Cisco Guest Blog

Check out my guestblog @ Cisco: http://blogs.cisco.com/perspectives/dmz-basics

 

Advertisements

Port Access-Lists (PACL)

A while ago I blogged about VACL or Vlan Access-Lists. PACL and VACL are really connected to each other. In this blogpost I will show you how PACL works and how to configure it on a Cisco switch.

First of all, what is PACL. PACL makes it possible to filter incoming traffic on a layer 2 interface using layer 3 or 4 information.

First some restrictions on PACL

  • There can only be one ACL applied to a layer 2 interface per direction
  • PACL don’t filter later 2 traffic like CDP, VTP, DTP, UDLD and STP because this traffic is handled by the Route Processor before the applied ACL takes effect
  • The number of ACL’s that can be configured as part of the PACL configuration is bounded by the hardware resources of the switch
  • A MAC ACL is not applied to IP, MPLS or ARP messages
  • Only named MAC ACL can be used

I spoke earlier about the interaction between PACL and VACL. When they are both used on the switch and the traffic is bridged, PACL will always be applied before VACL’s. PACL will even override a “normal” ACL that is applied to the same interface (for this situation is only one exception, if packets are forewarded in software by the RP. If this is true an ” normal” ACL will take precedence over the PACL). Summarizing the above:

  • PACL for the ingress port
  • VACL for the egress vlan
  • VACL vfor the egress vlan

Below a schematic of this.

*PACL_bridged

It’s fairly easy to configure this, below an example of my lab and how to configure this:

topology

PACL_portconfig

PACL_acl

 

It’s a little different when the traffic is routed. The next is true for routed packets:

  • PACL for the ingress port
  • VACL for the ingress vlan
  • Input Cisco IOS ACL
  • Output Cisco IOS ACL
  • VACL for the egress vlan

Below a schematic of the above:

*PACL_routed

 

PACL can come in handy when you want to deny access of a PC/Server to another PC/Server in the same vlan and you can’t change the vlan of the machines.

 

More information on this topic can be found on the Cisco site (http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/port_acls.pdf).
*=I found the used schematics on the Cisco site and borrowed them!

VLAN Access Control Lists

A customer asked me if it is possible to block ping (or icmp) from host 1 to host 2 in the same vlan.
Yes this is possible, if you use a so called VLAN Access Control List or VACL.

It’s fairly easy to configure. First of all, create a vlan:
!
conf t
!
vlan 100
name Test
!

Then create a SVI (this is not mandatory):
!
conf t
!
int vlan 100
ip address 10.0.0.254 255.255.255.0
no shut
!

Create an extended access list in which you permit the traffic you want to drop:
!
conf t
!
ip access-list extended VACL_test
permit icmp host 10.0.0.1 host 10.0.0.2
!

Create the access-map:
!
conf t
!
vlan access-map VACL_no_icmp
action drop
match ip address VACL_test // this points to the access list created earlier
vlan access-map VACL_no_icmp
action forward // this permits all other traffic
!

Now connect the access-map to the vlan:
!
conf t
!
vlan filter VACL_no_icmp vlan-list 100
!

Try pinging from host A to host B and you will see it isn’t possible. Try pinging your default gateway and you will see this is possible.
With other words, the VACL is functioning as intended.