Configuring VACLs, Multicast Packets | Cisco Systems 7600 SERIES

Chapter 23 Configuring Network Security

Configuring VLAN ACLs

Multicast Packets

Figure 23-3shows how ACLs are applied on packets that need multicast expansion. For packets that need multicast expansion, the ACLs are applied in the following order:

1.Packets that need multicast expansion:

a.VACL for input VLAN

b.Input Cisco IOS ACL

2.Packets after multicast expansion:

a.Output Cisco IOS ACL

b.VACL for output VLAN (not supported with PFC2)

3.Packets originating from router—VACL for output VLAN

Figure 23-3 Applying VACLs on Multicast Packets

		Catalyst 6500 Series Switch
		with MSFC
	Routed	MSFC
	Input IOS ACL
	Bridged
	VACL
	Host A	Bridged
	(VLAN 10)	Bridged
	(VLAN 10)

IOS ACL for output VLAN for packets originating from router

Output IOS ACL

VACL (Not supported on PFC2)

Host B

(VLAN 20)

26965

Host D

(VLAN 20)

Host C

(VLAN 10)

Configuring VACLs

These sections describe configuring VACLs:

•VACL Configuration Overview, page 23-12

•Defining a VLAN Access Map, page 23-12

•Configuring a Match Clause in a VLAN Access Map Sequence, page 23-13

•Configuring an Action Clause in a VLAN Access Map Sequence, page 23-14

•Applying a VLAN Access Map, page 23-14

•Verifying VLAN Access Map Configuration, page 23-15

		Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E

	78-14064-04			23-11
	78-14064-04			23-11

Image 11

Cisco Systems 7600 SERIES manual Configuring VACLs, Multicast Packets, These sections describe configuring VACLs, 23-11

Contents

23-1 ACL Configuration GuidelinesThis chapter consists of these sections 23-2 Hardware and Software ACL Support 23-3 Determining Layer 4 Operation Usage 23-4 Configuring the Cisco IOS Firewall Feature SetDetermining Logical Operation Unit Usage More detailed example follows 23-5 Cisco IOS Firewall Feature Set Support Overview Guidelines Firewall Configuration Guidelines and RestrictionsConfiguring Cbac on Cisco 7600 Series Routers Restrictions 23-7 Configuring MAC Address-Based Traffic Blocking 23-8 Configuring Vlan ACLsUnderstanding VACLs Vacl Overview Igmp packets are not checked against VACLs VACLs and Cbac cannot be configured on the same interfaceBridged Packets Same interface 23-10 Routed Packets 23-11 Configuring VACLsThese sections describe configuring VACLs Multicast Packets 23-12 Vacl Configuration OverviewDefining a Vlan Access Map To define a Vlan access map, perform this task 23-13 Configuring a Match Clause in a Vlan Access Map SequenceConfigures the match clause in a Vlan access map sequence Deletes the match clause in a Vlan access map sequence 23-14 Configuring an Action Clause in a Vlan Access Map SequenceApplying a Vlan Access Map 23-15 Verifying Vlan Access Map ConfigurationVlan Access Map Configuration and Verification Examples 23-16 Configuring a Capture Port 23-17 Configuring Vacl Logging 23-18 Configuring TCP Intercept Enabling Self-Pinging Configuring Unicast Reverse Path ForwardingConfiguring Unicast RPF Understanding Unicast RPF Support 23-20 Configuring the Unicast RPF Checking Mode 23-21 Configuring Unicast Flood ProtectionThis example shows how to verify the configuration 23-22 Configuring MAC Move Notification 23-23 23-24