Chapter 23 Configuring Network Security
Configuring VLAN ACLs
When configuring a capture port, note the following syntax information:
•With Release 12.1(13)E and later releases, you can configure any port as a capture port. With earlier releases, only the Gigabit Ethernet monitor port on the IDS module can be configured as a capture port.
•When configuring a capture port with Release 12.1(13)E and later releases, note the following syntax information:
–The vlan_list parameter can be a single VLAN ID or a
–To encapsulate captured traffic, configure the capture port with the switchport trunk encapsulation command (see the “Configuring a Layer 2 Switching Port as a Trunk” section on page
–To not encapsulate captured traffic, configure the capture port with the switchport mode access command (see the “Configuring a LAN Interface as a Layer 2 Access Port” section on
page
–The capture port supports only egress traffic. No traffic can enter the router through a capture port.
This example shows how to configure a Fast Ethernet interface 5/1 as a capture port:
Router(config)# interface gigabitEthernet 5/1
This example shows how to display VLAN access map information:
Router# show vlan
Vlan
Router#
This example shows how to display mappings between VACLs and VLANs. For each VACL map, there is information about the VLANs that the map is configured on and the VLANs that the map is active on. A VACL is not active if the VLAN does not have an interface.
Router# show vlan filter
VLAN Map mordred:
Configured on VLANs:
Active on VLANs:
Router#
Configuring VACL Logging
When you configure VACL logging, IP packets that are denied generate log messages in these situations:
•When the first matching packet is received
•For any matching packets received during the last
•If the threshold is reached before the
Log messages are generated on a
|
| Cisco 7600 Series Router Cisco IOS Software Configuration |
|
| |
|
|
| |||
|
|
|
|
| |
|
|
|
| ||