VACL – VLAN Access Lists

IP access control lists – ACLs are used by routers to deny or forward specific traffic from passing through some network interface. We can say that ACLs are used when traffic travels from one network address space to other. Cisco Catalyst switch can also have an ACL applied within a VLAN. This special kind of ACL is called a VLAN access control list – VACL.

First configuration here is showing us how to configure a VACL that permits Telnet traffic to a host, which have the IP address 10.2.2.13,e and stopping all other traffic. In this example there is a vlan access-map named YESTOTELNET that is configured to match access list 120. For sequence number 10, the specified action is to forward traffic matching that access list. All other traffic is dropped because of a default implicit drop instruction, which drops all traffic not explicitly permitted. Finally, the VLAN filter (that is, the VACL) is applied to VLANs in the range 1 to 50.

Cisco Switch VACLs config

Switch1(config)#access-list 120 permit tcp any host 10.2.2.13 eq telnet
Switch1(config)#vlan access-map YESTOTELNET 10
Switch1(config-access-map)#match ip address 120
Switch1(config-access-map)#action forward
Switch1(config-access-map)#exit

Switch1(config)#vlan filter ALLOWTELNET vlan-list 1-50


Let’s dig a little deeper into VLAN Access Lists

Access lists are managing the traffic when it passes through a switch. Acess lists are filtering traffic using Ternary content-addressable memory – TCAM. Access lists are written into the TCAM and each ACL is applied to an interface, outbound or inbound. In this way switch can check packets and filter them with hardware chip and there is no switching slowdown. This kind of “fast” ACLs is called RACLs. Not all packets can be filtered in this way, only packets that pass between VLANs can.

At first you can be a little bit confused on the difference between a Router based Access List – RACL and a Vlan Access Control List – VACL. But the thing is simple. The most common way for network traffic control is using Access Control Lists. There are three types of access lists:

  • Router Access Control Lists( RACLs)
  • Port Access Control Lists (PACLs)
  • VLAN Access Control Lists (VACLs)

RACL – Router Access Control Lists is the most known Access Control List. When you think of Access lists you are basically thinking of RACLs. ACL abbreviation is used it means RACL. It is called (Router) RACL because is used to control router traffic for layer 3. PACLs are Port Access Control and they are used to control the traffic for inbound layer 2. It is only used inbound direction because there is a hardware limitation for outbound direction.

VLAN Access Control List is used to control the traffic within the VLAN and that one is the main theme of this article.

VACLs are a little bit different from RACLs. They are also merged into the TCAM, they can permit, deny, or redirect packets as they are matched but VACLs are also configured in a route map fashion, with a series of matching conditions and actions to take.

VACL Configuration example for Cisco Catalyst switch

VACLs are configured as a VLAN access map just like a route map. A VLAN access map consists statements, each having a common access-map name. We need to define the VACL with the following command:

Switch1(config)# vlan access-map YESTOTELNET 10

Access map statements are ordered in sequence-number order.

Each statement can have one or more matching conditions, followed by an action.

The matching conditions will identify the traffic that we want filter. Matching is always made by access lists. We will now make this mating condition and ut the access list number in it. After that we will make access list that will represent the matching condition:

Switch1(config-access-map)# match ip address 120
Switch1(config)#access-list 120 permit tcp any host 10.2.2.13 eq telnet

Matching is always made by access lists but ACL can be in different shapes. It can be  IP, IPX, or MAC address ACLs:

Switch1(config-access-map)# match ip address {acl-number | acl-name}
Switch1(config-access-map)# match ipx address {acl-number | acl-name}
Switch1(config-access-map)# match mac address acl-name

You can make several matching conditions and the first match triggers an action to take. Action is configured like this:

Switch1(config-access-map)#action forward

VACL have couple of different actions that can either drop a matching packet, forward it, or redirect it to another interface. The TCAM is responsible of enabling entire VACL match and action as packets are switched or bridged within a VLAN or routed into or out of a VLAN.

We are applying the VACL to a VLAN using this command:

Switch1(config)#vlan filter ALLOWTELNET vlan-list 1-50

We need to be sure that we understand how the VACL is applied. VACL is applied globally to one or more VLANs listed. It is not applied to a VLAN interface – SVI. The VLAN interfaces are the point where packets exits of enters a VLAN. It does not make sense to apply a VACL to those interfaces. VACLs needs to function within the VLAN itself, where there is no inbound or outbound direction.

Leave a Reply

%d bloggers like this: