reference and action) is done from the "vlan access-map" configuration mode.

Example:

(config)# vlan 100
(config-vlan)# exit
(config)# access-list 101 permit ip any any
(config)# vlan access-map test
(config-access-map)# match ip address 101
(config-access-map)# action forward
(config-access-map)# exit
(config)# vlan filter test vlan-list 100

(SVI 100 is created automatically; it is not necessary for the interface to
be configured or even in an "up" state for the VACL to operate properly.)

--
liviu.
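
To put the two mechanisms from this thread side by side, here is an added
configuration example (written for this reply, not taken from the post above
or from Cisco documentation). It assumes a Catalyst 6500 with a PFC running
Cisco IOS and uses the addresses from Kyle's question (VLAN 100, SVI
192.168.1.1, subnet 192.168.1.0/24); the ACL and access-map names are made up.

```cisco
! Added example, not from the original post. Assumes a Catalyst 6500 with a
! PFC running Cisco IOS; ACL and access-map names are invented for illustration.
!
! 1) Router ACL on the SVI: applies only to ROUTED packets and has a direction.
!    "in"  = packets arriving at the router through Vlan100 (sourced in
!            192.168.1.0/24 and headed somewhere else)
!    "out" = packets leaving the router into VLAN 100 (destined for the subnet)
ip access-list extended SVI100-IN
 remark only the local subnet may send routed traffic into the router via Vlan100
 permit ip 192.168.1.0 0.0.0.255 any
 deny   ip any any
!
interface Vlan100
 ip address 192.168.1.1 255.255.255.0
 ip access-group SVI100-IN in
!
! 2) VACL: applies to BRIDGED and ROUTED packets in VLAN 100 and has no
!    direction. Host-to-host traffic inside 192.168.1.0/24 never reaches the
!    SVI, so the router ACL above cannot see it; only a VACL can filter it.
!    Here telnet between hosts in the same VLAN is dropped.
ip access-list extended VACL100-TELNET
 permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 23
!
ip access-list extended VACL100-ANY
 permit ip any any
!
! In an access-map, "permit" in the referenced ACL only means "this entry
! matches"; the action line decides what happens. Entries are tried in
! sequence order and the first match wins.
vlan access-map VLAN100-MAP 10
 match ip address VACL100-TELNET
 action drop
vlan access-map VLAN100-MAP 20
 match ip address VACL100-ANY
 action forward
!
! A packet that matches no entry in the map is dropped, so sequence 20 is the
! explicit catch-all that keeps all other traffic flowing. The map does
! nothing until it is attached to the VLAN:
vlan filter VLAN100-MAP vlan-list 100
```

The point of keeping both pieces: the SVI ACL answers "which routed traffic may
enter or leave the subnet", the VACL answers "which frames may exist in the
VLAN at all", including traffic that is switched between two hosts on the same
VLAN and never passes through interface Vlan100.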

On Wednesday 11 April 2007 10:59, cisco at mbneo.com wrote:
> What about VACL? What is it for?
> What does VACL look like?
>
> Thanks
>
> > hi,
> >
> > think of a router as a circle with you inside (center of that circle) :).
> > inbound traffic is the traffic that comes towards YOU through the
> > interface/SVI you want to configure the ACL on (SVI 100) and leaves the
> > router through another interface.
> >
> > outbound traffic is the traffic destined for vlan 100 that leaves the
> > router through the interface/SVI you want to configure the ACL on (SVI 100).
> >
> > as Dale said, when you apply an ACL, try to forget that interface "Vlan100"
> > is virtual.
> >
> > --
> > liviu.
> >
> > On Wednesday 11 April 2007 02:59, Kyle Evans wrote:
> >> Hello,
> >>
> >> I'm wondering what the convention is for an access list on a vlan
> >> interface.  How do I tell what is inbound and what is outbound?  For
> >> example, if I have vlan 100 and a vlan interface 100 with ip address
> >> 192.168.1.1 that serves as a gateway for 192.168.1.0/24, is traffic from
> >> 192.168.1.0/24 to 192.168.1.1 inbound?  Or is traffic from the rest of
> >> the world back to 192.168.1.1 inbound?
> >>
> >>
> >> Kyle
> >> _______________________________________________
> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >

