Cisco Systems 7600 SERIES Verifying VLAN Access Map Configuration, VLAN Access Map Configuration and Verification Examples

23-15

Cisco7600 Series Router Cisco IOS Software Configuration Guide—12.1E

78-14064-04

Chapter23 Configuring Network Security

Configuring VLAN ACLs

When applying a VLAN access map, note the following syntax information:

•You can apply the VLAN access map to one or more VLANs or WAN interfaces.

•The vlan_list parameter can be a single VLAN ID or a comma-separated list of VLAN IDs or VLAN

ID ranges (vlan_ID–vlan_ID).

•If you delete a WAN interface that has a VACL applied, the VACL configuration on the interface is

also removed.

•You can apply only one VLAN access map to each VLAN or WAN interface.

•VACLs applied to VLANs are active only for VLANs with a Layer 3 VLAN interface configured.

VACLs applied to VLANs without a Layer 3 VLAN interface are inactive. With releases 12.1(13)E

and later, applying a VLAN access map to a VLAN without a Layer 3 VLAN interface creates an

administratively down Layer 3 VLAN interface to support the VLAN access map. If creation of the

Layer 3 VLAN interface fails, the VACL is inactive.

•You cannot apply a VACL to a secondary private VLAN. VACLs applied to primary private VLANs

also apply to secondary private VLANs.

•Use the no keyword to clear VLAN access maps from VLANs or WAN interfaces.

See the “VLAN Access Map Configuration and Verification Examples” section on page23-15.

Verifying VLAN Access Map Configuration

To verify VLAN access map configuration, perform this task:

VLAN Access Map Configuration and Verification Examples

Assume IP-named ACL net_10 and any_host are defined as follows:

Router# show ip access-lists net_10

Extended IP access list net_10

permit ip 10.0.0.0 0.255.255.255 any

Router# show ip access-lists any_host

Standard IP access list any_host

permit any

Router(config)# no vlan filter map_name [vlan-list

vlan_list | interface type1 number2]

Removes the VLAN access map from the specified VLANs or

WAN interfaces.

1. type = pos, atm, or serial

2. number = slot/port or slot/port_adapter/port; can include a subinterface or channel group descriptor

Command Purpose

Router# show vlan access-map [map_name] Verifies VLAN access map configuration by displaying the

content of a VLAN access map.

Router# show vlan filter [access-map map_name | vlan

vlan_id | interface type1number2]

1. type = pos, atm, or serial

2. number = slot/port or slot/port_adapter/port; can include a subinterface or channel group descriptor

Verifies VLAN access map configuration by displaying the

mappings between VACLs and VLANs.