User Guide for Cisco Security Manager 4.4 (OL-28826-01)
Chapter 65, Managing Cisco Catalyst Switches and Cisco 7600 Series Routers, page 65-37
VLAN ACLs (VACLs)
Note: Security Manager does not support the creation or configuration of MAC ACLs (MACLs), which are
named ACLs that are sometimes used with VACLs to filter IPX, DECnet, AppleTalk, VINES, or XNS
traffic based on MAC addresses.
When you configure a VACL and apply it to a VLAN, all packets entering the VLAN are checked against
the VACL.
If you apply a VACL to a VLAN and you apply an ACL to a routed interface in that same VLAN, any
packet coming into the VLAN is first checked against the VACL. Then, if permitted, the packet is
checked against the input ACL before it reaches the routed interface.
When a packet is routed from one VLAN to another, it is first checked against the output ACL that is
applied to the routed interface. Then, if permitted, the packet is checked against any VACLs that are
configured for the destination VLAN.
If a VACL is configured for a packet type, and a packet of that type does not match the VACL, the default
action is deny.
VLAN Access Maps
Security Manager uses VLAN access maps to configure VACLs. Conceptually similar to a route map, a
VLAN access map is a container in which you place one or more statements (each pairing a set of match
conditions with an action) and number them by sequence so that they are evaluated in order. A VLAN
access map must identify the VLANs to which it is applied, carry the map name, and contain at least one
VACL sequence.
A VACL sequence must have a sequence number and at least one action, and must match at least one
ACL.
Devices evaluate map statements in sequence-number order, and the first statement whose match
condition is met determines the action taken on the packet. You can associate more than one VLAN
access map with any device chassis.
To manage a VACL, select a Catalyst device in Device View, then select Platform > VLAN Access
Lists. You use VLAN access maps to configure VACLs for IP traffic.
The following topics describe the actions you can perform when defining VACLs on Catalyst devices:
Creating or Editing VACLs, page 65-37
Deleting VACLs, page 65-39
VLAN Access Lists Page, page 65-39
Related Topics
VLANs, page 65-25
VLAN Groups, page 65-31
Chapter 65, “Managing Cisco Catalyst Switches and Cisco 7600 Series Routers”
Creating or Editing VACLs
When you create or edit a VACL, you must:
Name the VACL.
Define the VLANs to which the VACL applies.
Define a sequence map containing at least one VACL sequence.
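The following Python model is an added illustration, not Security Manager or Cisco IOS code. It ties together the two technical points of this page: the structure the requirements above impose on a VLAN access map (a name, the VLANs it applies to, and at least one numbered sequence with an action and a match ACL), and the evaluation order described under VLAN ACLs (VACLs), in which a packet routed between VLANs is checked against the ingress VACL, the input ACL on the routed interface, the output ACL on the egress routed interface, and finally the destination VLAN's VACL, with an unmatched IP packet dropped by a map that filters IP traffic. The ACL names, VLAN numbers, addresses and packets are constructed for the example; `render()` emits the equivalent IOS `vlan access-map` / `vlan filter` configuration.

```python
"""Model of Catalyst VLAN access maps (VACLs): structure, first-match evaluation,
the routed-packet check order, and rendering to IOS CLI.
Added example; all names, VLANs and addresses are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: str      # CIDR prefix
    dst: str      # CIDR prefix


@dataclass
class Acl:
    """A named IP ACL: first matching entry wins, implicit deny at the end."""
    name: str
    entries: List[Ace]

    def permits(self, pkt: Packet) -> bool:
        for ace in self.entries:
            if (ip_address(pkt.src) in ip_network(ace.src)
                    and ip_address(pkt.dst) in ip_network(ace.dst)):
                return ace.action == "permit"
        return False


@dataclass
class Sequence:
    number: int
    match_acls: List[Acl]   # "match ip address <acl>" clauses
    action: str             # "forward" or "drop"


@dataclass
class VlanAccessMap:
    name: str
    vlans: List[int]
    sequences: List[Sequence]

    def __post_init__(self) -> None:
        # Requirements from the page: a name, the VLANs it applies to, and at
        # least one sequence with a unique number, an action and a match ACL.
        if not self.name or not self.vlans or not self.sequences:
            raise ValueError("access map needs a name, VLANs and at least one sequence")
        numbers = [s.number for s in self.sequences]
        if len(set(numbers)) != len(numbers):
            raise ValueError("sequence numbers must be unique")
        for seq in self.sequences:
            if seq.action not in ("forward", "drop") or not seq.match_acls:
                raise ValueError(f"sequence {seq.number} needs an action and a match ACL")

    def evaluate(self, pkt: Packet) -> str:
        """First sequence (by number) whose ACL permits the packet decides the action."""
        for seq in sorted(self.sequences, key=lambda s: s.number):
            if any(acl.permits(pkt) for acl in seq.match_acls):
                return seq.action
        return "drop"   # the map filters IP, so an unmatched IP packet is dropped

    def render(self) -> str:
        """Equivalent IOS configuration for this map."""
        lines = []
        for seq in sorted(self.sequences, key=lambda s: s.number):
            lines.append(f"vlan access-map {self.name} {seq.number}")
            for acl in seq.match_acls:
                lines.append(f" match ip address {acl.name}")
            lines.append(f" action {seq.action}")
        lines.append(f"vlan filter {self.name} vlan-list {','.join(str(v) for v in self.vlans)}")
        return "\n".join(lines)


def routed_path(pkt: Packet, src_map: Optional[VlanAccessMap], in_acl: Optional[Acl],
                out_acl: Optional[Acl], dst_map: Optional[VlanAccessMap]) -> Tuple[bool, List[str]]:
    """Check order from the page for a packet routed between VLANs: ingress VACL,
    input ACL on the routed interface, output ACL on the egress routed interface,
    destination VLAN's VACL. Returns (forwarded, trace of stages)."""
    checks = [
        ("ingress VACL", lambda: src_map is None or src_map.evaluate(pkt) == "forward"),
        ("input ACL", lambda: in_acl is None or in_acl.permits(pkt)),
        ("output ACL", lambda: out_acl is None or out_acl.permits(pkt)),
        ("destination VACL", lambda: dst_map is None or dst_map.evaluate(pkt) == "forward"),
    ]
    trace: List[str] = []
    for stage, ok in checks:
        if not ok():
            return False, trace + [f"dropped by {stage}"]
        trace.append(stage)
    return True, trace


# Constructed sample policy: VLAN 10 hosts may reach server 10.2.2.10 in VLAN 20,
# except host 10.1.1.50, which the output ACL on the VLAN 20 SVI blocks.
TO_SERVER = Acl("TO-SERVER", [Ace("permit", "10.1.1.0/24", "10.2.2.10/32")])
ANY_TO_VLAN20 = Acl("ANY-TO-VLAN20", [Ace("permit", "0.0.0.0/0", "10.2.2.0/24")])
VACL10 = VlanAccessMap("VACL10", [10], [Sequence(10, [TO_SERVER], "forward")])
VACL20 = VlanAccessMap("VACL20", [20], [Sequence(10, [ANY_TO_VLAN20], "forward")])
SVI10_IN = Acl("SVI10-IN", [Ace("permit", "10.1.1.0/24", "0.0.0.0/0")])
SVI20_OUT = Acl("SVI20-OUT", [Ace("deny", "10.1.1.50/32", "0.0.0.0/0"),
                              Ace("permit", "0.0.0.0/0", "0.0.0.0/0")])


def demo(src: str, dst: str) -> Tuple[bool, List[str]]:
    """Route a constructed packet from VLAN 10 to VLAN 20 through the sample policy."""
    return routed_path(Packet(src, dst), VACL10, SVI10_IN, SVI20_OUT, VACL20)


if __name__ == "__main__":
    print(VACL10.render())
    for host, target in (("10.1.1.20", "10.2.2.10"), ("10.1.1.50", "10.2.2.10"), ("10.1.1.20", "10.3.3.3")):
        print(host, "->", target, demo(host, target))
```

The third sample packet shows the implicit deny described above: VACL10 filters IP traffic but has no sequence matching 10.1.1.20 to 10.3.3.3, so the packet is dropped at the ingress VACL before any interface ACL is consulted. Note that this models `match ip address` only; the MAC ACL matching that Security Manager does not support is deliberately left out.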