Routed Packets, 23-10 | Cisco Systems 7600 SERIES manual

Chapter 23 Configuring Network Security

Configuring VLAN ACLs

Routed Packets

Figure 23-2shows how ACLs are applied on routed and Layer 3-switched packets. For routed or Layer 3-switched packets, the ACLs are applied in the following order:

1.VACL for input VLAN

2.Input Cisco IOS ACL

3.Output Cisco IOS ACL

4.VACL for output VLAN

Figure 23-2 Applying VACLs on Routed Packets

		Routed
	Input IOS ACL	Output IOS ACL
	Input IOS ACL	MSFC
		MSFC
	Bridged	VACL
	Bridged
	VACL	Bridged
	VACL
		Catalyst 6500 series switches
		with MSFC
	Host A	Host B
	Host A	(VLAN 20)
	(VLAN 10)	(VLAN 20)
	(VLAN 10)

26964

	Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E
23-10	78-14064-04

Image 10

Cisco Systems 7600 SERIES manual Routed Packets, 23-10

Contents

This chapter consists of these sections ACL Configuration Guidelines23-1 Hardware and Software ACL Support 23-2 Determining Layer 4 Operation Usage 23-3 More detailed example follows Configuring the Cisco IOS Firewall Feature SetDetermining Logical Operation Unit Usage 23-4 Cisco IOS Firewall Feature Set Support Overview 23-5 Restrictions Firewall Configuration Guidelines and RestrictionsConfiguring Cbac on Cisco 7600 Series Routers Guidelines Configuring MAC Address-Based Traffic Blocking 23-7 Vacl Overview Configuring Vlan ACLsUnderstanding VACLs 23-8 Same interface VACLs and Cbac cannot be configured on the same interfaceBridged Packets Igmp packets are not checked against VACLs Routed Packets 23-10 Multicast Packets Configuring VACLsThese sections describe configuring VACLs 23-11 To define a Vlan access map, perform this task Vacl Configuration OverviewDefining a Vlan Access Map 23-12 Deletes the match clause in a Vlan access map sequence Configuring a Match Clause in a Vlan Access Map SequenceConfigures the match clause in a Vlan access map sequence 23-13 Applying a Vlan Access Map Configuring an Action Clause in a Vlan Access Map Sequence23-14 Vlan Access Map Configuration and Verification Examples Verifying Vlan Access Map Configuration23-15 Configuring a Capture Port 23-16 Configuring Vacl Logging 23-17 Configuring TCP Intercept 23-18 Understanding Unicast RPF Support Configuring Unicast Reverse Path ForwardingConfiguring Unicast RPF Enabling Self-Pinging Configuring the Unicast RPF Checking Mode 23-20 This example shows how to verify the configuration Configuring Unicast Flood Protection23-21 Configuring MAC Move Notification 23-22 23-23 23-24