Configuring VACLs
All in all, VACLs offer all the advantages of extended ACLs on a router with none of the penalties. To get a better understanding of VACLs and VACL configuration, take a look at the following scenario:
Company ILB has determined that the new security policy for all access devices is to be implemented at the access level using Catalyst 6006s with PFCs in the wiring closets. The new policy dictates that access devices in the closet should only be able to ping the router, but not communicate directly with the router using IP packets in any other way (for example, Telnet or TFTP). Also, no user should be able to communicate directly with any other user in the subnet. Furthermore, management decided that no device should be allowed to issue an ICMP echo request to any other device on any network.
In an effort to accomplish this policy, a VACL named accesspolicy has been created as a test policy for VLAN 101. The router for VLAN 1 is 172.16.101.1 and the subnet is 172.16.101.0/24. The following set of commands defines this policy:
Cat6K (enable) set security acl ip accesspolicy permit icmp any host 172.16.101.1
accesspolicy editbuffer modified. Use 'commit' command to apply changes.
Cat6K (enable) set security acl ip accesspolicy deny ip 172.16.101.0 0.0.0.255 172.16.1.0 0.0.0.255
accesspolicy editbuffer modified. Use 'commit' command to apply changes.
Cat6K (enable) set security acl ip accesspolicy deny icmp any any echo
accesspolicy editbuffer modified. Use 'commit' command to apply changes.
Cat6K (enable) set security acl ip accesspolicy permit ip any any
accesspolicy editbuffer modified. Use 'commit' command to apply changes.
If we display the security ACL information at this point, the switch reports that no ACLs have been defined yet, because nothing has been committed:
Cat6K (enable) show sec acl info all
No ACLs have been defined yet.
Currently, the list exists only in what is known as the editbuffer, a portion of volatile memory in the switch. We must commit these changes in the editbuffer to the VACL ASIC with the commit command, but before we do this, we might want to review the contents of the editbuffer with the following commands:
Cat6K (enable) show sec acl editbuffer info all
ACL                              Type Status
-------------------------------- ---- -------------------
accesspolicy                     IP   Not Committed

Cat6K (enable) show security acl info accesspolicy editbuffer
set security acl ip accesspolicy
---------------------------------------------------
1. permit icmp any host 172.16.101.1
2. deny ip 172.16.101.0 0.0.0.255 172.16.1.0 0.0.0.255
3. deny icmp any any echo
4. permit ip any any
ACL accesspolicy Status: Not Committed
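Reviewing the editbuffer shows the entries, but not which entry a given packet will hit. As an added illustration (not from the original text or Cisco's software), the following Python script parses the four accesspolicy entries above and traces constructed sample packets through them using first-match and Cisco wildcard-mask semantics, including the implicit deny at the end of a VACL.

```python
import ipaddress

# Added example: the accesspolicy entries exactly as reviewed in the editbuffer.
ACCESSPOLICY = [
    "permit icmp any host 172.16.101.1",
    "deny ip 172.16.101.0 0.0.0.255 172.16.1.0 0.0.0.255",
    "deny icmp any any echo",
    "permit ip any any",
]

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    """Split a CatOS-style ACE into action, protocol, source, destination and ICMP type."""
    action, proto, *rest = line.split()
    src, rest = _take_addr(rest)
    dst, rest = _take_addr(rest)
    icmp_type = rest[0] if rest else None      # e.g. "echo"; None matches any type
    return {"action": action, "proto": proto, "src": src, "dst": dst, "icmp_type": icmp_type}

def wildcard_match(addr, spec):
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    base, mask = spec
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(addr)) | m) == (int(ipaddress.IPv4Address(base)) | m)

def evaluate(acl_lines, src, dst, proto, icmp_type=None):
    """Return (action, entry number) of the first matching ACE; no match means the implicit deny."""
    for number, ace in enumerate(map(parse_ace, acl_lines), start=1):
        if ace["proto"] not in ("ip", proto):          # 'ip' covers every IP protocol
            continue
        if ace["icmp_type"] and ace["icmp_type"] != icmp_type:
            continue
        if wildcard_match(src, ace["src"]) and wildcard_match(dst, ace["dst"]):
            return ace["action"], number
    return "deny", None

if __name__ == "__main__":
    # Constructed sample packets from a host in VLAN 101 (172.16.101.10).
    cases = [
        ("172.16.101.10", "172.16.101.1", "icmp", "echo"),        # ping the router
        ("172.16.101.10", "172.16.101.20", "icmp", "echo"),       # ping a neighbour
        ("172.16.101.1", "172.16.101.10", "icmp", "echo-reply"),  # reply coming back
        ("172.16.101.10", "172.16.1.5", "tcp", None),             # towards 172.16.1.0/24
        ("172.16.101.10", "172.16.101.1", "tcp", None),           # Telnet to the router
    ]
    for case in cases:
        print(case, "->", evaluate(ACCESSPOLICY, *case))
```

Comparing such a trace against the written policy, before committing, shows which traffic each numbered entry actually catches and which traffic falls through to the final permit.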
Now that we are satisfied with the VACL, it needs to be committed to the TCAM:
Cat6K (enable) commit security acl accesspolicy
ACL commit in progress.
ACL 'accesspolicy' successfully committed.
Finally, the policy needs to be mapped to the VLAN for which it will be applied:
Cat6K (enable) set security acl map accesspolicy 101
Mapping in progress.
ACL accesspolicy successfully mapped to VLAN 101.
To verify the list or the mappings, use the following show commands:
Cat6K (enable) show security acl info accesspolicy
set security acl ip accesspolicy
---------------------------------------------------
1. permit icmp any host 172.16.101.1
2. deny ip 172.16.101.0 0.0.0.255 172.16.1.0 0.0.0.255
3. deny icmp any any echo
4. permit ip any any

Cat6K (enable) show security acl
ACL                              Type VLANS
-------------------------------- ---- -----
accesspolicy                     IP   101

or

Cat6K (enable) show security acl map accesspolicy
ACL accesspolicy is mapped to VLANs: 101