Chapter 23 Configuring Network Security

Configuring VLAN ACLs

 

 

is first checked against the output ACL applied to the routed interface and, if permitted, the VACL configured for the destination VLAN is applied. If a VACL is configured for a packet type and a packet of that type does not match the VACL, the default action is deny.

 

 

 

Note

VACLs and CBAC cannot be configured on the same interface.

TCP Intercepts and Reflexive ACLs take precedence over a VACL action if these are configured on the same interface.

IGMP packets are not checked against VACLs.
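The default deny described above, shown as an added configuration example that is not taken from the Cisco guide. The ACL and map names are constructed for illustration, and VLAN 10 is borrowed from the figure on this page; the first map shows the common mistake, the second the corrected form.

```cisco
! Constructed example: all names (MATCH-TELNET, MATCH-ALL-IP,
! VLAN10-DROP-ONLY, VLAN10-MAP) are hypothetical.
!
! In a VACL, an ACL "permit" entry means "this packet matches the clause".
ip access-list extended MATCH-TELNET
 permit tcp any any eq telnet
!
ip access-list extended MATCH-ALL-IP
 permit ip any any
!
! Weak form: the map contains only a drop clause for IP.
! Telnet matches sequence 10 and is dropped. Every other IP packet
! matches no clause, so the default action (deny) drops it as well.
! Applied to a VLAN, this map blocks all IP traffic in that VLAN.
vlan access-map VLAN10-DROP-ONLY 10
 match ip address MATCH-TELNET
 action drop
!
! Corrected form: same drop clause, followed by an explicit
! forward clause for the remaining IP traffic.
vlan access-map VLAN10-MAP 10
 match ip address MATCH-TELNET
 action drop
vlan access-map VLAN10-MAP 20
 match ip address MATCH-ALL-IP
 action forward
!
! Apply only the corrected map to VLAN 10.
vlan filter VLAN10-MAP vlan-list 10
!
! Verify the clauses and where the map is applied:
!   show vlan access-map VLAN10-MAP
!   show vlan filter
```

Both maps contain only IP match clauses, so the default deny applies to IP packets only; packet types with no VACL configured are not subject to it.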

 

 

 

Bridged Packets

Figure 23-1 shows a VACL applied on bridged packets.

Figure 23-1 Applying VACLs on Bridged Packets

[Figure: Host A (VLAN 10) and Host B (VLAN 10) connected through a Catalyst 6500 Series Switch with PFC; labels: VACL, Bridged]

Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E

 

78-14064-04
