Cisco Systems 7600 SERIES manual Configuring MAC Address-Based Traffic Blocking, 23-7

Chapter 23 Configuring Network Security

Configuring MAC Address-Based Traffic Blocking

Router(config-if)# exit
Router(config)# interface vlan 200
Router(config-if)# ip access-group deny_ftp_c in
Router(config-if)# ip access-group deny_ftp_d out
Router(config-if)# exit
Router(config)# interface vlan 300
Router(config-if)# ip access-group deny_ftp_e in
Router(config-if)# ip access-group deny_ftp_f out
Router(config-if)# end

If the FTP session enters on VLAN 100 and needs to leave on VLAN 200, CBAC permits the FTP traffic through ACLs deny_ftp_a, deny_ftp_b, deny_ftp_c, and deny_ftp_d. If another FTP session enters on VLAN 100 and needs to leave on VLAN 300, CBAC permits the FTP traffic through ACLs deny_ftp_a, deny_ftp_b, deny_ftp_e, and deny_ftp_f.

On a Cisco 7600 series router, when ports are configured to deny traffic, CBAC permits traffic to flow bidirectionally only through the port configured with the ip inspect command. You must configure other ports with the mls ip inspect command.

If the FTP session enters on VLAN 100 and needs to leave on VLAN 200, CBAC on a Cisco 7600 series router permits the FTP traffic only through ACLs deny_ftp_a and deny_ftp_b. To permit the traffic through ACLs deny_ftp_c and deny_ftp_d, you must enter the mls ip inspect deny_ftp_c and mls ip inspect deny_ftp_d commands, as shown in this example:

Router(config)# mls ip inspect deny_ftp_c
Router(config)# mls ip inspect deny_ftp_d

With the example configuration, FTP traffic cannot leave on VLAN 300 unless you enter the mls ip inspect deny_ftp_e and mls ip inspect deny_ftp_f commands. Enter the show fm insp [detail] command to verify the configuration.
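An added audit helper, written for this page and not taken from the guide or from Cisco, that applies the rule above to a constructed configuration modelled on the example: it lists the ACLs on the ingress and egress VLANs that CBAC on a 7600 will not open until an mls ip inspect command names them. The interface block for VLAN 100 and the inspection rule name ftp_rule are assumptions; the guide shows only the VLAN 200 and VLAN 300 ACL bindings.

```python
import re

# Constructed sample modelled on the page's example: VLAN 100 carries the
# ip inspect rule (assumed name ftp_rule), VLANs 200 and 300 carry only ACLs,
# and mls ip inspect has been entered for the VLAN 200 ACLs but not VLAN 300.
SAMPLE_CONFIG = """
interface vlan 100
 ip access-group deny_ftp_a in
 ip access-group deny_ftp_b out
 ip inspect ftp_rule in
interface vlan 200
 ip access-group deny_ftp_c in
 ip access-group deny_ftp_d out
interface vlan 300
 ip access-group deny_ftp_e in
 ip access-group deny_ftp_f out
mls ip inspect deny_ftp_c
mls ip inspect deny_ftp_d
"""


def parse_config(text):
    """Return ({vlan: [acl, ...]}, vlans with ip inspect, ACLs named by mls ip inspect)."""
    acls_by_vlan, inspected_vlans, mls_acls = {}, set(), set()
    vlan = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"interface vlan (\d+)", line, re.I)
        if m:
            vlan = m.group(1)
            acls_by_vlan.setdefault(vlan, [])
            continue
        m = re.match(r"ip access-group (\S+) (in|out)", line)
        if m and vlan:
            acls_by_vlan[vlan].append(m.group(1))
            continue
        if vlan and re.match(r"ip inspect \S+ (in|out)", line):
            inspected_vlans.add(vlan)
            continue
        m = re.match(r"mls ip inspect (\S+)", line)
        if m:
            mls_acls.add(m.group(1))
    return acls_by_vlan, inspected_vlans, mls_acls


def missing_mls_inspect(text, ingress_vlan, egress_vlan):
    """ACLs on the ingress/egress VLANs that still need 'mls ip inspect' for the session to pass."""
    acls_by_vlan, inspected_vlans, mls_acls = parse_config(text)
    missing = []
    for vlan in (ingress_vlan, egress_vlan):
        if vlan in inspected_vlans:
            continue  # CBAC opens the ACLs on the ip inspect port by itself
        missing += [acl for acl in acls_by_vlan.get(vlan, []) if acl not in mls_acls]
    return missing
```

Running missing_mls_inspect(SAMPLE_CONFIG, "100", "300") names deny_ftp_e and deny_ftp_f, the two commands the paragraph above says are still required.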

The show fm insp [detail] command displays the list of ACLs and ports on which CBAC is configured and the status (ACTIVE or INACTIVE), as shown in this example:

Router# show fm insp
interface:Vlan305(in) status :ACTIVE acl name:deny
interfaces: Vlan305(out):status ACTIVE

On VLAN 305, inspection is active in the inbound direction and no ACL exists. ACL deny is applied on VLAN 305 in the outbound direction and inspection is active.

To display all of the flow information, use the detail keyword.

If a VACL is configured on the port before configuring CBAC, the status displayed is INACTIVE; otherwise, it is ACTIVE. If PFC resources are exhausted, the command displays the word “BRIDGE” followed by the number of currently active NetFlow requests that failed, which have been sent to the MSFC2 for processing.

Configuring MAC Address-Based Traffic Blocking

With 12.1(13)E and later releases, to block all traffic to or from a MAC address in a specified VLAN, perform this task:

Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E

78-14064-04
