Cisco Systems 7600 SERIES manual Configuring a Capture Port, 23-16


Chapter 23 Configuring Network Security

Configuring VLAN ACLs

This example shows how to define and apply a VLAN access map to forward IP packets. In this example, IP traffic matching net_10 is forwarded and all other IP packets are dropped due to the default drop action. The map is applied to VLANs 12 through 16:

Router(config)# vlan access-map thor 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action forward
Router(config-access-map)# exit
Router(config)# vlan filter thor vlan-list 12-16

This example shows how to define and apply a VLAN access map to drop and log IP packets. In this example, IP traffic matching net_10 is dropped and logged, and all other IP packets (matched by the second sequence, any_host) are forwarded:

Router(config)# vlan access-map ganymede 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action drop log
Router(config-access-map)# exit
Router(config)# vlan access-map ganymede 20
Router(config-access-map)# match ip address any_host
Router(config-access-map)# action forward
Router(config-access-map)# exit
Router(config)# vlan filter ganymede vlan-list 7-9

This example shows how to define and apply a VLAN access map to forward and capture IP packets. In this example, IP traffic matching net_10 is forwarded and captured, and all other IP packets are dropped by the default drop action:

Router(config)# vlan access-map mordred 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action forward capture
Router(config-access-map)# exit
Router(config)# vlan filter mordred vlan-list 2, 4-6

Configuring a Capture Port

A port configured to capture VACL-filtered traffic is called a capture port.

Note To apply IEEE 802.1Q or ISL tags to the captured traffic, configure the capture port to trunk unconditionally (see the “Configuring the Layer 2 Switching Port as an ISL or 802.1Q Trunk” section on page 7-8 and the “Configuring the Layer 2 Trunk Not to Use DTP” section on page 7-9).

To configure a capture port, perform this task:

Step 1
Command: Router(config)# interface {type(1) slot/port}
Purpose: Specifies the interface to configure.

Step 2 (Optional)
Command: Router(config-if)# switchport capture allowed vlan {add | all | except | remove} vlan_list
Purpose: With Release 12.1(13)E and later releases, filters the captured traffic on a per-destination-VLAN basis. The default is all.

Command: Router(config-if)# no switchport capture allowed vlan
Purpose: Clears the configured destination VLAN list and returns to the default value (all).

Step 3
Command: Router(config-if)# switchport capture
Purpose: Configures the port to capture VACL-filtered traffic.

Command: Router(config-if)# no switchport capture
Purpose: Disables the capture function on the interface.

1. type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet
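The access-map examples above and the capture-port task together describe a small configuration grammar and one evaluation rule: sequences in an access map are tried in ascending order, the first matching sequence decides the action, and a packet that matches no sequence falls to the default drop. The Python script below is an added example, not part of the Cisco guide: it parses a constructed running-config excerpt assembled from the page's three access maps and filters, expands vlan-lists such as "2, 4-6", reports the verdict for a packet given the ACLs it matches, and flags a capture action that has no capture port. The interface GigabitEthernet3/1 and its allowed-VLAN list are assumptions; net_10 and any_host are only ACL names here because their contents are not on the page; and the allowed-VLAN check assumes bridged traffic, so that the destination VLAN equals the filtered VLAN.

```python
import re
from collections import defaultdict

# Constructed config excerpt: the page's three access maps and filters plus a
# hypothetical capture port. net_10 and any_host are only ACL names here.
SAMPLE_CONFIG = """
vlan access-map thor 10
 match ip address net_10
 action forward
vlan access-map ganymede 10
 match ip address net_10
 action drop log
vlan access-map ganymede 20
 match ip address any_host
 action forward
vlan access-map mordred 10
 match ip address net_10
 action forward capture
vlan filter thor vlan-list 12-16
vlan filter ganymede vlan-list 7-9
vlan filter mordred vlan-list 2, 4-6
interface GigabitEthernet3/1
 switchport capture allowed vlan 2,4-6
 switchport capture
"""


def expand_vlan_list(text):
    """Expand a vlan-list such as '2, 4-6' into a sorted list of VLAN ids."""
    vlans = set()
    for part in re.split(r"\s*,\s*", text.strip()):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return sorted(vlans)


def parse_config(text):
    """Return (maps, filters, capture_ports): maps is name -> {seq: {match, action}},
    filters is name -> VLAN ids, capture_ports is interface -> allowed VLANs (None = all)."""
    maps, filters, allowed, capture_ifaces = defaultdict(dict), {}, {}, set()
    cur_seq = cur_if = None            # access-map sequence / interface being read
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"vlan access-map (\S+) (\d+)$", line):
            cur_if = None
            cur_seq = maps[m.group(1)].setdefault(int(m.group(2)), {"match": None, "action": []})
        elif (m := re.match(r"match ip address (\S+)$", line)) and cur_seq is not None:
            cur_seq["match"] = m.group(1)
        elif (m := re.match(r"action (.+)$", line)) and cur_seq is not None:
            cur_seq["action"] = m.group(1).split()
        elif m := re.match(r"vlan filter (\S+) vlan-list (.+)$", line):
            filters[m.group(1)] = expand_vlan_list(m.group(2))
        elif m := re.match(r"interface (\S+)$", line):
            cur_if, cur_seq = m.group(1), None
        elif (m := re.match(r"switchport capture allowed vlan (.+)$", line)) and cur_if:
            allowed[cur_if] = expand_vlan_list(m.group(1))
        elif line == "switchport capture" and cur_if:
            capture_ifaces.add(cur_if)
    return dict(maps), filters, {i: allowed.get(i) for i in capture_ifaces}


def vacl_verdict(maps, filters, vlan, matched_acls):
    """Action taken on an IP packet on `vlan` that matches the ACLs in `matched_acls`:
    sequences run in ascending order, the first match wins, and no match means the
    implicit drop; a VLAN with no filter applied is forwarded untouched."""
    for name, vlans in filters.items():
        if vlan not in vlans:
            continue
        for seq in sorted(maps.get(name, {})):
            if maps[name][seq]["match"] in matched_acls:
                return name, seq, maps[name][seq]["action"]
        return name, None, ["drop"]        # nothing matched: default drop action
    return None, None, ["forward"]         # no VACL applied to this VLAN


def audit(maps, filters, capture_ports):
    """Findings: a capture action needs a capture port, and (assuming bridged traffic,
    so destination VLAN == filtered VLAN) the allowed-VLAN list should cover the filter."""
    findings = []
    for name, vlans in filters.items():
        if name not in maps:
            findings.append(f"filter {name} references an undefined access map")
        elif any("capture" in c["action"] for c in maps[name].values()):
            if not capture_ports:
                findings.append(f"{name} captures traffic but no capture port is configured")
            for iface, allowed in capture_ports.items():
                missing = sorted(set(vlans) - set(allowed)) if allowed is not None else []
                if missing:
                    findings.append(f"{iface} allowed-VLAN list omits {missing} (filtered by {name})")
    return findings


if __name__ == "__main__":
    maps, filters, caps = parse_config(SAMPLE_CONFIG)
    for vlan, acls in [(12, {"net_10"}), (12, set()), (8, {"any_host"}), (4, {"net_10"})]:
        print(vlan, sorted(acls), "->", vacl_verdict(maps, filters, vlan, acls))
    print("findings:", audit(maps, filters, caps) or "none")
```

Feed it a real `show running-config` excerpt in place of SAMPLE_CONFIG to check, before a maintenance window, that every `vlan filter` names a defined map and that a `forward capture` action actually has somewhere to send its copies; the verdict function is also a quick way to confirm that a newly added sequence does not silently move traffic into the default drop.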

 

Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E

23-16

78-14064-04
