Cisco Systems 7600 SERIES manual Configuring an Action Clause in a Vlan Access Map Sequence, 23-14

Chapter 23 Configuring Network Security

Configuring VLAN ACLs

Configuring an Action Clause in a VLAN Access Map Sequence

To configure an action clause in a VLAN access map sequence, perform this task:

When configuring an action clause in a VLAN access map sequence, note the following syntax information:

•You can set the action to drop, forward, forward capture, or redirect packets.

•VACLs applied to WAN interfaces support only the forward capture action. VACLs applied to WAN interfaces do not support the drop, forward, or redirect actions.

•Forwarded packets are still subject to any configured Cisco IOS security ACLs.

•The capture action sets the capture bit for the forwarded packets so that ports with the capture function enabled can receive the packets. Only forwarded packets can be captured. For more information about the capture action, see the “Configuring a Capture Port” section on page 23-16.

•The log action is supported only on Supervisor Engine 2.

•VACLs applied to WAN interfaces do not support the log action.

•When the log action is specified, dropped packets are logged in software. Only dropped IP packets can be logged.

•The redirect action allows you to specify up to five interfaces, which can be physical interfaces or EtherChannels. You cannot specify packets to be redirected to an EtherChannel member or a VLAN interface.

•For systems with a Supervisor Engine 2, the redirect interface must be in the VLAN for which the VACL access map is configured. For systems with Supervisor Engine 1, the redirect interface must be in the redirected packet’s source VLAN.

•Use the no keyword to remove an action clause or specified redirect interfaces.

See the “VLAN Access Map Configuration and Verification Examples” section on page 23-15.

Applying a VLAN Access Map

To apply a VLAN access map, perform this task: