VACL Configuration Overview; Defining a VLAN Access Map - Cisco 6500 Series Software Configuration Manual


Configuring VLAN ACLs

VACL Configuration Overview

VACLs use standard and extended Cisco IOS IP and IPX ACLs, and MAC-Layer named ACLs (see the
"Configuring MAC-Layer Named Access Lists (Optional)" section on page 31-39) and VLAN access maps.

VLAN access maps can be applied to VLANs or, with releases 12.1(13)E or later, to WAN interfaces for
VACL capture. VACLs attached to WAN interfaces support only standard and extended Cisco IOS IP
ACLs for VACL capture.

Each VLAN access map can consist of one or more map sequences, each sequence with a match clause
and an action clause. The match clause specifies IP, IPX, or MAC ACLs for traffic filtering and the action
clause specifies the action to be taken when a match occurs. When a flow matches a permit ACL entry,
the associated action is taken and the flow is not checked against the remaining sequences. When a flow
matches a deny ACL entry, it is checked against the next ACL in the same sequence or against the next
sequence. A permit entry in a match clause therefore selects a flow for the sequence's action, which may
be drop; it does not by itself forward the flow. If a flow does not match any ACL entry and at least one
ACL is configured for that packet type, the packet is denied.

To use access control for both bridged and routed traffic, you can use VACLs alone or a combination of
VACLs and ACLs. You can define ACLs on the VLAN interfaces to use access control for both the input
and output routed traffic. You can define a VACL to use access control for the bridged traffic.

The following caveats apply to ACLs when used with VACLs:
• Packets that require logging on the outbound ACLs are not logged if they are denied by a VACL.
• VACLs are applied to packets before NAT translation, so VACL match clauses see the untranslated
  addresses. A flow that is not subject to access control after translation can still be filtered by a VACL
  that matches its pre-translation addresses.

The action clause in a VACL can be forward, drop, capture, or redirect. Traffic can also be logged.

Note VACLs applied to WAN interfaces do not support the redirect or log actions.

Note VACLs have an implicit deny at the end of the map; a packet is denied if it does not match any ACL
entry and at least one ACL is configured for the packet type.

Note If an empty or undefined ACL is specified in a VACL, any packet will match the ACL and the associated
action is taken. A mistyped ACL name in a match clause is enough to select every packet of that type.

Defining a VLAN Access Map

To define a VLAN access map, perform this task:

Command                                              Purpose
Router(config)# vlan access-map map_name [0-65535]   Defines the VLAN access map. Optionally, you can
                                                     specify the VLAN access map sequence number.
Router(config)# no vlan access-map map_name 0-65535  Deletes a map sequence from the VLAN access map.
Router(config)# no vlan access-map map_name          Deletes the VLAN access map.

See also:
VLAN Access Map Configuration and Verification Examples, page 23-15
Configuring a Capture Port, page 23-16

Chapter 23 Configuring Network Security
Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide—Release 12.1 E
23-12
78-14099-04
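As an added example that is not part of the Cisco guide, the following complete configuration puts the rules above together: the ACLs, a multi-sequence VLAN access map, and the vlan filter command that applies it. The match clause, action clause, and vlan filter commands are documented in later sections of this chapter that are not reproduced on this page and are assumed here; VLAN 10, the 10.1.10.0/24 subnet, the server address 10.1.10.5 and every ACL and map name are made up for illustration.

```cisco
! Added example, not from the Cisco guide. Assumed: VLAN 10 carries the
! subnet 10.1.10.0/24, 10.1.10.5 is an HTTPS server in that VLAN, and the
! ACL and map names below are invented for this illustration.
!
! --- Step 1: ACLs whose PERMIT entries select traffic for an action.
! In a VACL match clause "permit" means "this sequence matches the flow";
! it does not mean "allow". A "deny" entry means "keep looking in the next
! ACL of this sequence or in the next sequence".
!
! VACLs are stateless and see every packet in the VLAN in both directions,
! so the return direction of the HTTPS flow must be selected explicitly.
ip access-list extended SERVER-HTTPS
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.10.5 eq 443
 permit tcp host 10.1.10.5 eq 443 10.1.10.0 0.0.0.255
!
! All other traffic between hosts of the same subnet (east-west).
ip access-list extended INTRA-VLAN-IP
 permit ip 10.1.10.0 0.0.0.255 10.1.10.0 0.0.0.255
!
ip access-list extended ANY-IP
 permit ip any any
!
! Non-IP traffic is matched against MAC ACLs, not IP ACLs. The implicit
! deny is per packet type, so a map with no MAC ACL leaves non-IP frames
! alone; this ACL makes that decision explicit and auditable.
mac access-list extended ALL-NON-IP
 permit any any
!
! --- Step 2: the access map. Sequences run in order; the first sequence
! whose ACL returns a permit decides the action and evaluation stops.
vlan access-map SERVER-VLAN-VACL 10
 match ip address SERVER-HTTPS
 action forward
vlan access-map SERVER-VLAN-VACL 20
 match ip address INTRA-VLAN-IP
 action drop log
vlan access-map SERVER-VLAN-VACL 30
 match mac address ALL-NON-IP
 action forward
! Because at least one IP ACL is configured in this map, any IP packet
! that no sequence selects (for example traffic routed into or out of the
! VLAN) would be dropped by the implicit deny. Sequence 40 forwards it on
! purpose instead of relying on that silent drop.
vlan access-map SERVER-VLAN-VACL 40
 match ip address ANY-IP
 action forward
!
! --- Step 3: apply the map to the VLAN.
vlan filter SERVER-VLAN-VACL vlan-list 10
!
! --- Pitfall shown for contrast (not applied): an ACL that is empty or
! was never defined matches EVERY packet of its type, so this map drops
! all IP traffic in the VLAN. A typo in the ACL name is enough.
! vlan access-map BROKEN-VACL 10
!  match ip address SERVER-HTPS      <- misspelled, no such ACL
!  action drop
!
! --- Verification
! show vlan access-map SERVER-VLAN-VACL
! show vlan filter
```

The ordering is the whole point: a flow is decided by the first sequence whose ACL returns a permit, so the narrow forward for HTTPS must precede the broad east-west drop, and the final explicit forward exists because the map contains IP ACLs and would otherwise deny every IP packet it does not select. Check the result with show vlan access-map and show vlan filter before trusting the map on a production VLAN.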
