How to Configure & Verify VLAN ACLs in NX-OS

December 8, 2013

A VLAN ACL (VACL) is one application of a MAC ACL or IP ACL. You can configure VACLs to apply to all packets that are routed into or out of a VLAN or are bridged within a VLAN. VACLs are strictly for security packet filtering and for redirecting traffic to specific physical interfaces. VACLs are not defined by direction (ingress or egress).

VACLs use access maps to contain an ordered list of one or more map entries. Each map entry associates IP or MAC ACLs with an action. Each entry has a sequence number, which allows you to control the precedence of entries. When the device applies a VACL to a packet, it applies the action that is configured in the first access map entry that contains an ACL that permits the packet.

Each VLAN access map entry can specify one of the following actions:

  • Forward: Sends the traffic to the destination determined by normal operation of the switch.
  • Redirect: Redirects the traffic to one or more specified interfaces.
  • Drop: Drops the traffic. If you specify drop as the action, you can also specify that the device logs the dropped packets.

In access map configuration mode, you use the action command to specify the action for a map entry.

Use Seven Commands to Configure the VLAN ACLs

Step 1

switch# config t

Step 2

switch(config)# vlan access-map acl-mac-map

Step 3

switch(config-access-map)# match ip address acl-ip-lab

switch(config-access-map)# match mac address acl-mac-01

Step 4

switch(config-access-map)# action forward

Step 5

switch(config-access-map)# statistics per-entry

Step 6

switch(config-access-map)# show running-config aclmgr

Step 7

switch(config-access-map)# copy running-config startup-config

Applying a VACL to a VLAN

switch# config t

The vlan filter command applies the VACL to the VLANs in the list that you specify. The no form of the command removes the VACL from those VLANs.

switch(config)# vlan filter acl-mac-map vlan-list 1-20,26-30

switch(config)# show running-config aclmgr

switch(config)# copy running-config startup-config

To display VACL configuration information, use one of the following commands:

show running-config aclmgr

Displays the ACL configuration, including VACL-related configuration.

show vlan filter

Displays information about VACLs that are applied to a VLAN.

show vlan access-map

Displays information about VLAN access maps.
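
One way to check the result of the steps above offline, as an added example that is not part of the original article: the Python script below parses saved configuration text written in the command syntax shown in this article and reports which VLANs have a VACL applied, which access maps are defined but never applied, and which filters name a map that does not exist. The sample text, the map name unused-map and the function names are constructed for illustration, and it is an assumption that saved show running-config aclmgr output follows this layout.

```python
import re

# Constructed sample in the command syntax used in this article; not captured
# from a real switch. "unused-map" is a hypothetical second access map.
SAMPLE_CONFIG = """\
vlan access-map acl-mac-map 10
  match ip address acl-ip-lab
  action forward
  statistics per-entry
vlan access-map unused-map 10
  match mac address acl-mac-01
  action drop
vlan filter acl-mac-map vlan-list 1-20,26-30
"""

def expand_vlan_list(spec):
    """Turn a vlan-list such as '1-20,26-30' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans

def audit_vacls(config_text, required_vlans):
    """Parse access maps and VLAN filters, then report coverage gaps."""
    maps, filtered, entry = {}, {}, None
    for line in config_text.splitlines():
        text = line.strip()
        if m := re.fullmatch(r"vlan access-map (\S+)(?: (\d+))?", text):
            entry = {"seq": m.group(2), "match": [], "action": None}
            maps.setdefault(m.group(1), []).append(entry)
        elif m := re.fullmatch(r"vlan filter (\S+) vlan-list (\S+)", text):
            entry = None  # a filter line ends the current map entry
            filtered.update(dict.fromkeys(expand_vlan_list(m.group(2)), m.group(1)))
        elif entry is not None and (m := re.fullmatch(r"match (ip|mac) address (\S+)", text)):
            entry["match"].append((m.group(1), m.group(2)))
        elif entry is not None and (m := re.fullmatch(r"action (\w+).*", text)):
            entry["action"] = m.group(1)
    applied = set(filtered.values())
    return {
        "maps": maps,                                        # name -> entries
        "filtered": filtered,                                # VLAN ID -> map name
        "unapplied_maps": sorted(set(maps) - applied),       # defined, never applied
        "undefined_maps": sorted(applied - set(maps)),       # applied, never defined
        "unfiltered_vlans": sorted(set(required_vlans) - set(filtered)),
    }

if __name__ == "__main__":
    report = audit_vacls(SAMPLE_CONFIG, range(1, 31))
    print({k: v for k, v in report.items() if k not in ("maps", "filtered")})
```

Pass the VLAN IDs that your policy requires to be filtered as required_vlans; any ID returned in unfiltered_vlans has no vlan filter line covering it.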