Understanding VACLs
VACL Overview
VACLs can provide access control for all packets that are bridged within a VLAN or that are routed into
or out of a VLAN or a WAN interface for VACL capture. Unlike regular Cisco IOS standard or extended
ACLs, which are configured on router interfaces only and are applied to routed packets only, VACLs apply to
all packets and can be applied to any VLAN or WAN interface. VACLs are processed in hardware. VACLs
use Cisco IOS ACLs. VACLs ignore any Cisco IOS ACL fields that are not supported in hardware.
You can configure VACLs for IP, IPX, and MAC-Layer traffic. VACLs applied to WAN interfaces
support only IP traffic for VACL capture.
When you configure a VACL and apply it to a VLAN, all packets entering the VLAN are checked against
this VACL. If you apply a VACL to the VLAN and an ACL to a routed interface in the VLAN, a packet
coming into the VLAN is first checked against the VACL and, if permitted, is then checked against the
input ACL before it is handled by the routed interface. When the packet is routed to another VLAN, it
is first checked against the output ACL applied to the routed interface and, if permitted, the VACL
configured for the destination VLAN is applied. If a VACL is configured for a packet type and a packet
of that type does not match the VACL, the default action is deny.
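The evaluation order described above (source-VLAN VACL, then the routed interface's input ACL, then the output ACL, then the destination-VLAN VACL) and the default-deny rule are easy to misjudge when troubleshooting dropped traffic. The following is an added worked model of that order, not Cisco IOS code or configuration syntax; the VLAN numbers, addresses, ACL entries and packets are constructed for the illustration, and it simplifies by applying routed-interface ACLs to IP packets only. A VACL is modelled as ordered sequences, each pairing a packet type and a match ACL with an action, the way an access map pairs a match clause with a forward or drop action; a packet type the VACL has no sequence for is forwarded, while a packet of a configured type that no sequence selects is dropped.

```python
"""Model of the VACL / interface-ACL evaluation order from the VACL Overview.
Constructed illustration; not Cisco IOS code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "ip", "ipx" or "mac": the three VACL packet types
    src: str        # IP address for proto == "ip", otherwise a plain string
    dst: str
    src_vlan: int   # VLAN the packet enters
    dst_vlan: int   # equal to src_vlan for bridged traffic


def _field_matches(pattern: str, value: str, proto: str) -> bool:
    if pattern == "any":
        return True
    if proto == "ip":
        return ip_address(value) in ip_network(pattern, strict=False)
    return pattern.lower() == value.lower()


@dataclass
class AclEntry:
    permit: bool
    src: str = "any"
    dst: str = "any"

    def matches(self, pkt: Packet) -> bool:
        return (_field_matches(self.src, pkt.src, pkt.proto)
                and _field_matches(self.dst, pkt.dst, pkt.proto))


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """IOS ACL semantics: first matching entry wins, implicit deny at the end."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.permit
    return False


@dataclass
class VaclSequence:
    proto: str              # packet type this sequence matches (ip / ipx / mac)
    acl: List[AclEntry]     # match ACL; its permit entries select packets
    action: str             # "forward" or "drop"


def vacl_action(vacl: List[VaclSequence], pkt: Packet) -> str:
    """First sequence whose match ACL permits the packet supplies the action.
    Configured type but nothing selected the packet -> default deny (drop).
    Type the VACL says nothing about -> forward."""
    configured_for_type = False
    for seq in vacl:
        if seq.proto != pkt.proto:
            continue
        configured_for_type = True
        if acl_permits(seq.acl, pkt):
            return seq.action
    return "drop" if configured_for_type else "forward"


@dataclass
class Vlan:
    vacl: List[VaclSequence] = field(default_factory=list)
    in_acl: Optional[List[AclEntry]] = None    # inbound IP ACL on the routed interface
    out_acl: Optional[List[AclEntry]] = None   # outbound IP ACL on the routed interface


def process(vlans: Dict[int, Vlan], pkt: Packet) -> List[str]:
    """Return the ordered trace of checks; the last element is the packet's fate."""
    trace = []
    act = vacl_action(vlans[pkt.src_vlan].vacl, pkt)
    trace.append(f"vacl(vlan {pkt.src_vlan}):{act}")
    if act == "drop":
        return trace + ["dropped"]
    if pkt.dst_vlan == pkt.src_vlan:
        return trace + ["bridged"]          # bridged: only the source-VLAN VACL applies
    src_in = vlans[pkt.src_vlan].in_acl     # routed path (interface ACLs modelled for IP only)
    if pkt.proto == "ip" and src_in is not None:
        ok = acl_permits(src_in, pkt)
        trace.append(f"in-acl(vlan {pkt.src_vlan}):{'permit' if ok else 'deny'}")
        if not ok:
            return trace + ["dropped"]
    dst = vlans[pkt.dst_vlan]
    if pkt.proto == "ip" and dst.out_acl is not None:
        ok = acl_permits(dst.out_acl, pkt)
        trace.append(f"out-acl(vlan {pkt.dst_vlan}):{'permit' if ok else 'deny'}")
        if not ok:
            return trace + ["dropped"]
    act = vacl_action(dst.vacl, pkt)
    trace.append(f"vacl(vlan {pkt.dst_vlan}):{act}")
    return trace + ["dropped" if act == "drop" else "routed"]


# Constructed topology: VLAN 10 only admits IP sources from its own subnet,
# VLAN 20 drops anything sent to one protected host, VLAN 30 has no filtering.
VLANS = {
    10: Vlan(vacl=[VaclSequence("ip", [AclEntry(True, "10.1.10.0/24")], "forward")],
             in_acl=[AclEntry(True, "10.1.10.0/24", "10.1.20.0/24")]),
    20: Vlan(vacl=[VaclSequence("ip", [AclEntry(True, "any", "10.1.20.99/32")], "drop"),
                   VaclSequence("ip", [AclEntry(True)], "forward")],
             out_acl=[AclEntry(True, "any", "10.1.20.0/24")]),
    30: Vlan(),
}

if __name__ == "__main__":
    for p in (Packet("ip", "10.1.10.5", "10.1.10.7", 10, 10),      # bridged, permitted
              Packet("ip", "192.168.99.1", "10.1.10.7", 10, 10),   # bridged, default deny
              Packet("mac", "0000.1111.2222", "ffff.ffff.ffff", 10, 10),  # no MAC sequence
              Packet("ip", "10.1.10.5", "10.1.20.99", 10, 20),     # dropped by dest VACL
              Packet("ip", "10.1.10.5", "10.1.30.1", 10, 30)):     # dropped by input ACL
        print(p.proto, p.src, "->", p.dst, " ".join(process(VLANS, p)))
```

The trace for each packet shows which stage decided its fate: the spoofed-source frame never reaches the interface ACL because the VLAN 10 VACL has an IP sequence and nothing selected the packet, whereas the non-IP frame passes that same VACL untouched because no sequence was configured for its type.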
Note
• TCP Intercepts and Reflexive ACLs take precedence over a VACL action if these are configured on the same interface.
• VACLs and CBAC cannot be configured on the same interface.
• IGMP packets are not checked against VACLs.
• When VACL capture is configured with Policy Based Routing (PBR) on the same interface, do not select BDD as the ACL merge algorithm. We recommend using ODM, the default ACL merge algorithm for the Supervisor Engine 720.
Bridged Packets
Figure 35-1 shows a VACL applied on bridged packets.
Figure 35-1 Applying VACLs on Bridged Packets
[Figure: labels Host A (VLAN 10), Host B (VLAN 20), VACL, Supervisor Engine, MSFC, Bridged]
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
Chapter 35 Configuring VLAN ACLs
OL-4266-08
35-2