Chapter 23 Configuring Network Security
Configuring VLAN ACLs
Configuring an Action Clause in a VLAN Access Map Sequence
To configure an action clause in a VLAN access map sequence, perform this task:
Command |
|
| Purpose |
|
|
| |
action {drop [log]} | Configures the action clause in a VLAN access map | ||
{forward [capture]} {redirect {{ethernet | sequence. | ||
fastethernet | gigabitethernet tengigabitethernet} |
| |
slot/port} | channel_id}} |
| |
no action {drop [log]} | Deletes the action clause in from the VLAN access map | ||
{forward [capture]} {redirect {{ethernet | sequence. | ||
fastethernet | gigabitethernet tengigabitethernet} |
| |
slot/port} | channel_id}} |
| |
|
|
|
|
When configuring an action clause in a VLAN access map sequence, note the following syntax information:
•You can set the action to drop, forward, forward capture, or redirect packets.
•VACLs applied to WAN interfaces support only the forward capture action. VACLs applied to WAN interfaces do not support the drop, forward, or redirect actions.
•Forwarded packets are still subject to any configured Cisco IOS security ACLs.
•The capture action sets the capture bit for the forwarded packets so that ports with the capture function enabled can receive the packets. Only forwarded packets can be captured. For more information about the capture action, see the “Configuring a Capture Port” section on page
•The log action is supported only on Supervisor Engine 2.
•VACLs applied to WAN interfaces do not support the log action.
•When the log action is specified, dropped packets are logged in software. Only dropped IP packets can be logged.
•The redirect action allows you to specify up to five interfaces, which can be physical interfaces or EtherChannels. You cannot specify packets to be redirected to an EtherChannel member or a VLAN interface.
•For systems with a Supervisor Engine 2, the redirect interface must be in the VLAN for which the VACL access map is configured. For systems with Supervisor Engine 1, the redirect interface must be in the redirected packet’s source VLAN.
•Use the no keyword to remove an action clause or specified redirect interfaces.
See the “VLAN Access Map Configuration and Verification Examples” section on page
Applying a VLAN Access Map
To apply a VLAN access map, perform this task:
Command | Purpose |
|
|
Router(config)# vlan filter map_name | Applies the VLAN access map to the specified VLANs or |
vlan_list interface type1 number2} CP_CmdPlain | WAN interfaces. |
|
|
| Cisco 7600 Series Router Cisco IOS Software Configuration |
|