VLAN Access Lists

Access lists can manage or control traffic as it passes through a switch. When normal access lists are configured on a Catalyst switch, they filter traffic through the use of the ternary content-addressable memory (TCAM). Recall from Chapter 2, "Switch Operation," that access lists (also known as router access lists, or RACLs) are merged or compiled into the TCAM. Each ACL is applied to an interface according to the direction of traffic, inbound or outbound. Packets then can be filtered in hardware with no switching performance penalty.

However, only packets that pass between VLANs can be filtered this way. Packets that stay in the same VLAN do not cross a VLAN or interface boundary and do not necessarily have a direction in relation to an interface. These packets also might be non-IP, non-IPX, or completely bridged; therefore, they never pass through the multilayer switching mechanism.

VLAN access lists (VACLs) are filters that can directly affect how packets are handled within a VLAN. VACLs are somewhat different from RACLs or traditional access control lists. Although they, too, are merged into the TCAM, they can permit, deny, or redirect packets as they are matched. VACLs also are configured in a route map fashion, with a series of matching conditions and actions to take.

VACL Configuration
VACLs are configured as a VLAN access map in much the same format as a route map. A VLAN access map consists of one or more statements, each having a common map name. First, you define the VACL with the following global configuration command:

Switch(config)# vlan access-map map-name [sequence-number]

Access map statements are evaluated in sequence according to the sequence-number. Each statement can contain one or more matching conditions, followed by an action.

Next, define the matching conditions that identify the traffic to be filtered. Matching is performed by access lists (IP, IPX, or MAC address ACLs), which you must configure independently. Configure a matching condition with one of the following access map configuration commands:

Switch(config-access-map)# match ip address {acl-number | acl-name}
Switch(config-access-map)# match ipx address {acl-number | acl-name}
Switch(config-access-map)# match mac address acl-name

You can repeat these commands to define several matching conditions; the first match encountered triggers an action to take.

Define the action with the action access map configuration command. A VACL can either drop a matching packet, forward it, or redirect it to another interface. The TCAM performs the entire VACL match and action as packets are switched or bridged within a VLAN or routed into or out of a VLAN.

Finally, you must apply the VACL to a VLAN using the following global configuration command:

Switch(config)# vlan filter map-name vlan-list vlan-list

Notice that the VACL is applied globally to one or more VLANs listed and not to a VLAN interface (SVI). Recall that VLANs can be present in a switch as explicit interfaces or as inherent Layer 2 entities. The VLAN interface is the point where packets enter or leave a VLAN, so it does not make sense to apply a VACL there. Instead, the VACL needs to function within the VLAN itself, where there is no inbound or outbound direction.

For example, suppose that you need to filter traffic within VLAN 99 so that host 192.168.99.17 is not allowed to contact any other host on its local subnet. Access list local-17 is created to identify traffic between this host and anything else on its local subnet. Then a VLAN access map is defined: If the local-17 access list permits the IP address, the packet is dropped; otherwise, the packet is forwarded. Example 17-1 shows the commands necessary for this example.

Example 17-1 Filtering Traffic Within the Local Subnet

Switch(config)# ip access-list extended local-17
Switch(config-acl)# permit ip host 192.168.99.17 192.168.99.0 0.0.0.255
Switch(config-acl)# exit
Switch(config)# vlan access-map block-17 10
Switch(config-access-map)# match ip address local-17
Switch(config-access-map)# action drop
Switch(config-access-map)# vlan access-map block-17 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter block-17 vlan-list 99
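To make the evaluation order concrete, here is an added Python model of the VACL logic described above (it is not from the book and is not how the switch's TCAM implements it): clauses are walked in sequence-number order, the first match wins, and a clause with no match condition matches everything. It also assumes the IOS default that a packet matching no clause is dropped, which the text does not state; the configuration data is a constructed transcription of Example 17-1.

```python
import ipaddress

def ip2int(addr):
    return int(ipaddress.IPv4Address(addr))

class AclEntry:
    """One 'permit|deny ip <src> <src-wildcard> <dst> <dst-wildcard>' line of an extended ACL."""
    def __init__(self, action, src, src_wc, dst, dst_wc):
        self.action = action
        # IOS wildcard bits are "don't care": compare only the bits where the wildcard is 0
        self.src, self.src_mask = ip2int(src), ~ip2int(src_wc) & 0xFFFFFFFF
        self.dst, self.dst_mask = ip2int(dst), ~ip2int(dst_wc) & 0xFFFFFFFF

    def matches(self, src, dst):
        return ((ip2int(src) & self.src_mask) == (self.src & self.src_mask)
                and (ip2int(dst) & self.dst_mask) == (self.dst & self.dst_mask))

def acl_permits(acl, src, dst):
    """First matching entry decides; an ACL with no matching entry denies (IOS implicit deny)."""
    for entry in acl:
        if entry.matches(src, dst):
            return entry.action == "permit"
    return False

def access_map_action(access_map, acls, src, dst):
    """Walk the map in sequence-number order; a clause with no match condition matches everything.
    A packet that matches no clause is dropped (assumed IOS default for VLAN maps)."""
    for _seq, acl_name, action in sorted(access_map, key=lambda clause: clause[0]):
        if acl_name is None or acl_permits(acls[acl_name], src, dst):
            return action
    return "drop"

def vacl_verdict(vlan, src, dst, vlan_filters, access_maps, acls):
    """'vlan filter' binds one map to a VLAN list; a VLAN with no map forwards everything."""
    map_name = vlan_filters.get(vlan)
    if map_name is None:
        return "forward"
    return access_map_action(access_maps[map_name], acls, src, dst)

# Constructed transcription of Example 17-1: host 192.168.99.17 on VLAN 99 may not talk to its subnet
ACLS = {"local-17": [AclEntry("permit", "192.168.99.17", "0.0.0.0", "192.168.99.0", "0.0.0.255")]}
ACCESS_MAPS = {
    "block-17": [(10, "local-17", "drop"), (20, None, "forward")],
    # Same map without the sequence-20 clause, to show that everything else is then dropped
    "block-17-no-forward": [(10, "local-17", "drop")],
}
VLAN_FILTERS = {99: "block-17"}
```

Running the model shows a caveat worth checking in any real deployment: because local-17 matches only on source 192.168.99.17, frames from other hosts toward .17 are still forwarded, and it is the host's replies that get dropped.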
