Ios Vacl Configuration - Cisco Catalyst 2000 Configuration Handbook

Catalyst series lan switching
176 Cisco LAN Switching Configuration Handbook
The VLAN ACL (VACL) is an ACL that specifies traffic parameters based on Layer 3 and above information and that is applied to a Layer 2 VLAN or, in some instances, a Layer 2 interface. These lists offer a benefit over traditional router access lists: they are applied in hardware and are therefore faster than traditional ACLs. They also add the capability to filter traffic within an IP subnet, not only traffic crossing a subnet boundary. Although the functionality is the same between operating systems, the configuration differs. This section is divided into two parts. The set of commands specifies the VACL configuration on IOS devices that support VACLs. Use the steps in each section to configure and apply VACLs on your switch. These steps apply only to IP VACLs, because IP is a protocol that is supported on all the platforms listed. It is possible to configure IPX VACLs on some platforms; although the syntax and process are the same, the protocol options differ for IPX.

Note: ACLs behave in the same manner on both routers and switches. This section does not discuss every option and configuration principle. For more on access list configuration, consult the Cisco Press title Cisco Field Manual: Router Configuration.

IOS VACL Configuration

IOS VACLs are configured as standard or extended IP access lists. Then those lists are mapped to a port or a VLAN. Currently, the 6500, 4500, 3750, and 3560 switches support VACLs. Use these commands to configure the VACL option.

1. Configure the access list.

The first parameter that must be configured is the list, which identifies the traffic to be controlled by the list. For IOS ACLs, the list is either a number or a name. There are also various types of ACLs, for example, standard lists that specify source information and extended lists that specify source and destination. Use the commands in these steps to configure the access lists.

a. Configure a numbered standard access list:

(global) access-list access-list-number {deny | permit | remark} {source source-wildcard | host source | any}

The command creates a standard ACL. The number range for standard ACLs is 1 to 99 and 1300 to 1999. The parameter permit enables traffic, and deny drops traffic. The remark parameter enables you to insert remarks into the list that provide information about the list and why parameters are added. For the permit or deny option, the address/mask enables you to control traffic from specified source addresses. You can use the keyword any to specify all source addresses.

b. Configure a numbered extended access list:

(global) access-list access-list-number {deny | permit | remark} protocol {source source-wildcard | host source | any} [operator port] {destination destination-wildcard | host destination | any} [operator port]
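To make the standard and extended list syntax above concrete, the following is an added example (not code from the handbook or from Cisco) that parses access-list lines in exactly the form shown in steps 1a and 1b and evaluates constructed packets against them with IOS semantics: entries are checked top-down, the first match wins, and a list ends with an implicit deny. The wildcard-mask handling (a 0 bit must match, a 1 bit is ignored), the sample configuration, and the restriction to the eq port operator are all assumptions of this example, and the standard/extended distinction is made from the number ranges the text gives (1 to 99 and 1300 to 1999).

```python
"""Evaluator for the Cisco IOS numbered IP access-list syntax quoted above.

Constructed example, not code from the handbook: it parses the standard and
extended access-list forms and applies IOS evaluation semantics (top-down,
first matching entry wins, implicit deny when nothing matches, wildcard masks
where a 0 bit means "must match"). Only the 'eq' port operator is handled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

STANDARD_RANGES = ((1, 99), (1300, 1999))   # numbered standard ACLs per the text

@dataclass
class Entry:
    number: int
    action: str                  # "permit" or "deny"
    protocol: str                # "ip" for standard lists (source-only match)
    src: int
    src_wild: int
    dst: int = 0
    dst_wild: int = 0xFFFFFFFF   # standard lists ignore the destination
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

def is_standard(number: int) -> bool:
    return any(lo <= number <= hi for lo, hi in STANDARD_RANGES)

def _parse_addr(tokens, i):
    """Parse {addr wildcard | host addr | any}; return (addr, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)

def _parse_port(tokens, i):
    """Optional [operator port]; only 'eq' is supported in this example."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i

def parse_acl_line(line: str) -> Optional[Entry]:
    """Turn one 'access-list ...' line into an Entry; remarks and blanks yield None."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
        return None
    number, action = int(t[1]), t[2]
    if is_standard(number):
        src, wild, _ = _parse_addr(t, 3)
        return Entry(number, action, "ip", src, wild)
    src, src_wild, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, dst_wild, i = _parse_addr(t, i)
    dport, _ = _parse_port(t, i)
    return Entry(number, action, t[3], src, src_wild, dst, dst_wild, sport, dport)

def _addr_match(addr: int, wild: int, ip: str) -> bool:
    # Wildcard mask: a 0 bit must match exactly, a 1 bit is "don't care".
    care = 0xFFFFFFFF ^ wild
    return (addr & care) == (int(ipaddress.IPv4Address(ip)) & care)

def entry_matches(e: Entry, p: Packet) -> bool:
    if e.protocol != "ip" and e.protocol != p.protocol:
        return False
    if not _addr_match(e.src, e.src_wild, p.src):
        return False
    if not _addr_match(e.dst, e.dst_wild, p.dst):
        return False
    if e.src_port is not None and e.src_port != p.src_port:
        return False
    if e.dst_port is not None and e.dst_port != p.dst_port:
        return False
    return True

def evaluate(entries: List[Entry], number: int, p: Packet) -> str:
    """IOS semantics: first matching entry of list `number` wins; else implicit deny."""
    for e in entries:
        if e.number == number and entry_matches(e, p):
            return e.action
    return "deny"

# Constructed sample configuration in the syntax described above (not from the book).
SAMPLE_CONFIG = """
access-list 10 remark management subnet only
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 101 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.5 eq 443
access-list 101 deny tcp any host 10.1.1.5 eq 443
access-list 101 permit ip any any
"""
ENTRIES = [e for e in map(parse_acl_line, SAMPLE_CONFIG.splitlines()) if e]

if __name__ == "__main__":
    print(evaluate(ENTRIES, 10, Packet("192.168.10.7", "10.1.1.5")))                    # permit
    print(evaluate(ENTRIES, 101, Packet("172.16.0.9", "10.1.1.5", "tcp", 51000, 443)))  # deny
```

The two behaviours worth noticing when reviewing a VACL are both visible here: a host outside 192.168.10.0/24 is dropped by list 10 without any explicit deny line, and list 101 only denies TCP to port 443, so the same destination port over UDP falls through to the final permit ip any any. Entry order matters: swapping the first two lines of list 101 would deny the management subnet as well.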
