Cisco Nexus VACL and Remote Management Configuration Guide
Welcome to the final part of the Cisco Nexus NX-OS configuration series.
This guide combines:
- Part 10 - VLAN Access Maps (VACLs)
- Part 11 - Remote Management using Telnet and SSH
This is one of the most important security sections in enterprise and data center switching because VLAN Access Maps provide highly granular filtering inside VLANs.
Previous Parts
- Part 1 - Cisco Nexus VLAN and Trunk Configuration
- Part 2 - Cisco Nexus Static Port-Channel Configuration
- Part 3 - Cisco Nexus LACP Configuration
- Part 4 - Cisco Nexus SVI and Port Security
- Part 5 - Cisco Nexus Security Configuration
Table of Contents
- 1. Understanding VACLs
- 2. Block IGMP Traffic in VLAN 10
- 3. Block TFTP Traffic in VLAN 20
- 4. Block Malicious MAC Address
- 5. Configure VLAN Access Maps
- 6. Apply VLAN Filters
- 7. Verification Commands
- 8. Configure Remote Management
- 9. Networking Mathematics
- 10. Modern Security Best Practices
- 11. Troubleshooting
- 12. Related Articles
1. Understanding VACLs
VACL stands for:
VLAN Access Control List
Compared with the other ACL types on NX-OS:
- RACLs filter routed traffic
- PACLs filter traffic on a physical port
- VACLs filter traffic bridged within a VLAN
Why VACLs Matter
VACLs allow security policies inside the same broadcast domain.
This is extremely important in:
- Data centers
- Multi-tenant environments
- Campus security
- East-West traffic filtering
Traffic Flow Logic
Traditional VLAN communication:
\[ Host_A \leftrightarrow Host_B \]
No filtering inside the VLAN.
With VACL:
\[ Traffic \rightarrow VACL \rightarrow Permit/Drop \]
2. Block IGMP Traffic in VLAN 10
IGMP stands for:
Internet Group Management Protocol
It is used for multicast group management.
The task requires:
\[ Deny\ IGMP\ in\ VLAN\ 10 \]
Create ACL for IGMP Matching
configure terminal
ip access-list VACL-10
permit igmp any any
end
Important Concept
Inside VACLs:
- ACL defines matching traffic
- VACL defines action
So:
permit igmp any any
does NOT mean traffic is allowed.
It means:
"Match IGMP traffic"
3. Block TFTP Traffic in VLAN 20
TFTP uses:
\[ UDP\ Port\ 69 \]
TFTP is considered insecure because:
- No authentication
- No encryption
- Easy file interception
Create ACL for TFTP Matching
configure terminal
ip access-list VACL-20
permit udp any any eq 69
end
TFTP Port Mathematics
TFTP:
\[ UDP = 69 \]
Traffic matching:
\[ Destination\ Port = 69 \]
will be filtered by the VACL.
4. Block Malicious MAC Address
The attacking MAC address:
\[ 0001.0012.2222 \]
must be blocked from accessing any device in VLAN 10.
MAC ACL Configuration
configure terminal
mac access-list MAC-VACL-10
permit 0001.0012.2222 0000.0000.0000 any
end
Important Correction
The original task used:
Permit 0001.0012.2222 0.0.0 any
Correct Nexus wildcard format:
0000.0000.0000
5. Configure VLAN Access Maps
Now we create:
- VLAN10 VACL
- VLAN20 VACL
Step 1 — Permit Normal IP Traffic
configure terminal
ip access-list IP-PERMIT
permit ip any any
end
Step 2 — VLAN 10 Access Map
configure terminal
vlan access-map VLAN10 10
match ip address VACL-10
action drop
vlan access-map VLAN10 20
match mac address MAC-VACL-10
action drop
vlan access-map VLAN10 100
match ip address IP-PERMIT
action forward
end
Step 3 — VLAN 20 Access Map
configure terminal
vlan access-map VLAN20 10
match ip address VACL-20
action drop
vlan access-map VLAN20 100
match ip address IP-PERMIT
action forward
end
VACL Processing Logic
Sequence:
\[ Seq\ 10 \rightarrow Seq\ 20 \rightarrow Seq\ 100 \]
If match found:
\[ Action = Drop \]
Otherwise:
\[ Action = Forward \]
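The "permit means match" rule from section 2 and the sequence walk described above are easy to get backwards, so here is a small Python model of VACL evaluation, added as an example and not NX-OS code. It encodes the VLAN10 policy from this guide, plus an ACL written the common wrong way (deny entries for the unwanted traffic, `permit ip any any` at the end, bound to `action drop`) to show why that inverts the policy. The packet fields, the MAC addresses other than 0001.0012.2222 and the `unmatched` default are constructed assumptions of the model.

```python
# Added example (not NX-OS code): a small model of how a VLAN access map
# evaluates traffic, to show that "permit" inside a VACL's ACL means
# "match" and that the drop/forward decision comes from the access map.
from dataclasses import dataclass
from typing import Optional, List, Dict, Tuple


@dataclass
class Packet:
    src_mac: str
    proto: Optional[str] = None    # "igmp", "udp", "tcp", ...; None for a non-IP frame such as ARP
    dst_port: Optional[int] = None


@dataclass
class AclEntry:
    permit: bool                   # permit = classify as matching, deny = classify as not matching
    proto: str = "ip"              # "ip" fits any IP protocol
    dst_port: Optional[int] = None
    src_mac: Optional[str] = None  # set for MAC ACL entries (exact-match host form)


def acl_matches(entries: List[AclEntry], pkt: Packet) -> bool:
    """First entry whose fields fit the packet decides: permit -> True, deny -> False.
    An ACL with no fitting entry classifies the packet as not matching."""
    for e in entries:
        if e.src_mac is not None:                 # MAC ACL entry
            if e.src_mac != pkt.src_mac:
                continue
        else:                                     # IP ACL entry
            if pkt.proto is None:                 # non-IP frames never fit an IP ACL
                continue
            if e.proto != "ip" and e.proto != pkt.proto:
                continue
            if e.dst_port is not None and e.dst_port != pkt.dst_port:
                continue
        return e.permit
    return False


# (sequence, acl name, action) triples; sequences are walked in ascending order
AccessMap = List[Tuple[int, str, str]]


def vacl_action(access_map: AccessMap, acls: Dict[str, List[AclEntry]],
                pkt: Packet, unmatched: str = "drop") -> str:
    """Return the action of the lowest sequence whose ACL matches the packet.
    `unmatched` is what the model returns when no sequence matches; the real
    platform behaviour is an assumption here, which is exactly why the
    catch-all forward entry (seq 100 in the guide) makes the result explicit."""
    for _seq, acl_name, action in sorted(access_map):
        if acl_matches(acls[acl_name], pkt):
            return action
    return unmatched


# The VLAN10 policy from the guide, expressed in the model
ACLS = {
    "VACL-10": [AclEntry(permit=True, proto="igmp")],
    "MAC-VACL-10": [AclEntry(permit=True, src_mac="0001.0012.2222")],
    "IP-PERMIT": [AclEntry(permit=True, proto="ip")],
    # Common mistake: deny the unwanted traffic and permit everything else, then
    # bind the ACL to "action drop". Inside a VACL this drops the wrong traffic.
    "INVERTED": [AclEntry(permit=False, proto="udp", dst_port=69),
                 AclEntry(permit=False, proto="igmp"),
                 AclEntry(permit=True, proto="ip")],
}
VLAN10_MAP: AccessMap = [(10, "VACL-10", "drop"), (20, "MAC-VACL-10", "drop"), (100, "IP-PERMIT", "forward")]
INVERTED_MAP: AccessMap = [(10, "INVERTED", "drop"), (100, "IP-PERMIT", "forward")]

GOOD_MAC, BAD_MAC = "0001.aaaa.bbbb", "0001.0012.2222"   # constructed sample addresses


def demo() -> Dict[str, str]:
    """Run constructed packets through both maps and return the decisions."""
    return {
        "igmp from good host":  vacl_action(VLAN10_MAP, ACLS, Packet(GOOD_MAC, "igmp")),
        "https from good host": vacl_action(VLAN10_MAP, ACLS, Packet(GOOD_MAC, "tcp", 443)),
        "https from bad mac":   vacl_action(VLAN10_MAP, ACLS, Packet(BAD_MAC, "tcp", 443)),
        "arp from bad mac":     vacl_action(VLAN10_MAP, ACLS, Packet(BAD_MAC)),
        "inverted: tftp":       vacl_action(INVERTED_MAP, ACLS, Packet(GOOD_MAC, "udp", 69)),
        "inverted: https":      vacl_action(INVERTED_MAP, ACLS, Packet(GOOD_MAC, "tcp", 443)),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} -> {decision}")
```

Two things the run makes visible. First, with the inverted ACL the TFTP packet reaches seq 100 and is forwarded while ordinary HTTPS is dropped, the opposite of the intent. Second, a non-IP frame (ARP) from an ordinary host matches neither `permit ip any any` nor the MAC ACL, so its fate depends on the platform's unmatched-traffic behaviour; confirm that on the target switch, or add a MAC catch-all forward entry. One more platform caveat: on some Nexus models a MAC ACL inside a VACL classifies only non-IP frames unless `mac packet classify` is configured, in which case seq 20 would not see IP packets from the blocked MAC.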
6. Apply VLAN Filters
VACLs become active only after applying them to VLANs.
Apply VLAN Filters
configure terminal
vlan filter VLAN10 vlan-list 10
vlan filter VLAN20 vlan-list 20
end
Traffic Flow Visualization
Host ---> VLAN 10 ---> VACL Evaluation
    IGMP? ----------------------> DROP
    MAC 0001.0012.2222 ? -------> DROP
    Everything Else ------------> FORWARD
7. Verification Commands
Check VLAN Access Maps
show vlan access-map
Check VLAN Filters
show vlan filter
Check ACLs
show access-lists
Check MAC ACLs
show mac access-list
Example Verification Output
NX-01# show vlan access-map
VLAN access-map "VLAN10" 10
  match ip address VACL-10
  action drop
VLAN access-map "VLAN10" 20
  match mac address MAC-VACL-10
  action drop
VLAN access-map "VLAN10" 100
  match ip address IP-PERMIT
  action forward
8. Configure Remote Management
SSH is enabled by default on modern Nexus switches.
We now enable:
\[ Telnet \]
for remote management.
Security Warning
Telnet is insecure because:
- No encryption
- Credentials transmitted in plain text
- Easy packet sniffing
Modern production environments should prefer:
SSH Only
Enable Telnet on NX-01
configure terminal
feature telnet
end
Enable Telnet on NX-02
configure terminal
feature telnet
end
Enable Telnet on NX-03
configure terminal
feature telnet
end
Telnet vs SSH Comparison
| Feature | Telnet | SSH |
|---|---|---|
| Encryption | No | Yes |
| Authentication Security | Weak | Strong |
| Production Usage | Rare | Standard |
| TCP Port | 23 | 22 |
9. Networking Mathematics
ACL Evaluation Probability
Suppose:
\[ Packets = 100000 \]
IGMP packets:
\[ 5000 \]
Blocked percentage:
\[ \frac{5000}{100000} \times 100\% = 5\% \]
The VACL blocks:
\[ 5\% \]
of traffic.
Bandwidth Protection Mathematics
Suppose:
\[ Attack\ Rate = 900Mbps \]
VACL filtering efficiency:
\[ 100\% \]
Traffic after filtering:
\[ 900\ Mbps - 900\ Mbps = 0\ Mbps \]
The malicious traffic is completely blocked.
10. Modern Security Best Practices
Modern enterprise data centers often combine:
- VACLs
- PACLs
- RACLs
- Microsegmentation
- VXLAN EVPN
- TrustSec
- Zero Trust policies
Modern Secure VLAN Example
configure terminal
! Inside a VACL, "permit" means "match": the ACL lists the traffic the access
! map acts on. Writing deny entries here would exclude TFTP and IGMP from the
! drop action and drop everything else instead.
ip access-list SECURE-VLAN
permit udp any any eq 69
permit igmp any any
ip access-list IP-PERMIT
permit ip any any
vlan access-map SECURE-MAP 10
match ip address SECURE-VLAN
action drop
vlan access-map SECURE-MAP 100
match ip address IP-PERMIT
action forward
vlan filter SECURE-MAP vlan-list 10
end
11. Troubleshooting
Common VACL Problems
- VACL not applied to VLAN
- ACL sequence errors
- Incorrect match statements
- Missing forward action
Common Telnet Problems
- Feature not enabled
- ACL blocking TCP 23
- Management VRF issues
Useful Troubleshooting Commands
show vlan access-map
show vlan filter
show feature
show running-config
show access-lists
show mac access-list
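The verification commands in section 7 and the problem list above can be turned into a repeatable check. The following Python script, added here as an example and not part of the guide's own configuration or any Cisco tool, parses saved `show running-config` text and reports an access map that is never applied with `vlan filter`, a map with no forward entry, a sequence with a missing match or action, a filter that references an undefined map, and an enabled Telnet feature. The config text it is run on is a constructed sample that mirrors this guide's configuration with two deliberate gaps.

```python
# Added example (not NX-OS code): audit saved NX-OS running-config text for
# the VACL and Telnet problems listed in the troubleshooting section.
import re
from typing import Dict, List, Set, Tuple

# Constructed sample config: VLAN10 is complete; VLAN20 has no forward entry and
# is never applied with "vlan filter"; Telnet is enabled.
SAMPLE_CONFIG = """\
feature telnet
ip access-list VACL-10
  permit igmp any any
ip access-list VACL-20
  permit udp any any eq 69
mac access-list MAC-VACL-10
  permit 0001.0012.2222 0000.0000.0000 any
ip access-list IP-PERMIT
  permit ip any any
vlan access-map VLAN10 10
  match ip address VACL-10
  action drop
vlan access-map VLAN10 20
  match mac address MAC-VACL-10
  action drop
vlan access-map VLAN10 100
  match ip address IP-PERMIT
  action forward
vlan access-map VLAN20 10
  match ip address VACL-20
  action drop
vlan filter VLAN10 vlan-list 10
"""

MapTable = Dict[str, Dict[int, dict]]   # map name -> sequence -> {"match": [...], "action": str|None}


def parse_config(text: str) -> Tuple[MapTable, Dict[str, str], Set[str]]:
    """Extract access maps, vlan filters and enabled features from config text."""
    maps: MapTable = {}
    filters: Dict[str, str] = {}
    features: Set[str] = set()
    current = None   # (map name, sequence) while inside an access-map block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.fullmatch(r"vlan access-map (\S+) (\d+)", line)
        if m:
            current = (m.group(1), int(m.group(2)))
            maps.setdefault(current[0], {}).setdefault(current[1], {"match": [], "action": None})
            continue
        if current and line.startswith("match "):
            maps[current[0]][current[1]]["match"].append(line[len("match "):])
            continue
        if current and line.startswith("action "):
            maps[current[0]][current[1]]["action"] = line[len("action "):]
            continue
        current = None   # any other line leaves the access-map block
        m = re.fullmatch(r"vlan filter (\S+) vlan-list (\S+)", line)
        if m:
            filters[m.group(1)] = m.group(2)
            continue
        m = re.fullmatch(r"feature (\S+)", line)
        if m:
            features.add(m.group(1))
    return maps, filters, features


def audit(maps: MapTable, filters: Dict[str, str], features: Set[str]) -> List[str]:
    """Return one finding per problem; an empty list means the config looks consistent."""
    findings: List[str] = []
    for name, seqs in maps.items():
        if name not in filters:
            findings.append(f"{name}: defined but never applied with 'vlan filter'")
        if not any(entry["action"] == "forward" for entry in seqs.values()):
            findings.append(f"{name}: no forward entry, so traffic that matches nothing "
                            f"is left to the platform default")
        for seq, entry in sorted(seqs.items()):
            if entry["action"] is None:
                findings.append(f"{name} seq {seq}: missing action")
            if not entry["match"]:
                findings.append(f"{name} seq {seq}: no match statement")
    for name in filters:
        if name not in maps:
            findings.append(f"vlan filter references undefined access map {name}")
    if "telnet" in features:
        findings.append("feature telnet is enabled: management credentials travel in clear text")
    return findings


def audit_text(text: str) -> List[str]:
    """Convenience wrapper: parse then audit."""
    return audit(*parse_config(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample, the script reports the missing filter and missing forward entry for VLAN20 and the enabled Telnet feature; feed it the output of `show running-config` from each switch to check the same points after every change. It deliberately does not try to judge whether an ACL's permit entries match the right traffic, since that depends on intent rather than syntax.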
Complete Final Configuration
configure terminal
ip access-list VACL-10
permit igmp any any
ip access-list VACL-20
permit udp any any eq 69
mac access-list MAC-VACL-10
permit 0001.0012.2222 0000.0000.0000 any
ip access-list IP-PERMIT
permit ip any any
vlan access-map VLAN10 10
match ip address VACL-10
action drop
vlan access-map VLAN10 20
match mac address MAC-VACL-10
action drop
vlan access-map VLAN10 100
match ip address IP-PERMIT
action forward
vlan access-map VLAN20 10
match ip address VACL-20
action drop
vlan access-map VLAN20 100
match ip address IP-PERMIT
action forward
vlan filter VLAN10 vlan-list 10
vlan filter VLAN20 vlan-list 20
feature telnet
end
copy running-config startup-config
Key Takeaways
✔ VACLs filter traffic inside VLANs.
✔ IGMP traffic can be selectively blocked.
✔ TFTP filtering improves security posture.
✔ MAC ACLs protect against Layer 2 attacks.
✔ Telnet should only be used in labs or isolated networks.
✔ SSH remains the preferred secure management protocol.
✔ Modern data centers combine multiple security layers simultaneously.
Conclusion
In this final Cisco Nexus NX-OS guide, we configured:
- VLAN Access Maps
- IGMP filtering
- TFTP blocking
- MAC-based attack prevention
- VLAN filtering
- Remote management using Telnet
- Secure management concepts using SSH
These advanced security technologies are critical in enterprise and data center environments where east-west traffic security and segmentation are essential.
This concludes the complete Cisco Nexus NX-OS configuration and security series.