Cisco CCNP SWITCH 642-813

Campus Security: VACLs

by Jeremy Cioara

Start your 7-day free trial today.

This video is only available to subscribers.

A free trial includes:

  • Unlimited 24/7 access to our entire IT training video library.
  • Ability to train on the go with our mobile website and iOS/Android apps.
  • Note-taking, bookmarking, speed control, and closed captioning features.

Welcome to Cisco Switch: Watch Me First!

The Switches Domain: Core Concepts and Design

VLANs: Configuration and Verification

VLANs: In-Depth Trunking

VLANs: VLAN Trunking Protocol

STP: Foundation Per-VLAN Spanning Tree Concepts, Part 1

STP: Foundation Per-VLAN Spanning Tree Concepts, Part 2

STP: Rapid Spanning Tree Concepts and Configuration

EtherChannel: Aggregating Redundant Links

L3 Switching: InterVLAN Routing Extraordinaire

L3 Switching: Understanding CEF Optimization

Redundancy in the Campus: HSRP, VRRP, and GLBP Part 1

Redundancy in the Campus: HSRP, VRRP, and GLBP Part 2

Campus Security: Basic Port Security and 802.1x

Campus Security: VLAN and Spoofing Attacks

Campus Security: STP Attacks and Other Security Considerations

Campus VoIP: Overview, Considerations, and AutoQoS

Wireless LAN: Foundation Concepts and Design Part 1

Wireless LAN: Foundation Concepts and Design Part 2

Wireless LAN: Frequencies and 802.11 Standards

Wireless LAN: Understanding the Hardware

The Switches Domain: Additional Life-Saving Technology

Monitoring: Your Pulse on the Network

Campus Security: VACLs

00:00:00 - We've come to this nugget, with one objective in mind: and that
00:00:04 - is to understand this concept of VACLs. Now everybody love's
00:00:09 - Access List. I know some of you are like: "Well, I don't love
00:00:12 - Access List". Well, the more you are in Cisco, the more you are
00:00:15 - like, "well, they are kind of fun, they are pretty cool", "kind
00:00:18 - of bend your mind a little bit in logic and all that kind of
00:00:20 - stuff". Cisco found a way to take an access list and apply it
00:00:24 - to a VLAN, and they called it a VACL. Now, if
00:00:28 - I were putting together a Cisco Certification Program for Switching,
00:00:32 - me Jeremy Char, personally was doing it, I would have probably
00:00:36 - left VACLs off. Simply because it is one of those concepts that
00:00:40 - you are going to see, you are going to look at it, and be like:
00:00:42 - "Ok, it is kind of cool, but I am not too sure where I would
00:00:45 - use that". And I would say, I have actually learned, and relearned,
00:00:51 - and relearned VACLs many many times, and it is primarily to study
00:00:54 - for a Certification Exam, just because when you get to the real
00:00:57 - world, it is not something I have seen used very often. I am
00:01:00 - not saying you would not be able to find a situation where you
00:01:03 - would use it, it is just not something I have seen been done
00:01:06 - very often. So with all that being said, I did not write the
00:01:10 - Cisco Certification Program, and someone else did, so they have
00:01:12 - decided to add VACLs, and they even went a step further...and
00:01:15 - as a matter of fact, if I just grab my pen here...They also added
00:01:18 - something on there called
00:01:21 - PACLs. You might have said, "This is just getting silly". It
00:01:24 - kind of is. It is P-A-C- L. It actually stands for Port Access
00:01:29 - Control List. What it is, it is simply applying an Access List,
00:01:34 - whether be a MAC Address Access List, or an IP Access List, to
00:01:38 - a layer two switch board. Which previously was not possible,
00:01:41 - and in the old days before multi-layer switching came about.
00:01:45 - So I though the best way to talk about VACLs and PACLs would
00:01:51 - just be to talk about them through a demonstration to show them
00:01:54 - to you. Here is the idea; A VACLs filters the entire VLAN landscape.
00:02:00 - So let's say we got this switch right here, and I just came up
00:02:03 - with a simple scenario, it got two VLANs: 10 and 30. And now
00:02:06 - I want to set it up in such a way that, VLAN 10 only allows
00:02:13 - the
00:02:15 - subnet. That means that if anybody plugs in...let's say for example,
00:02:19 - this guy right here plugs into the network on VLAN 10, "click"
00:02:21 - the network cable attaches, and he has the statically assigned
00:02:26 - address
00:02:30 - As soon as he tries to get into that VLAN, essentially the network
00:02:33 - landscape, he will be blocked, denied and restricted by this
00:02:36 - VACL that has been applied. That's the idea of VACLs, is that
00:02:40 - they apply to that entire landscape. I said, it is typically
00:02:43 - found in larger environments, some because it originated as a
00:02:47 - feature of the 6500 Switch. Now, the 6500 has the capability
00:02:53 - that my little 3550 here does not have. And that is the ability
00:02:57 - to use a VACL to redirect traffic. Now this would be a good use
00:03:02 - for it. In my opinion, it is probably the more popular use for
00:03:05 - it. Essentially you can go in, and create a VACL, in the same
00:03:10 - way right here, that says: "I want to match this subnet on VLAN
00:03:15 - 10, and I want to redirect that traffic to, we'll say, an IPS
00:03:20 - Sensor, and IDS Blade that allows you to sort through, and filter
00:03:25 - all that traffic through your security parameters. In this example,
00:03:28 - your VACL could even grab, you know, all traffic and just redirected
00:03:31 - it, filter out to an IPS Sensor, or maybe you have a DMZ VLAN,
00:03:35 - or something like that, you might want to do that, it's always
00:03:37 - very handy. The lower level switches, like my 3550, only allows
00:03:42 - you to use a VACL to permit and deny. Which again, is kind of
00:03:45 - cool, it is a neat feature, so let's talk about, let's work through
00:03:50 - this example. (Just let me get rid of all my gibberish here). Here
00:03:54 - is how it works: I am going to go Switch A, and literally create
00:03:58 - 2 VLANs. Let me bring my screen here. So we got the Switch.
00:04:03 - Go to Global Config. Mode, and I am going to do VLAN 10 and VLAN
00:04:09 - 30. Show VLAN.
00:04:13 - So we go, and we got a couple of them that were hanging out in
00:04:16 - the VLAN database, but VLAN 10 and VLAN 30 are definitely in
00:04:19 - there. So they are now created. And the scenario that we are
00:04:23 - working through says: "Ok, we've got clients on VLAN 10, and
00:04:26 - they should be restricted to the 10.1, 10.0. So no other IP address
00:04:30 - should be able to use on that subnet, or on that VLAN, other
00:04:34 - than this specific subnet. Same thing for VLAN 30, you got the
00:04:37 - subnet right here. Now, the way VACLs work are very similar to
00:04:43 - Route Maps. If you deal with Route Maps before on Routers, or
00:04:47 - you could even go on layer-three switch, they kind of a little
00:04:52 - programming language where you have sequence numbers. I always
00:04:54 - compare them to basic programming and an old commodore amigo computer
00:04:57 - but, you can have Line 10, Line 20, Line 30, kind of process
00:05:01 - through an order, one by one. So let me how I would have accomplished
00:05:05 - this scenario right here. Go
00:05:07 - to Global Config. Mode, first thing I would do is: Create a couple
00:05:11 - of Access Lists, to match these parameters. So I would say, VLAN
00:05:16 - 10, is going to match, so I am going to use, access-list;
00:05:23 - one; permit;;
00:05:28 - this is my master mask. Done. Very simple Access List, and is
00:05:32 - only filtering based on the source, because that's what the scenario
00:05:37 - requires. That only these sources should be allowed on that subnet.
00:05:41 - Now you can use an extended Access List with VACLs, that's not
00:05:44 - a problem, you can even use a Mac Address Access List. For example,
00:05:47 - I can go in here, and say...Mac,
00:05:51 - Access List...then we'll just say, this is an extended Access
00:05:56 - List; then I'll say the name of this is...we'll
00:06:00 - say Server.
00:06:03 - Now I can go underneath that, and use a Permit setting; Permit,
00:06:06 - we'll say "Any source Mac Address to access the destination 111"...well,
00:06:12 - actually I don't want to use a wildcard, so I'll put Host,
00:06:14 - 1111.1111.2222. Ok, so that's the Server. And that would
00:06:18 - be creating a Mac Address Access List, so I can say; this VLAN
00:06:22 - will only allow people to access that one destination Mac Address.
00:06:26 - Now again, you are probably looking at it, just like I am right
00:06:28 - now, and going "Wow, that's pretty cool! SO you are saying Jeremy,
00:06:31 - that I could create a VACL that only allows people to access
00:06:34 - one Mac Address?" Again, pretty neat. But again, unfortunately,
00:06:38 - I know...well, I don't know but I would assume that if you are
00:06:41 - like me, and get done with this nugget, and be like "Ok, I am
00:06:44 - ready for the exam", or for whatever you are going to apply this
00:06:47 - knowledge to, but then a couple of weeks after the exam, you
00:06:50 - will have forgotten, because, again, I haven't found a great
00:06:54 - use for this, where I am like "Oh, VACLS are so so amazing! That's
00:06:59 - kind of a buzz killer; I should come up with a great
00:07:03 - story. Well, it's too late. I've never used it in production,
00:07:07 - I'm just being honest. So, let's get back to our scenario.
00:07:13 - So, let me now go back to my #do show access list-1.
00:07:19 - So there's my 2 access lists. I need to create one more access
00:07:22 - list, we'll say #access-list
00:07:26 - 2 permit
00:07:31 - Now I have my two access lists, one for each VLAN.
00:07:38 - So here's where the VACL comes in, and I will say that the syntax
00:07:40 - is not...I mean, once you use it for a while, it's ok, but it's
00:07:44 - not friendly to start with. You actually create something called
00:07:48 - a VLAN access map. So I'm going to type in #vlan access-map.
00:07:54 - Now again, if you've dealt with route maps, think exactly that
00:07:57 - same thing. When I do access map, it's going to ask me for a
00:08:00 - name, and I will say this is DEMO, we'll just name it, a case
00:08:04 - sensitive name, would you need that? And I will say here's my
00:08:09 - sequence number. So, I'll just start with sequence number 10,
00:08:12 - which if I just hit into it, would just be the default. And just
00:08:16 - like a route map, I'm going to have my match in action statements.
00:08:19 - So instead of match in set, if you've dealt with route maps,
00:08:22 - we have match and then action. What do you want to do with it? So,
00:08:25 - I'll say #match ip address
00:08:29 - and we'll say that this is match access list 1. This would be
00:08:33 - for VLAN...10...actually,
00:08:38 - I should have named this differently, but you've got the concept.
00:08:41 - We've got VLAN 10, so I'm going to say #match access list 1,
00:08:44 - which is the ip address in VLAN 10, and the action will be forward
00:08:52 - (#action forward). You're catching that? Now what's that doing?
00:08:55 - Let me go back here and just do a show run slash include.
00:09:01 - Let's just do begin with
00:09:04 - (#show run begin | vlan access-map).
00:09:11 - So right there we've got our VLAN access-map DEMO 10 that says
00:09:15 - if it matches the ip address. The source address is to find an
00:09:21 - access to this one, which we know are the 10.1.10. subnet. Then
00:09:26 - go ahead and forward it. So, I can then go, this is not necessary,
00:09:29 - because if you don't permit something, it will by default be
00:09:32 - denied. But just to show you how much like route map these are... I'm
00:09:35 - going to add another sequence number, we'll say DEMO 20. And
00:09:38 - I'll just say #action drop. You might say "What
00:09:45 - did that match?", as you don't have any match statement. Remember,
00:09:49 - it's just like a route map, if there's no match statement, then
00:09:52 - it's going to match everything. So again, walking through this
00:09:54 - demo access map, says sequence number 10 if it's these guys for
00:09:59 - them. However, if you're anything else, meaning that there's
00:10:02 - no match statement, then you will be dropped. So, once this is
00:10:07 - done, it's just like creating a route map, it doesn't take a
00:10:09 - fact until you apply it somewhere. So when you go back to the
00:10:13 - global config mode, I'm going to apply using the VLAN filter
00:10:17 - command. So, say #vlan filter and you'll say "What is the VLAN
00:10:21 - map name?" and I'll say the map name is DEMO. I'm going to apply
00:10:25 - that to the VLAN list, and that's where I can put my VLANs in.
00:10:29 - So this is just for VLAN list 10. But you can see that we can
00:10:32 - put in multiple VLANs, like VLANs 10 through 20, or VLAN 10 comma
00:10:37 - 30, comma 90. Those kind of things, it's totally fair game to
00:10:41 - apply it to anything or all VLANs. Now we'll allow filter VLAN
00:10:45 - 10. Now what about VLAN 30? Same kind of thing. We've already
00:10:50 - got the access list
00:10:54 - created forward, access list number 2.
00:10:57 - So I will create another access map, I'll say #vlan access-map
00:11:02 - and I'll just call this one DEMO1
00:11:05 - and we'll use sequence number 10. Same kind of thing. #match
00:11:09 - ip address 2 #action
00:11:12 - forward #exit Let's just add sequence 20. And I'll say #action
00:11:18 - drop. If you're looking for a nice concise demo of all of those
00:11:23 - things put together, I can then go on and say #vlan filter
00:11:28 - DEMO1. It's going to be the name of the access map. The VLAN
00:11:32 - I'm going to apply to is VLAN 30. Enter, done. So that's allowing
00:11:39 - you to apply
00:11:40 - access list to an entire VLAN landscape and filter these specific
00:11:47 - subnets to be allowed on those. Now again, this is just a very
00:11:51 - simple demonstration, so that you can see VACLs, see how they're
00:11:54 - used, but keep in mind that you can use extended access lists,
00:11:59 - you can use MAC address accesses, you can combine them all together
00:12:01 - with an access map. So there's all kinds of different ways that
00:12:05 - this can be applied, that just being one of them. Now while we're
00:12:10 - all here, I don't have a scenario for it, because it's very simple.
00:12:13 - I want also to add one more piece on the good old PACLs. Remember,
00:12:17 - I was saying we have VACLs, which is an access list applied to
00:12:20 - a VLAN, and we have PACLs, which is really just an access list
00:12:25 - applied to a port. Now the reason they came out with the specific
00:12:28 - name PACL and they didn't just call it an ACL, is because this
00:12:33 - is applying an ACL 2 layer 2 port. Now, if this is a layer 3
00:12:38 - port, you know, you get there by going the no switch port command,
00:12:43 - and you're applying an access list to it, it's not called a PACL,
00:12:47 - it's just an AXL, an access list, it's an ACL. Around an access
00:12:50 - list, it's applied to a layer 3 interface. But once it's a layer
00:12:53 - 2 interface, you can apply a PACL. Now the catch is PACLs, it's
00:12:57 - fun to say. It can only be applied inbound, in one direction.
00:13:02 - That's how they have the logic of the A 6 of the switch. So,
00:13:07 - I'm going to go into my switch and again, I'm not going to go
00:13:09 - through everything, because you just create an access list. It
00:13:12 - could be a standard one, it could be an extended access list,
00:13:15 - it could be a MAC address access list. You wander whatever interface
00:13:19 - you want and it's just like a router. If I want to apply an access
00:13:25 - list, how do you do it on a router? #ip access-group 1 in You
00:13:31 - can see inbound PACLs, so that doesn't give you the option for
00:13:35 - out. And it's saying "conflict with your vlan filters" that you've
00:13:38 - applied. So, it's giving me no worries, but that's now considered
00:13:44 - a PACL because it's applied there. Now if I wanted to apply a
00:13:46 - MAC address access list, I could just use #mac access-group
00:13:52 - and then you would type in the ACL name like I've created before
00:13:56 - and apply that inbound as well. Now you're filtering it based
00:13:59 - on the MAC address of the server. So, again, multiple ways that
00:14:04 - you can apply ACLs on layer 3 switches, VACLs to the entire landscape
00:14:08 - and PACLs to the port.
00:14:11 - I hate it when I do that. I summarized on a non-summary slide.
00:14:15 - So when I get to the summary slide, I think "Well, what do I
00:14:18 - say now?
00:14:20 - Look at that house. Isn't it neat?" I hope this has been informative
00:14:25 - to you and I'd like to thank you for viewing.

Please help us improve by sharing your feedback on training courses and videos. For customer service questions, please contact our support team. The views expressed in comments reflect those of the author and not of CBT Nuggets. We reserve the right to remove comments that do not adhere to our community standards.

comments powered by Disqus

Course Features

Speed Control

Play videos at a faster or slower pace.


Pick up where you left off watching a video.


Jot down information to refer back to at a later time.

Closed Captions

Follow what the trainers are saying with ease.

Premium Features

Transcender® Practice Exams

These practice tests help you review your knowledge and prepare you for exams.

Offline Training

Our mobile apps offer the ability to download videos and train anytime, anywhere offline.

Accountability Coaching

Develop and maintain a study plan with assistance from coaches.
Jeremy Cioara

Jeremy Cioara

CBT Nuggets Trainer

Cisco CCNA, CCDA, CCNA Security, CCNA Voice, CCNP, CCSP, CCVP, CCDP, CCIE R&S; Amazon Web Services CSA; Microsoft MCP, MCSE, Novell CNA, CNE; CompTIA A+, Network+, iNet+

Area Of Expertise:
Cisco network administration and development. Author or coauthor of numerous books, including: CCNA Voice 640-461 Official Cert Guide; CCNA Voice Official Exam Certification Guide (640-460 IIUC); CCENT Exam Prep (Exam 640-822); CCNA Exam Cram (Exam 640-802) 3rd Edition; and CCNA Voice 640-461 Official Cert Guide.

Stay Connected

Get the latest updates on the subjects you choose.

  © 2015 CBT Nuggets. All rights reserved. Licensing Agreement | Billing Agreement | Privacy Policy | RSS