Cisco Systems 7600 Series manual: VACL Configuration Overview, Defining a VLAN Access Map, page 23-12


Chapter 23 Configuring Network Security

Configuring VLAN ACLs

VLAN Access Map Configuration and Verification Examples, page 23-15

Configuring a Capture Port, page 23-16

VACL Configuration Overview

VACLs use standard and extended Cisco IOS IP and IPX ACLs, and MAC-Layer named ACLs (see the “Configuring MAC-Layer Named Access Lists (Optional)” section on page 32-39) and VLAN access maps.

VLAN access maps can be applied to VLANs or, with releases 12.1(13)E or later, to WAN interfaces for VACL capture. VACLs attached to WAN interfaces support only standard and extended Cisco IOS IP ACLs for VACL capture.

Each VLAN access map can consist of one or more map sequences, each sequence with a match clause and an action clause. The match clause specifies IP, IPX, or MAC ACLs for traffic filtering and the action clause specifies the action to be taken when a match occurs. When a flow matches a permit ACL entry, the associated action is taken and the flow is not checked against the remaining sequences. When a flow matches a deny ACL entry, it will be checked against the next ACL in the same sequence or the next sequence. If a flow does not match any ACL entry and at least one ACL is configured for that packet type, the packet is denied.

To apply access control to both bridged and routed traffic, you can use VACLs alone or a combination of VACLs and ACLs. You can define ACLs on the VLAN interfaces to apply access control to both the input and output routed traffic, and you can define a VACL to apply access control to the bridged traffic.

The following caveats apply to ACLs when used with VACLs:

Packets that require logging on the outbound ACLs are not logged if they are denied by a VACL.

VACLs are applied on packets before NAT translation. If the translated flow is not subject to access control, the flow might be subject to access control after the translation because of the VACL configuration.

The action clause in a VACL can be forward, drop, capture, or redirect. Traffic can also be logged. VACLs applied to WAN interfaces do not support the redirect or log actions.

Note: VACLs have an implicit deny at the end of the map; a packet is denied if it does not match any ACL entry and at least one ACL is configured for the packet type.

Note: If an empty or undefined ACL is specified in a VACL, any packet will match the ACL and the associated action is taken.

Defining a VLAN Access Map

To define a VLAN access map, perform this task:

Command                                                Purpose
Router(config)# vlan access-map map_name [0-65535]     Defines the VLAN access map. Optionally, you can specify the VLAN access map sequence number.
Router(config)# no vlan access-map map_name 0-65535    Deletes a map sequence from the VLAN access map.
Router(config)# no vlan access-map map_name            Deletes the VLAN access map.
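The evaluation order described in the overview (a permit match takes the sequence's action and stops, a deny match falls through to the next ACL or sequence, the implicit deny applies only when an ACL exists for the packet type, and an empty or undefined ACL matches everything), together with the vlan access-map map_name sequence definition from the task above, modelled as an added Python example. This is not Cisco code: it assumes the indented match ip|ipx|mac address acl_name and action lines documented in the match-clause and action-clause sections that follow this page, and the access-map text, ACL entries and packets are constructed stand-ins for the real ACE fields.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed packet representation: {"type": "ip" | "ipx" | "mac", "src": ..., ...}
Packet = Dict[str, object]


@dataclass
class AclEntry:
    permit: bool                        # True for a permit entry, False for a deny entry
    test: Callable[[Packet], bool]      # predicate standing in for the real ACE fields


@dataclass
class Sequence:
    seq: int
    matches: List[Tuple[str, str]] = field(default_factory=list)  # (packet type, ACL name)
    action: str = "forward"             # forward | drop | capture | redirect


def parse_access_maps(config: str) -> Dict[str, Dict[int, Sequence]]:
    """Parse 'vlan access-map NAME SEQ' blocks into {map name: {seq: Sequence}}.

    Only the 'vlan access-map' command appears on this page; the indented
    'match <type> address <acl>' and 'action <verb>' lines are assumed from the
    match-clause and action-clause sections that follow it.
    """
    maps: Dict[str, Dict[int, Sequence]] = {}
    current = None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[:2] == ["vlan", "access-map"]:
            name, seq = words[2], int(words[3])
            current = maps.setdefault(name, {}).setdefault(seq, Sequence(seq))
        elif words[0] == "match" and current is not None:
            current.matches.append((words[1], words[3]))   # e.g. "match ip address NAME"
        elif words[0] == "action" and current is not None:
            current.action = words[1]
    return maps


def evaluate(sequences: Dict[int, Sequence], acls: Dict[str, List[AclEntry]], pkt: Packet) -> str:
    """Return the action one VLAN access map applies to pkt, in sequence-number order."""
    ptype = pkt["type"]
    type_has_acl = any(t == ptype for s in sequences.values() for t, _ in s.matches)
    for seq in sorted(sequences):
        s = sequences[seq]
        for acl_type, acl_name in s.matches:
            if acl_type != ptype:
                continue                         # this ACL filters another packet type
            entries = acls.get(acl_name, [])
            if not entries:
                return s.action                  # empty or undefined ACL: every packet matches
            for entry in entries:
                if entry.test(pkt):
                    if entry.permit:
                        return s.action          # permit match: take the action and stop
                    break                        # deny match: move on to the next ACL/sequence
    # The implicit deny at the end of the map applies only when an ACL exists for
    # this packet type; otherwise the map does not filter that type and it passes.
    return "drop" if type_has_acl else "forward"


# Constructed sample: a server VLAN that admits 10/8 except one host, and a
# quarantine map whose MAC ACL is deliberately left undefined.
SAMPLE_CONFIG = """
vlan access-map SERVER-VLAN 10
 match ip address TRUSTED-HOSTS
 action forward
vlan access-map SERVER-VLAN 20
 match ip address ANY-IP
 action drop
vlan access-map QUARANTINE 10
 match mac address NOT-DEFINED
 action drop
"""

SAMPLE_ACLS: Dict[str, List[AclEntry]] = {
    "TRUSTED-HOSTS": [
        AclEntry(False, lambda p: p["src"] == "10.0.0.5"),            # deny one host
        AclEntry(True, lambda p: str(p["src"]).startswith("10.")),    # permit the rest of 10/8
    ],
    "ANY-IP": [AclEntry(True, lambda p: True)],
    # "NOT-DEFINED" is intentionally absent: it is referenced but never configured
}


def demo() -> Dict[str, Dict[str, str]]:
    """Evaluate constructed packets against both sample maps."""
    maps = parse_access_maps(SAMPLE_CONFIG)
    packets: Dict[str, Packet] = {
        "trusted": {"type": "ip", "src": "10.0.0.9"},
        "bad-host": {"type": "ip", "src": "10.0.0.5"},
        "outsider": {"type": "ip", "src": "192.168.1.1"},
        "ipx-flow": {"type": "ipx", "src": "00A1.0000.0000.0001"},
        "bridged-mac": {"type": "mac", "src": "0000.0c12.3456"},
    }
    return {
        name: {m: evaluate(maps[m], SAMPLE_ACLS, p) for m in ("SERVER-VLAN", "QUARANTINE")}
        for name, p in packets.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running demo() shows the two behaviours that are easy to get wrong: the denied host 10.0.0.5 is not dropped by sequence 10 itself but falls through to sequence 20, and a bridged MAC frame on QUARANTINE is dropped because the referenced MAC ACL does not exist, while IP and IPX flows on that map pass untouched because no ACL of their type is configured there.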

Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E

23-12

78-14064-04
