VLAN Access-Control List / VACL – DEEP DIVE into Configuration, Verification, and a LOT of explanation! Prepare yourself!!

VACL

This is very complex (like pulling teeth), prepare yourself for a LOT of info!

On an MLS Switch, access control for Inter-VLAN communication (between VLANs / Subnets) is done at Layer 3 with a router ACL applied to the SVI (programmed into the TCAM like every other ACL), while access control for Intra-VLAN communication (between Hosts in the same VLAN / Subnet) is done with VACLs, also called VLAN Access-Maps, which filter frames inside the VLAN where a routed ACL never sees them!

It is VERY important to understand the difference between Inter-VLAN and Intra-VLAN!

This will be lab heavy to really demonstrate different approaches to configuring this; however, it follows very closely the logic of Route Map configuration, so if you are familiar with that / have taken your ROUTE exam you have a huge head start.

If you are interested in my Route Map configuration post, it can be viewed here:

Route Map Configuration – https://loopedback.com/2017/05/19/policy-based-routing-local-policy-routing-and-route-map-configuration-and-explanation-review-for-exam-day/

In theory it is pretty straight forward once you have the commands down; there are 3 steps to making a VACL / VLAN access-map on your MLS Switch:

  • Create an extended IP Access-list (preferably with a name as demo’d) whose permit entries describe the traffic the VACL should act on
  • Create a VLAN Access-Map with one sequence that matches that IP Access-List (plus a catch-all sequence), and tie each sequence to an action
  • Apply the VLAN Access-Map to the VLAN(s) with ‘vlan filter’ to begin filtering traffic
  • (Also get in the habit of checking that ‘ip routing’ is enabled in global configuration mode; a VACL does not need it, but Inter-VLAN reachability on the MLS does)

In fact, that should just be a good habit for exam day: if you cannot use “show run”, get on the CLI and issue ‘ip routing’ for good measure. If hosts in different VLANs can’t reach each other, that may be the issue!

First I want to get IP Connectivity out of the way from Host A up front

Before we lab, we want to make sure Host A can communicate to all Hosts:

HostA#ping 10.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
HostA#ping 10.0.0.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
HostA#ping 10.0.0.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
HostA#

Looks good, lets get into the weeds, we have a long way to go!

Explanation and Creation of a basic Extended IP Access-List for a VACL

When creating the Extended IP Access-List to be tied into your VACL, you PERMIT traffic from the Source Address (the Hosts to be restricted) to the Destination Address (the IP Addresses they are restricted from communicating with). Inside a VACL, “permit” in the ACL does not mean “allow”; it means “this packet matches this sequence”.

Do not concern yourself with the IP Access-List Implicit Deny on the end. Inside a VACL a deny (explicit or implicit) only means “no match for this sequence, try the next one”, so the implicit deny never drops anything by itself; the VACL will have what’s called a “catch all clause” or sequence configured at the end to forward all the traffic the earlier sequences did not match.

A real world note to make things easier on yourself: you will basically be making ACLs inside of ACLs, so I would keep the naming scheme similar to help get it correct!

Creating an Extended IP Access-List for a basic VACL demonstration (Step 1)

I will block Host A from communicating with Host C and Host D, by using 2 different methods of input in the IP Access-List:

SW1(config)#
SW1(config)#ip access-list extended Host2HostACL
SW1(config-ext-nacl)#permit ip 10.0.0.1 0.0.0.0 10.0.0.3 0.0.0.0
SW1(config-ext-nacl)#permit ip host 10.0.0.1 host 10.0.0.4
SW1(config-ext-nacl)#exit
SW1(config)#

Remember an All 0’s wildcard mask is a Host Address, otherwise you can just type ‘host’ in the ACL line, wanted to include that as an Extended ACL refresher.

So the ACL above if applied to an interface would perform the following:

  • Permit all traffic from Host A to Host C
  • Permit all traffic from Host A to Host D
  • Implicit Deny / Drop all other traffic that hits this ACL

That is exactly what we need for the VACL configuration to work!

***IMPORTANT NOTE: The traffic in the IP ACL is being PERMITTED; the VACL will take care of dropping the specified packets, and we’ll add the “catch all” sequence to forward all other traffic on the VACL coming up here. But remember to PERMIT the traffic in the IP ACL!!!***

***IT IS IMPORTANT TO NOTE THAT “PERMIT” IN THE ACL TELLS THE VACL IT IS A MATCH, AND “DENY” (EXPLICIT, OR THE IMPLICIT DENY AT THE END) TELLS THE VACL IT IS NOT A MATCH, SO THE VACL MOVES ON TO THE NEXT SEQUENCE UNTIL IT FINDS A MATCH OR HITS THE IMPLICIT DROP-ALL AT THE END OF THE MAP!***

Configuration of the VACL / VLAN Access-Map (Step 2)

This starts in global configuration mode, and I’ll take it step by step:

SW1(config)#
SW1(config)#vlan ?
WORD ISL VLAN IDs 1-4094
access-log Configure VACL logging
access-map Create vlan access-map or enter vlan access-map command mode
configuration vlan feature configuration mode
dot1q dot1q parameters
filter Apply a VLAN Map
group Create a vlan group
internal internal VLAN

SW1(config)#vlan access-map ?
WORD Vlan access map tag

SW1(config)#vlan access-map Host2HostACL_VACL
SW1(config-access-map)#

This drops us into VLAN access-map configuration mode, note that I just added “_VACL” to my IP ACL name, because it helps you (and others) understand the configuration.

Now to tie the IP Access-List to the VLAN access-map:

SW1(config-access-map)#?
Vlan access-map configuration commands:
action Take the action
default Set a command to its defaults
exit Exit from vlan access-map configuration mode
match Match values.
no Negate a command or set its defaults

SW1(config-access-map)#match ?
ip IP based match
mac MAC based match

SW1(config-access-map)#match ip ?
address Match IP address to access control.

SW1(config-access-map)#match ip add ?
<1-199> IP access list (standard or extended)
<1300-2699> IP expanded access list (standard or extended)
WORD Access-list name

SW1(config-access-map)#match ip add Host2HostACL ?
<1-199> IP access list (standard or extended)
<1300-2699> IP expanded access list (standard or extended)
WORD Access-list name
<cr>

SW1(config-access-map)#match ip add Host2HostACL
SW1(config-access-map)#

You’ll notice the syntax is “match ip address …” yet it only accepts ACLs; I didn’t write the IOS image, so I am not sure where that came from (same deal with Route Maps).

So now the VACL is matching our IP ACL, we need to configure an “Action” :

SW1(config-access-map)#?
Vlan access-map configuration commands:
action Take the action
default Set a command to its defaults
exit Exit from vlan access-map configuration mode
match Match values.
no Negate a command or set its defaults

SW1(config-access-map)#action ?
drop Drop packets
forward Forward packets

SW1(config-access-map)#action drop ?
log Log dropped packets
<cr>

SW1(config-access-map)#action drop

When looking at all the options, the only things that really make sense are Match / Action, so we have matched our ACL and added an Action for it.

Time to step back and check out some verification of what we have configured!

How to view / verify the newly created vlan access-map:

SW1#sh vlan ?
access-log VACL Logging
access-map Vlan access-map
brief VTP all VLAN status in brief
dot1q Display dot1q parameters
filter VLAN filter information
group VLAN group(s) information
id VTP VLAN status by VLAN id
ifindex SNMP ifIndex
internal VLAN internal usage
mtu VLAN MTU information
name VTP VLAN status by VLAN name
private-vlan Private VLAN information
remote-span Remote SPAN VLANs
summary VLAN summary information
| Output modifiers
<cr>

SW1#sh vlan access-map ?
WORD Access-map name
| Output modifiers
<cr>

The VLAN Access-Map output reviewed

SW1#sh vlan access-map
Vlan access-map “Host2HostACL_VACL” 10
Match clauses:
ip address: Host2HostACL
Action:
drop
SW1#

Going from top to bottom of this output:

  • It shows the “VLAN Access-Map” name, and the sequence # (10)
  • Match “Clauses” segment, showing below it the IP ACL name it is matching on
  • Action taken: Drop

So right now this VACL is saying “Drop traffic that matches the Clause criteria (the IP ACL)”. What it doesn’t say is that, exactly like an IP ACL, there is an implicit “Drop Any Any” at the end of a VACL: any packet that matches no sequence is dropped!

Both VACLs and Route Maps run down the list of Sequence #’s like an ACL, stop at the first Sequence that matches, and perform that Sequence’s configured Action, so it is the same logic put into a different configuration!

So we need to create a “catch all” Clause / Sequence to Allow all other Traffic

Also – To insert a Clause between existing Sequences, put a Sequence # after the “vlan access-map …” statement, such as “vlan access-map Host2HostACL_VACL 15” to place a Sequence between 10 and 20 (I am just using the defaults, which count up by 10, in this lab)

Now to configure the ABSOLUTELY NECESSARY catch all Clause:

SW1(config-access-map)#exit
SW1(config)#
SW1(config)#vlan access-map Host2HostACL_VACL
SW1(config-access-map)#?
Vlan access-map configuration commands:
action Take the action
default Set a command to its defaults
exit Exit from vlan access-map configuration mode
match Match values.
no Negate a command or set its defaults

SW1(config-access-map)#action ?
drop Drop packets
forward Forward packets

SW1(config-access-map)#action forward ?
<cr>

SW1(config-access-map)#action forward
SW1(config-access-map)#exit
SW1(config)#

This “Catch All” Clause does not require an IP ACL to match against, as if there is no match requirement, it just treats it as “All other traffic” and Forwards it.

Lets verify again that our basic VACL is complete, with a Catch-All Clause

Lets take a look at what we’ve got:

SW1(config)#do sh vlan access-map
Vlan access-map “Host2HostACL_VACL” 10
Match clauses:
ip address: Host2HostACL
Action:
drop
Vlan access-map “Host2HostACL_VACL” 20
Match clauses:
Action:
forward
SW1(config)#

The VACL will go down the list of Sequence #’s (Like an ACL), so it will first hit the Clause configured to Drop traffic, then it will hit its second Clause with no Match Clause defined so it allows the Action to be performed on All Other Traffic.
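Because a map whose last sequence is not an unconditional forward silently drops everything it does not explicitly match, it is worth checking for that mechanically. The following is an added example, not code from the original post or from Cisco: a small Python script that parses “show vlan access-map” output in the format shown above and flags any access-map whose highest sequence is not a match-nothing “forward”. The sample output is constructed from the post’s own verification output, with a second map (named after the no-catch-all demo later in this post) that lacks the catch-all.

```python
"""Audit 'show vlan access-map' output for maps lacking a catch-all forward.

Added example (not from the original post): parses the show output in the
post's format and flags any access-map whose last sequence is not an
unconditional 'forward' (no match clause, action forward), i.e. a map that
will drop every packet its other sequences do not explicitly match.
"""
import re

# Constructed sample, built from the post's verification output: the map
# with its catch-all plus a second map that was configured without one.
SAMPLE_SHOW_OUTPUT = """
SW1#sh vlan access-map
Vlan access-map "Host2HostACL_VACL" 10
Match clauses:
ip address: Host2HostACL
Action:
drop
Vlan access-map "Host2HostACL_VACL" 20
Match clauses:
Action:
forward
Vlan access-map "IsolateHostB_VACL" 10
Match clauses:
ip address: IsolateHostB
Action:
drop
SW1#
"""

# Accepts straight or curly quotes around the map name (copy/paste from a
# web page often turns the quotes curly).
MAP_HEADER = re.compile(r'^Vlan access-map [“"](?P<name>[^”"]+)[”"]\s+(?P<seq>\d+)$')


def parse_vlan_access_maps(text):
    """Return {map_name: [{"seq": int, "matches": [str], "action": str}, ...]}."""
    maps = {}
    current = None   # the sequence entry currently being filled in
    section = None   # "match" or "action" while inside that sub-block
    for raw in text.splitlines():
        line = raw.strip()
        header = MAP_HEADER.match(line)
        if header:
            current = {"seq": int(header["seq"]), "matches": [], "action": None}
            maps.setdefault(header["name"], []).append(current)
            section = None
        elif line == "Match clauses:":
            section = "match"
        elif line == "Action:":
            section = "action"
        elif current is not None and section == "match" and line:
            current["matches"].append(line)          # e.g. "ip address: Host2HostACL"
        elif current is not None and section == "action" and line:
            current["action"] = line.split()[0]      # "drop" / "drop log" -> "drop"
            section = None                           # ignore the prompt lines that follow
    return maps


def missing_catch_all(maps):
    """Names of maps whose highest sequence is not a match-nothing 'forward'."""
    bad = []
    for name, seqs in maps.items():
        last = max(seqs, key=lambda s: s["seq"])
        if last["matches"] or last["action"] != "forward":
            bad.append(name)
    return bad


if __name__ == "__main__":
    parsed = parse_vlan_access_maps(SAMPLE_SHOW_OUTPUT)
    for name in missing_catch_all(parsed):
        print(f"WARNING: {name} has no catch-all forward sequence; "
              f"unmatched traffic in its VLAN will be dropped")
```

Run it against a pasted “show vlan access-map” from any switch; the only map it should report is one you deliberately built to drop everything.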

I have to say in configuring this, it is so gross, I am going to have nightmares about this.

Finally the simple part, applying the VACL to the MLS! (Step 3)

Starting to feel like the lab that never ends, or is that just me? 🙂

To apply the VACL you issue the following command in Global Config:

SW1(config)#vlan ?
WORD ISL VLAN IDs 1-4094
access-log Configure VACL logging
access-map Create vlan access-map or enter vlan access-map command mode
configuration vlan feature configuration mode
dot1q dot1q parameters
filter Apply a VLAN Map
group Create a vlan group
internal internal VLAN

SW1(config)#vlan filter ?
WORD VLAN map name

SW1(config)#vlan filter Host2HostACL_VACL ?
vlan-list VLANs to apply filter to

SW1(config)#vlan filter Host2HostACL_VACL vlan-list ?
<1-4094> VLAN id
all Add this filter to all VLANs

SW1(config)#vlan filter Host2HostACL_VACL vlan-list 10 ?
, comma
– hyphen
<cr>

SW1(config)#vlan filter Host2HostACL_VACL vlan-list 10
SW1(config)#

OH MY GOSH, IS IT FINALLY OVER??? LETS TEST CONNECTIVITY!!!

Testing if this was configured correctly, please please work!

HostA#ping 10.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
HostA#ping 10.0.0.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
…..
Success rate is 0 percent (0/5)
HostA#ping 10.0.0.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.4, timeout is 2 seconds:
…..
Success rate is 0 percent (0/5)
HostA#

SUCCESS!!!! FINALLY THE CONFIGURATION IS COMPLETE!!!

Just a bit more connectivity verification from Host C

Ping tests:

HostC#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
…..
Success rate is 0 percent (0/5)
HostC#ping 10.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
HostC#ping 10.0.0.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
HostC#

It looks like Host A is restricted from replying to Host C, so our VACL works! Note the asymmetry: the ACL only lists Host A as the source, so Host C’s echo requests are still forwarded to Host A and only Host A’s replies are dropped. If you want the switch to drop the requests as well (so they never reach Host A), add a second permit line with Host C as the source and Host A as the destination.

Believe it or not, we are going to take it one step further, matching on a subnet!

Now that we know the theory, I’ll run through a couple of quick scenarios to help you prepare for exam day, as it will not be as easy as Point A to Point B and you know it!

Hosts A, B, and C must be restricted from reaching the other hosts in their VLAN, but otherwise allowed to send traffic to the Default Gateway of 10.0.0.100.

Configuring a subnet for VACL with Default Gateway Access

This requires you to first look at the Hosts IP addresses, I made it easy on myself and have .1-.3 to block, which can be covered by a /30 mask in my ACLs or 0.0.0.3.

First the two IP Extended ACL’s, we’ll see how they come into play:

SW1(config)#ip access-list extended Nets1
SW1(config-ext-nacl)#permit ip 10.0.0.0 0.0.0.3 host 10.0.0.100
SW1(config-ext-nacl)#exit
SW1(config)#ip access-list extended Nets2
SW1(config-ext-nacl)#permit ip 10.0.0.0 0.0.0.3 10.0.0.0 0.0.0.255
SW1(config-ext-nacl)#exit
SW1(config)#

Remember we need separate lists to “Match Clause” on different Sequences.

Configuring the VLAN Access-MAP:

SW1(config)#
SW1(config)#vlan access-map Nets_VACL
SW1(config-access-map)#match ip add Nets1
SW1(config-access-map)#action forward
SW1(config-access-map)#exit
SW1(config)#vlan access-map Nets_VACL
SW1(config-access-map)#match ip add Nets2
SW1(config-access-map)#action drop
SW1(config-access-map)#exit
SW1(config)#vlan access-map Nets_VACL
SW1(config-access-map)#action forward
SW1(config-access-map)#exit
SW1(config)#

Verify the VLAN Access-Map

SW1#sh vlan access-map
Vlan access-map “Nets_VACL” 10
Match clauses:
ip address: Nets1
Action:
forward
Vlan access-map “Nets_VACL” 20
Match clauses:
ip address: Nets2
Action:
drop
Vlan access-map “Nets_VACL” 30
Match clauses:
Action:
forward
SW1#

So logic tells me it should allow traffic for the Hosts to reach the Default Gateway, drop all traffic destined for the subnet it is part of, and the “Catch All” Clause.

Applying the VACL, and testing if the logic works!

SW1(config)#vlan filter Nets_VACL vlan-list 10
SW1(config)#

HostA#ping 10.0.0.100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/4 ms
HostA#ping 10.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
…..
Success rate is 0 percent (0/5)
HostA#ping 10.0.0.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
…..

Mission accomplished. However, after some testing I found that VACLs are ONLY FOR INTRA-VLAN traffic, and that a Layer 3 access list (a router ACL on the SVI, also programmed into the TCAM) is needed for Inter-VLAN Access-Control.

So it was a good idea, and could be applied if, say, you only want your PCs to reach a single Server on the VLAN and THAT’S it – So the theory can still be applied to other scenarios outside of Internet Access!

WHAT HAPPENS WHEN A CATCH ALL SEQUENCE IS NOT ADDED TO THE VACL!

I haven’t picked on Host B so I will prevent that from talking to any device on its VLAN, however I am not going to put the Sequence 20 “Action Forward” to see what happens.

Quick config and apply the VACL:

SW1(config)#ip access-list extended IsolateHostB
SW1(config-ext-nacl)#permit ip host 10.0.0.2 10.0.0.0 0.0.0.255
SW1(config-ext-nacl)#permit ip any any

SW1(config-ext-nacl)#exit
SW1(config)#vlan access-map IsolateHostB_VACL
SW1(config-access-map)#match ip add IsolateHostB
SW1(config-access-map)#action drop
SW1(config-access-map)#exit
SW1(config)#vlan filter IsolateHostB_VACL vlan-list 10
SW1(config)#

So I’ve added a “permit ip any any” to the ACL just to see if that helps at all; let’s test from some Hosts!

Host B (With an interesting test result):

HostB#ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
HostB#ping 10.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
…..
Success rate is 0 percent (0/5)
HostB#

I thought it was interesting to note that the VACL will not stop the Host from pinging itself. I didn’t entirely think it would, but it’s good to know for exam day: a ping to the host’s own address is answered by its own IP stack and never leaves the port, so the switch (and the VACL) never sees it.

So lets see how Host A likes this VACL:

HostA#ping 10.0.0.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
…..
Success rate is 0 percent (0/5)
HostA#ping 10.0.0.100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.100, timeout is 2 seconds:
…..
Success rate is 0 percent (0/5)
HostA#

This will literally drop all packets on your VLAN, as seen here: every packet matches the “permit ip any any” in Sequence 10 and is dropped, and anything that did not match would hit the implicit drop at the end of the map anyway. With VACLs, as with Route Maps, a catch-all Sequence is absolutely necessary for your network to forward traffic properly!

A couple of gotchas for exam day for SWITCH and TSHOOT – IMPORTANT!

The IP ACL written for the VACL is an ordinary named Extended ACL, so it can also be applied elsewhere in a topology: the VACL could be applied to one VLAN on the Switch, while the same IP ACL is applied to the Inbound / Outbound flow of an interface toward a Host!

Applied to an IP Interface with “ip access-group”, that ACL is evaluated on its own terms: “permit” now means allow, and the Implicit Deny at the end drops everything else, including return traffic, unless the IP ACL (made for the VACL) explicitly permits it.

This is trickery at its finest, don’t let it catch you on exam day!
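The three rules this post keeps coming back to (permit in the ACL means match, deny or no hit means try the next sequence, no matching sequence means drop) and the contrast with the same ACL applied on an interface are easy to state and easy to get backwards, so here is a way to check them offline. The following is an added example, not code from the original post or from Cisco: a small Python model of the lookup logic, loaded with the post’s own ACLs and access-maps (Host2HostACL_VACL, Nets_VACL and the no-catch-all IsolateHostB_VACL) and the lab’s 10.0.0.x addresses. The packets are constructed, and the ping helper assumes a ping succeeds only when both the echo request and the echo reply are forwarded, which is what the lab results above show.

```python
"""Model of VLAN access-map vs. interface-ACL evaluation for the post's lab.

Added example, not code from the original post or from Cisco. It models:
  * an ACL lookup (first matching ACE wins; None if nothing matched),
  * 'ip access-group' semantics (permit = allow, implicit deny at the end),
  * VACL semantics (ACL permit = match this sequence, ACL deny / no hit =
    try the next sequence, no match clause = match everything, no matching
    sequence = implicit drop).
Addresses, ACLs and access-maps are the post's; the packets are constructed.
"""
from ipaddress import IPv4Address

HOST = "0.0.0.0"                       # wildcard used for 'host x'
ANY = ("0.0.0.0", "255.255.255.255")   # 'any' as (address, wildcard)


def in_wildcard(addr, base, wildcard):
    """Cisco wildcard match: wildcard bits set to 1 are don't-care bits."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care


def acl_lookup(acl, src, dst):
    """Action of the first ACE matching src/dst: 'permit', 'deny', or None."""
    for action, s, sw, d, dw in acl:
        if in_wildcard(src, s, sw) and in_wildcard(dst, d, dw):
            return action
    return None


def interface_acl_permits(acl, src, dst):
    """'ip access-group' semantics: first match decides, implicit deny at the end."""
    return acl_lookup(acl, src, dst) == "permit"


def vacl_action(access_map, acls, src, dst):
    """VLAN access-map semantics: walk sequences in order; an ACL 'permit' is a
    match, an ACL 'deny' or no hit means try the next sequence; a sequence with
    no match clause (acl name None) matches everything; nothing matched -> drop."""
    for _seq, acl_name, action in sorted(access_map):
        if acl_name is None or acl_lookup(acls[acl_name], src, dst) == "permit":
            return action
    return "drop"


def ping_works(access_map, acls, src, dst):
    """Assumption: echo request src->dst and echo reply dst->src must both be forwarded."""
    return (vacl_action(access_map, acls, src, dst) == "forward"
            and vacl_action(access_map, acls, dst, src) == "forward")


# The post's ACLs as (action, src, src_wildcard, dst, dst_wildcard) entries.
ACLS = {
    "Host2HostACL": [("permit", "10.0.0.1", HOST, "10.0.0.3", HOST),
                     ("permit", "10.0.0.1", HOST, "10.0.0.4", HOST)],
    "Nets1": [("permit", "10.0.0.0", "0.0.0.3", "10.0.0.100", HOST)],
    "Nets2": [("permit", "10.0.0.0", "0.0.0.3", "10.0.0.0", "0.0.0.255")],
    "IsolateHostB": [("permit", "10.0.0.2", HOST, "10.0.0.0", "0.0.0.255"),
                     ("permit", *ANY, *ANY)],
}

# The post's access-maps as (sequence, ACL name or None for no match clause, action).
HOST2HOST_VACL = [(10, "Host2HostACL", "drop"), (20, None, "forward")]
NETS_VACL = [(10, "Nets1", "forward"), (20, "Nets2", "drop"), (30, None, "forward")]
ISOLATE_VACL_NO_CATCH_ALL = [(10, "IsolateHostB", "drop")]

if __name__ == "__main__":
    A, B, C, GW = "10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.100"
    print("Host2HostACL_VACL  A->C ping works:", ping_works(HOST2HOST_VACL, ACLS, A, C))
    print("Host2HostACL_VACL  C->A request:", vacl_action(HOST2HOST_VACL, ACLS, C, A),
          "/ A->C reply:", vacl_action(HOST2HOST_VACL, ACLS, A, C))
    print("Nets_VACL          A->GW ping works:", ping_works(NETS_VACL, ACLS, A, GW))
    print("Nets_VACL          A->B ping works:", ping_works(NETS_VACL, ACLS, A, B))
    print("No catch-all       A->GW ping works:", ping_works(ISOLATE_VACL_NO_CATCH_ALL, ACLS, A, GW))
    print("Same ACL via ip access-group, C->A allowed:", interface_acl_permits(ACLS["Host2HostACL"], C, A))
```

The last line is the exam gotcha in code form: Host2HostACL inside the VACL lets Host C’s request through (no ACE matches, so the catch-all forwards it), but the same ACL applied inbound on an interface denies it outright because nothing permits C as a source.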

That wraps up my look at this subject, and I am so glad to have labbed this fully!

Again, I highly encourage you to view Route Map configuration here even if ROUTE isn’t coming up for months, as it will give you a head start on understanding the logic!

If you hung in there for all that, I commend you, that topic got so much deeper into explanation during configuration than I thought – See you on the next fun topic! 🙂
