Cisco Systems 7600 SERIES manual Configuring an Action Clause in a Vlan Access Map Sequence, 23-14

Chapter 23 Configuring Network Security

Configuring VLAN ACLs

Configuring an Action Clause in a VLAN Access Map Sequence

To configure an action clause in a VLAN access map sequence, perform this task:

Command: Router(config-access-map)# action {drop [log]} | {forward [capture]} | {redirect {{ethernet | fastethernet | gigabitethernet | tengigabitethernet} slot/port} | {port-channel channel_id}}
Purpose: Configures the action clause in a VLAN access map sequence.

Command: Router(config-access-map)# no action {drop [log]} | {forward [capture]} | {redirect {{ethernet | fastethernet | gigabitethernet | tengigabitethernet} slot/port} | {port-channel channel_id}}
Purpose: Deletes the action clause from the VLAN access map sequence.

When configuring an action clause in a VLAN access map sequence, note the following syntax information:

You can set the action to drop, forward, forward capture, or redirect packets.

VACLs applied to WAN interfaces support only the forward capture action. VACLs applied to WAN interfaces do not support the drop, forward, or redirect actions.

Forwarded packets are still subject to any configured Cisco IOS security ACLs.

The capture action sets the capture bit for the forwarded packets so that ports with the capture function enabled can receive the packets. Only forwarded packets can be captured. For more information about the capture action, see the “Configuring a Capture Port” section on page 23-16.

The log action is supported only on Supervisor Engine 2.

VACLs applied to WAN interfaces do not support the log action.

When the log action is specified, dropped packets are logged in software. Only dropped IP packets can be logged.

The redirect action allows you to specify up to five interfaces, which can be physical interfaces or EtherChannels. You cannot specify packets to be redirected to an EtherChannel member or a VLAN interface.

For systems with a Supervisor Engine 2, the redirect interface must be in the VLAN for which the VACL access map is configured. For systems with Supervisor Engine 1, the redirect interface must be in the redirected packet’s source VLAN.

Use the no keyword to remove an action clause or specified redirect interfaces.

See the “VLAN Access Map Configuration and Verification Examples” section on page 23-15.
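The syntax notes above can be checked mechanically before a map is deployed, so that a clause the platform does not support (for example a drop action on a WAN interface) is caught in review rather than on the router. The following is an added example, not part of the Cisco guide; the function name, its parameters, the sample clauses, and the assumption that redirect targets are written as space-separated type/number pairs are all constructed for illustration.

```python
import re

# Interface types the action syntax on this page allows after "redirect".
REDIRECT_TYPES = {"ethernet", "fastethernet", "gigabitethernet",
                  "tengigabitethernet", "port-channel"}

def check_action(clause, wan=False, supervisor=2):
    """Return the rule violations for one 'action ...' clause (empty = OK).

    wan: True when the access map is applied to a WAN interface.
    supervisor: Supervisor Engine generation (1 or 2).
    Assumption: redirect targets are space-separated type/number pairs.
    """
    # Split "gigabitethernet5/1" into type and number, then tokenize.
    words = re.sub(r"(?<=[a-z])(?=\d)", " ", clause.lower()).split()
    if len(words) < 2 or words[0] != "action":
        return ["not an action clause"]
    verb, args = words[1], words[2:]
    problems = []
    if verb == "drop":
        if args not in ([], ["log"]):
            problems.append("drop takes only the optional log keyword")
        elif args and supervisor != 2:
            problems.append("log is supported only on Supervisor Engine 2")
    elif verb == "forward":
        if args not in ([], ["capture"]):
            problems.append("forward takes only the optional capture keyword")
    elif verb == "redirect":
        types = args[0::2]
        if not args or len(args) % 2:
            problems.append("redirect needs type and number for each interface")
        if len(types) > 5:
            problems.append("redirect allows at most five interfaces")
        for t in sorted(set(types) - REDIRECT_TYPES):
            problems.append(f"cannot redirect to interface type {t}")
    else:
        problems.append(f"unknown action {verb}")
    # WAN interfaces accept forward capture and nothing else.
    if wan and (verb, args) != ("forward", ["capture"]):
        problems.append("WAN interfaces support only forward capture")
    return problems

# Constructed sample clauses, checked as if applied to a LAN VLAN on Sup 2.
SAMPLES = ["action drop log", "action forward capture",
           "action redirect gigabitethernet5/1 port-channel 3",
           "action redirect vlan 10", "action forward log"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}: {check_action(s) or 'ok'}")
```

The check cannot tell whether a redirect interface is an EtherChannel member or belongs to the correct VLAN; those two rules still need the running configuration.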

Applying a VLAN Access Map

To apply a VLAN access map, perform this task:

Command: Router(config)# vlan filter map_name {vlan-list vlan_list | interface type number}
Purpose: Applies the VLAN access map to the specified VLANs or WAN interfaces.

Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E

23-14

78-14064-04
