Cisco Systems 7600 SERIES manual Configuring Vlan ACLs, Understanding VACLs, Vacl Overview, 23-8


Chapter 23 Configuring Network Security

Configuring VLAN ACLs

Command                                                                   Purpose
Router(config)# mac-address-table static mac_address vlan vlan_ID drop    Blocks all traffic to or from the configured MAC address in the specified VLAN.
Router(config)# no mac-address-table static mac_address vlan vlan_ID      Clears MAC address-based blocking.

This example shows how to block all traffic to or from MAC address 0050.3e8d.6400 in VLAN 12:

Router# configure terminal

Router(config)# mac-address-table static 0050.3e8d.6400 vlan 12 drop

Configuring VLAN ACLs

Note: Releases 12.1(11b)E or later support VLAN ACLs (VACLs).

The following sections describe VACLs:

Understanding VACLs, page 23-8

Configuring VACLs, page 23-11

Configuring VACL Logging, page 23-17

Understanding VACLs

These sections describe VACLs:

VACL Overview, page 23-8

Bridged Packets, page 23-9

Routed Packets, page 23-10

Multicast Packets, page 23-11

VACL Overview

VACLs can provide access control for all packets that are bridged within a VLAN or that are routed into or out of a VLAN or, with releases 12.1(13)E or later, a WAN interface for VACL capture. Unlike regular Cisco IOS standard or extended ACLs, which are configured on router interfaces only and are applied to routed packets only, VACLs apply to all packets and can be applied to any VLAN or WAN interface. VACLs are processed in hardware. VACLs use Cisco IOS ACLs and ignore any Cisco IOS ACL fields that are not supported in hardware.

You can configure VACLs for IP, IPX, and MAC-Layer traffic. VACLs applied to WAN interfaces support only IP traffic for VACL capture.

When you configure a VACL and apply it to a VLAN, all packets entering the VLAN are checked against this VACL. If you apply a VACL to the VLAN and an ACL to a routed interface in the VLAN, a packet coming into the VLAN is first checked against the VACL and, if permitted, is then checked against the input ACL before it is handled by the routed interface. When the packet is routed to another VLAN, it

Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E

23-8

78-14064-04
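The following configuration is an added example, not taken from this guide, that illustrates the evaluation order described in the VACL Overview: the VACL is checked for every packet entering VLAN 12, bridged or routed, and the router ACL on the VLAN's routed interface is checked afterwards and only for routed packets. The VLAN number, the 10.12.0.0/24 addressing, the host 10.12.0.50 and all ACL and map names are assumed values chosen for the example.

```text
! Added example (not from the manual). VLAN 12 = 10.12.0.0/24 (constructed addresses).
! The VACL filters ALL packets entering the VLAN, including packets bridged between
! hosts in the same VLAN, which a router ACL never sees.

! ACLs referenced by the VACL match clauses
ip access-list extended VACL-VLAN12-DENY
 permit udp 10.12.0.0 0.0.0.255 host 10.12.0.50 eq 69
ip access-list extended VACL-VLAN12-ALLOW
 permit ip any any

! VLAN access map: sequence 10 drops intra-VLAN TFTP to 10.12.0.50, sequence 20
! forwards all other IP. Sequence 20 is required: an IP packet that matches no
! sequence of a map that contains an IP match clause is dropped by default.
vlan access-map VLAN12-MAP 10
 match ip address VACL-VLAN12-DENY
 action drop
vlan access-map VLAN12-MAP 20
 match ip address VACL-VLAN12-ALLOW
 action forward

! Apply the map to VLAN 12 (bridged and routed packets are now filtered in hardware)
vlan filter VLAN12-MAP vlan-list 12

! Router ACL on the routed interface of VLAN 12: consulted only for packets that are
! routed through this interface, and only after the VACL has permitted them.
ip access-list extended VLAN12-IN
 deny   tcp 10.12.0.0 0.0.0.255 any eq 23
 permit ip 10.12.0.0 0.0.0.255 any
interface Vlan12
 ip address 10.12.0.1 255.255.255.0
 ip access-group VLAN12-IN in

! Verification
show vlan access-map VLAN12-MAP
show vlan filter
```

With this configuration a TFTP request from one VLAN 12 host to 10.12.0.50 is dropped at the bridging level by the VACL, while a Telnet session from VLAN 12 to another VLAN passes the VACL (sequence 20) and is then denied by VLAN12-IN on interface Vlan12.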
