Detailed explanation of VLAN ACLs (VACLs) and configuration examples

Source: Internet
Author: User
Tags: switches
VACL details
Readers who are new to ACLs (access control lists) may be unfamiliar with VACLs. This article gives a comprehensive description of how VACLs are used on Cisco CatOS and IOS switches.
Like regular access lists, dynamic access lists and reflexive access lists, the VACL is part of the extended ACL family. It classifies traffic using Layer 3 and higher information, and the resulting rules are applied to Layer 2 VLANs. VACLs are mostly implemented in hardware and are much faster than traditional router access lists. Currently the Cisco 6000 (with Policy Feature Card, PFC), 3750, 3650, 3550 and 2950G series switches support VACLs.

CatOS-based VACL configuration
A VACL is matched in order, just like a regular ACL. All entries with the same ACL name form one group. When a frame is evaluated, the entries of the group are tested one by one from top to bottom, and as soon as one entry matches, evaluation of that frame stops. The basic configuration method is as follows:
1. Configure the ACL
set security acl ip {acl_name} {permit | deny | redirect mod/port} {protocol} {source_address mask} [op] [src_port] {dest_address mask} [op] [dest_port] [before editbuffer_index | modify editbuffer_index] [log]
After set security acl ip, give the name of the IP ACL, followed by the protocol description and the action to take. permit allows the packet and deny discards it. If the redirect option is given, the switch does not use the CAM (content addressable memory) lookup but sends the traffic to the port specified by mod/port. On CatOS switches an ACL is first written into a special edit buffer and is not used by the running switch until it is committed; the before and modify parameters place the configured entry before an existing entry in the list, or modify that entry's parameters.
2. Write to TCAM
After the ACL is configured it exists only in the edit buffer. The commit security acl command must be used to write it to TCAM (ternary content addressable memory). The full command syntax is:
commit security acl {acl_name | all}
With a name, only the list of that name is committed (show security acl ip name editbuffer displays the entries in the edit buffer that have not yet been committed); all commits every VACL not yet written.
3. Map to a VLAN
After being committed, both VACLs and ACLs must be mapped to a target object. On a router, for example, interface vlan1 followed by ip access-group 101 out applies access-list 101 to the outbound direction of the vlan1 interface: 101 is the ACL number and ties the mapping to that ACL, and out filters packets leaving the router interface (the two choices are in and out). CatOS VACL mapping works the same way, with one restriction: a VLAN can have only one VACL mapped to it, but one VACL can be mapped to multiple VLANs at the same time. The command syntax is:
set security acl map acl_name vlan

IOS-based VACL configuration
For small and medium-sized enterprises and campus networks, the 3750, 3550 and 2950 switches are far more common, so the CatOS-based configuration above is not universally applicable. The rest of this article therefore focuses on configuring VACLs on IOS-based switches.
Configure the access lists
1. Numbered access lists
Standard IP access control list: a standard IP ACL matches the source address, or part of it, in the IP packet and can deny or permit the matched packets. Access lists numbered 1 to 99 are standard IP access control lists. Command format:
Router(config)# access-list list-number {permit | deny | remark} {host source-address | any | source-address wildcard-mask} [log]
list-number is in the range 1 to 99; permit and deny state whether packets matching the entry are allowed through the interface or filtered out; source-address is the address to match; host and any are shorthand for the match: host is an exact match, equivalent to a wildcard mask of 0.0.0.0, and any matches every host.
Extended access list: the extended access list mainly adds finer packet filtering. An extended IP access list lets the user filter on the protocol, the ports and specific fields of the packet's source and destination. The protocol field names the protocol to filter, such as IP, TCP, UDP or ICMP, and is one of the features that distinguish extended from standard access lists. Extended list numbers range from 100 to 199 and 2000 to 2699. Syntax:
Router(config)# access-list list-number {permit | deny} {protocol | protocol-number} source source-wildcard [source-port] destination destination-wildcard [destination-port] [established]
2. Named access lists
Named access lists follow the same logic as numbered IP access control lists, but a descriptive name makes the purpose of the list easier to remember, and named lists allow more than 99 standard and 100 extended lists. A named list is also better than a numbered one in that a specific statement can be deleted, whereas in a numbered access list only the whole list can be deleted. Syntax:
Router(config)# ip access-list {standard | extended} name
ip access-list {standard | extended} name enters the configuration mode for the named list; all permit and deny statements are configured in this mode.
Create the VLAN access map
A VACL differs from a standard ACL in that the ACL, once created, is mapped to a VLAN. Creating the mapping takes three steps:
(global) vlan access-map name [number]
(vlan-map) match ip address {acl-name | acl-number}
(vlan-map) action {drop | forward}
Step 1: the name after vlan access-map should describe the map's purpose, and the number option orders the clauses when the map has several. When several clauses are grouped under one name, each clause is checked in turn until one matches; if no clause matches, the traffic is dropped.
Step 2: this step is done in access-map configuration mode. The parameter after match ip address is the name or number of the ACL configured earlier.
Step 3: the switch matches the traffic against that ACL, and the parameter after the action command states whether matching traffic is forwarded or dropped.
Apply to the switch
After the previous configuration is complete, use the vlan filter command to apply the access map to the switch. The format is as follows:
(global) vlan filter mapname vlan-list list
mapname is the name created with the vlan access-map command, and list is the VLAN number or numbers. After the configuration is complete, the following show commands check it:
show ip access-lists [number | name]
show vlan access-map [mapname]
show vlan filter [access-map name | vlan vlan-id]
show ip interface type number

How to configure a VACL

I. Introduction to VACLs:
A VACL, also called a VLAN access map, is applied to all traffic in a VLAN. VACLs support filtering based on EtherType and MAC address. As with route maps on Cisco IOS, the order of entries in a VACL matters. Currently the Catalyst 6500 series switches support several VACL actions: forward, drop and redirect.

II. Configuration steps:
1. Specify the name and sequence number of the VLAN access map:
vlan access-map map_name [seq#]
2. Configure the match clause
match ip address ...
3. Configure the ACL action
action ...
4. Apply the VLAN access map to a VLAN
vlan filter map_name vlan-list list

III. Example:
conf t
! extended ACL 111 selects FTP control traffic (TCP port 21)
access-list 111 permit tcp any any eq ftp
! sequence 100 of map mm drops whatever ACL 111 matches
vlan access-map mm 100
 match ip address 111
 action drop
exit
! apply the map to VLAN 1
vlan filter mm vlan-list 1
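A fuller IOS example of the procedure described in both sections above (named ACLs, a multi-clause access map, and the filter applied to a VLAN). This is an added example, not configuration from the original article; the VLAN number, subnet and DNS server address are constructed for illustration.

```cisco
! Constructed topology: user VLAN 10, subnet 10.1.10.0/24,
! approved internal DNS server 10.1.10.53.
! Policy: drop Telnet between hosts inside VLAN 10, drop DNS queries
! that do not go to the approved server, forward everything else.
conf t
!
! Named extended ACLs classify the traffic. Inside a VACL, "permit"
! means "this clause matches" and "deny" means "skip to the next clause".
ip access-list extended VACL-INTRA-TELNET
 permit tcp 10.1.10.0 0.0.0.255 10.1.10.0 0.0.0.255 eq 23
!
ip access-list extended VACL-ROGUE-DNS
 deny   udp any host 10.1.10.53 eq 53
 permit udp any any eq 53
!
! Clauses are evaluated in sequence order; the first match decides.
vlan access-map VLAN10-POLICY 10
 match ip address VACL-INTRA-TELNET
 action drop
vlan access-map VLAN10-POLICY 20
 match ip address VACL-ROGUE-DNS
 action drop
! A VLAN access map ends with an implicit drop, so a final clause
! without a match statement is required to forward remaining traffic.
vlan access-map VLAN10-POLICY 30
 action forward
!
! Apply the map to VLAN 10 (vlan-list also accepts ranges such as 10-12).
vlan filter VLAN10-POLICY vlan-list 10
end
!
! Verification
show vlan access-map VLAN10-POLICY
show vlan filter access-map VLAN10-POLICY
show ip access-lists VACL-ROGUE-DNS
```

DNS traffic to 10.1.10.53 is "denied" by VACL-ROGUE-DNS, so clause 20 does not match it and it falls through to clause 30, where it is forwarded.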
