Vlan Maps With Router Acls; Vlan Maps And Router Acl Configuration Guidelines - Cisco Catalyst 2960-X Security Configuration Manual
Cisco ios release 15.0(2)ex
Hide thumbs
Also See for Catalyst 2960-X:
- Command reference manual (135 pages) ,
- Hardware installation manual (34 pages) ,
- Getting started manual (25 pages)
Table of Contents
Advertisement
VLAN Maps with Router ACLs
• If there is no ACL configured to deny traffic on an interface and no VLAN map is configured, all traffic
• Each VLAN map consists of a series of entries. The order of entries in an VLAN map is important. A
• If the VLAN map has at least one match clause for the type of packet (IP or MAC) and the packet does
• Logging is not supported for VLAN maps.
• When a switch has an IP access list or MAC access list applied to a Layer 2 interface, and you apply a
• If a VLAN map configuration cannot be applied in hardware, all packets in that VLAN are dropped.
VLAN Maps with Router ACLs
To access control both bridged and routed traffic, you can use VLAN maps only or a combination of router
ACLs and VLAN maps. You can define router ACLs on both input and output routed VLAN interfaces, and
you can define a VLAN map to access control the bridged traffic.
If a packet flow matches a VLAN-map deny clause in the ACL, regardless of the router ACL configuration,
the packet flow is denied.
When you use router ACLs with VLAN maps, packets that require logging on the router ACLs are not
Note
logged if they are denied by a VLAN map.
If the VLAN map has a match clause for the type of packet (IP or MAC) and the packet does not match the
type, the default is to drop the packet. If there is no match clause in the VLAN map, and no action specified,
the packet is forwarded if it does not match any VLAN map entry.
VLAN Maps and Router ACL Configuration Guidelines
These guidelines are for configurations where you need to have an router ACL and a VLAN map on the same
VLAN. These guidelines do not apply to configurations where you are mapping router ACLs and VLAN
maps on different VLANs.
If you must configure a router ACL and a VLAN map on the same VLAN, use these guidelines for both router
ACL and VLAN map configuration:
• You can configure only one VLAN map and one router ACL in each direction (input/output) on a VLAN
• Whenever possible, try to write the ACL with all entries having a single action except for the final,
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
152
is permitted.
packet that comes into the switch is tested against the first entry in the VLAN map. If it matches, the
action specified for that part of the VLAN map is taken. If there is no match, the packet is tested against
the next entry in the map.
not match any of these match clauses, the default is to drop the packet. If there is no match clause for
that type of packet in the VLAN map, the default is to forward the packet.
VLAN map to a VLAN that the port belongs to, the port ACL takes precedence over the VLAN map.
interface.
default action of the other type. That is, write the ACL using one of these two forms:
permit... permit... permit... deny ip any any
or
Configuring IPv4 ACLs
OL-29048-01
Hide quick links:
Advertisement
Table of Contents
