Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1008
Views
0
Helpful
4
Replies

VACLs really not supported on 2960X LAN Base?

Phillip Simonds
Level 1
Level 1

‎02-14-2017 05:47 PM - edited ‎03-08-2019 09:20 AM

I am looking to employ VACL functionality on some 2960Xs to filter intra-VLAN traffic. In reading through the 2960X configuration document for 15.0(2)E, it says, "On switches running the LAN Base feature set, VLAN maps are not supported." 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01011.html

This doesn't make sense to me as VLAN Maps are a L2 function, and the only more robust feature set includes upgrading switch hardware to support IP Lite. The ASICs on a LAN Base device support a L2 ACL applied directly to an interface (which in effect does the same thing as a VACL I believe), so I'm just curious if anyone knows if this Cisco document is indeed accurate, or if they meant to say VLAN maps aren't supported within the LAN Lite feature set. The devices I have are in a secure environment, so I unfortunately don't have the ability to test before deployment..

Thanks in advance!

Labels:
0 Helpful
4 Replies 4

Julio E. Moisa
VIP
VIP

‎02-14-2017 07:19 PM

Hi 

It could be verified using this tool.

http://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/index.jsp

VACL are used to filter traffic for specific vlan(s), using maps with sequence and an action is applied to them. The traffic must be allowed on both ways in order to get it work. Take in consideration that using VACL could increase the CPU utilization on your device. 

In order to verify if your device is able to run VACL try to execute this command

conf t

vlan access-map

or 

vlan filter TEST VLan-list

Hope it is useful 

:-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful

Phillip Simonds
Level 1
Level 1
In response to Julio E. Moisa

‎02-14-2017 07:21 PM

Hi Julio,

Shouldn't a VACL employ it's policy by using the ASIC and therefore not cause any CPU spikes?

Getting access to the devices to run those commands is quite difficult and requires jumping through quite a few hoops - but I'll try.

Thanks.

0 Helpful

Julio E. Moisa
VIP
VIP
In response to Phillip Simonds

‎02-14-2017 07:26 PM

Hi

Yeap, Actually I have configured VACL that includes a lot of ACL's with object-groups. 

:-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful

Phillip Simonds
Level 1
Level 1
In response to Julio E. Moisa

‎02-20-2017 10:34 AM

Julio, thanks for verifying.

I was able to put a VACL/VLAN Map in place and verify functionality on 4 2960Xs utilizing the LAN Base code over the weekend - so it appears this documentation is wrong.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card