02-14-2017 05:47 PM - edited 03-08-2019 09:20 AM
I am looking to employ VACL functionality on some 2960Xs to filter intra-VLAN traffic. In reading through the 2960X configuration document for 15.0(2)E, it says, "On switches running the LAN Base feature set, VLAN maps are not supported."
This doesn't make sense to me as VLAN Maps are a L2 function, and the only more robust feature set includes upgrading switch hardware to support IP Lite. The ASICs on a LAN Base device support a L2 ACL applied directly to an interface (which in effect does the same thing as a VACL, I believe), so I'm just curious if anyone knows if this Cisco document is indeed accurate, or if they meant to say VLAN maps aren't supported within the LAN Lite feature set. The devices I have are in a secure environment, so I unfortunately don't have the ability to test before deployment.
Thanks in advance!
02-14-2017 07:19 PM
Hi
It could be verified using this tool.
http://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/index.jsp
VACLs are used to filter traffic for specific VLAN(s), using maps with a sequence and an action applied to them. The traffic must be allowed in both directions in order to get it to work. Take into consideration that using VACLs could increase the CPU utilization on your device.
In order to verify if your device is able to run VACLs, try to execute these commands:
conf t
vlan access-map
or
vlan filter TEST vlan-list
Hope it is useful
:-)
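A worked VLAN map built along the lines described above (sequenced entries, an action on each, and both directions permitted), added here as an example and not taken from any post in this thread; the VLAN number, addresses and names are assumptions. It lets hosts in VLAN 10 reach a server and the gateway while dropping IP traffic between the hosts themselves:

```cisco
! Constructed example. Assumed: VLAN 10 = 10.1.10.0/24, gateway 10.1.10.1,
! server 10.1.10.5. Nothing here comes from the original thread.
!
! Permit traffic to AND from the allowed hosts (a VACL sees both directions).
ip access-list extended VLAN10-ALLOWED
 permit ip any host 10.1.10.5
 permit ip host 10.1.10.5 any
 permit ip any host 10.1.10.1
 permit ip host 10.1.10.1 any
!
! Anything else that stays inside the subnet is host-to-host traffic.
ip access-list extended VLAN10-INTRA
 permit ip 10.1.10.0 0.0.0.255 10.1.10.0 0.0.0.255
!
! Entries are checked in sequence order; the first match wins.
vlan access-map VLAN10-MAP 10
 match ip address VLAN10-ALLOWED
 action forward
vlan access-map VLAN10-MAP 20
 match ip address VLAN10-INTRA
 action drop
! A VLAN map ends in an implicit drop, so forward everything not matched
! above (off-subnet IP traffic, ARP, DHCP broadcasts) explicitly.
vlan access-map VLAN10-MAP 30
 action forward
!
! Apply the map to the VLAN (no interface binding, unlike a port ACL).
vlan filter VLAN10-MAP vlan-list 10
!
! Verify the map and where it is applied.
show vlan access-map VLAN10-MAP
show vlan filter vlan-list 10
```

Sequence 30 still forwards ARP between the hosts, so peers can resolve each other's MAC while their IP traffic is dropped at sequence 20; add a `match mac address` entry if non-IP traffic between hosts must be blocked as well.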
02-14-2017 07:21 PM
Hi Julio,
Shouldn't a VACL employ its policy by using the ASIC and therefore not cause any CPU spikes?
Getting access to the devices to run those commands is quite difficult and requires jumping through quite a few hoops - but I'll try.
Thanks.
02-14-2017 07:26 PM
Hi
Yeap, actually I have configured VACLs that include a lot of ACLs with object-groups.
:-)
02-20-2017 10:34 AM
Julio, thanks for verifying.
I was able to put a VACL/VLAN Map in place and verify functionality on 4 2960Xs utilizing the LAN Base code over the weekend, so it appears this documentation is wrong.