Cisco Systems 7600 SERIES manual Verifying Vlan Access Map Configuration, 23-15

Chapter 23 Configuring Network Security

Configuring VLAN ACLs

1.type = pos, atm, or serial

2.number = slot/port or slot/port_adapter/port; can include a subinterface or channel group descriptor

When applying a VLAN access map, note the following syntax information:

•You can apply the VLAN access map to one or more VLANs or WAN interfaces.

•The vlan_list parameter can be a single VLAN ID or a comma-separated list of VLAN IDs or VLAN ID ranges (vlan_ID–vlan_ID).

•If you delete a WAN interface that has a VACL applied, the VACL configuration on the interface is also removed.

•You can apply only one VLAN access map to each VLAN or WAN interface.

•VACLs applied to VLANs are active only for VLANs with a Layer 3 VLAN interface configured. VACLs applied to VLANs without a Layer 3 VLAN interface are inactive. With releases 12.1(13)E and later, applying a VLAN access map to a VLAN without a Layer 3 VLAN interface creates an administratively down Layer 3 VLAN interface to support the VLAN access map. If creation of the Layer 3 VLAN interface fails, the VACL is inactive.

•You cannot apply a VACL to a secondary private VLAN. VACLs applied to primary private VLANs also apply to secondary private VLANs.

•Use the no keyword to clear VLAN access maps from VLANs or WAN interfaces.

See the “VLAN Access Map Configuration and Verification Examples” section on page 23-15.

Verifying VLAN Access Map Configuration

To verify VLAN access map configuration, perform this task:

1.type = pos, atm, or serial

2.number = slot/port or slot/port_adapter/port; can include a subinterface or channel group descriptor

VLAN Access Map Configuration and Verification Examples

Assume IP-named ACL net_10 and any_host are defined as follows:

Router# show ip access-lists net_10 Extended IP access list net_10

permit ip 10.0.0.0 0.255.255.255 any

Router# show ip access-lists any_host Standard IP access list any_host

permit any