Cisco Systems 7600 SERIES manual Bridged Packets, Same interface, 23-9

Chapter 23 Configuring Network Security

Configuring VLAN ACLs

is first checked against the output ACL applied to the routed interface and, if permitted, the VACL configured for the destination VLAN is applied. If a VACL is configured for a packet type and a packet of that type does not match the VACL, the default action is deny.

Note

• VACLs and CBAC cannot be configured on the same interface.
• TCP Intercepts and Reflexive ACLs take precedence over a VACL action if these are configured on the same interface.
• IGMP packets are not checked against VACLs.
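The default deny described above is the usual way a VACL cuts off more traffic than intended. The following configuration is an added example, not taken from the Cisco guide; the ACL names, the map name, and VLAN 10 are constructed for illustration. It shows a drop rule followed by the explicit forward sequence that keeps the rest of the VLAN's IP traffic flowing.

```cisco
! Constructed example: ACL names, map name and VLAN number are illustrative.
!
! ACL that selects the traffic to be dropped inside the VLAN.
ip access-list extended BLOCK-TELNET
 permit tcp any any eq telnet
!
! ACL that matches all remaining IP traffic.
ip access-list extended ALL-IP
 permit ip any any
!
! Sequence 10: drop whatever BLOCK-TELNET matches.
vlan access-map VLAN10-FILTER 10
 match ip address BLOCK-TELNET
 action drop
!
! Sequence 20: forward everything else.
! Without this sequence the map is configured for IP packets only through
! sequence 10, so every IP packet that does not match BLOCK-TELNET falls
! through to the default deny and VLAN 10 loses all other IP traffic.
vlan access-map VLAN10-FILTER 20
 match ip address ALL-IP
 action forward
!
! Apply the map to the VLAN.
vlan filter VLAN10-FILTER vlan-list 10
```

After applying the map, `show vlan access-map` and `show vlan filter` display the sequences and the VLANs they are attached to, which is the quickest check that the forward sequence is present.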

 

 

 

Bridged Packets

Figure 23-1 shows a VACL applied on bridged packets.

Figure 23-1 Applying VACLs on Bridged Packets

[Figure: Host A (VLAN 10) and Host B (VLAN 10) connected through a Catalyst 6500 Series Switch with PFC; the VACL is applied to the bridged traffic between them.]

Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E

 

78-14064-04
