VLAN Maps
106
CN4093 Application Guide for N/OS 8.2
A VLAN map (VMAP) is an ACL that can be assigned to a VLAN or VM group
rather than to a switch port as with regular ACLs. This is particularly useful in a
virtualized environment where traffic filtering and metering policies must follow
virtual machines (VMs) as they migrate between hypervisors.
VMAPs are configured using the following ISCLI command path:
CN4093(config)# accesscontrol vmap <VMAP ID (1‐128)>
action Set filter action
egressport Set to filter for packets egressing this port
ethernet Ethernet header options
ipv4 IP version 4 header options
meter ACL metering configuration
mirror Mirror options
packetformat Set to filter specific packet format types
remark ACL remark configuration
statistics Enable access control list statistics
tcpudp TCP and UDP filtering options
The CN4093 supports up to 128 VMAPs.
Individual VMAP filters are configured in the same fashion as regular ACLs,
except that VLANs cannot be specified as a filtering criteria (unnecessary, since the
VMAP are assigned to a specific VLAN or associated with a VM group VLAN).
Once a VMAP filter is created, it can be assigned or removed using the following
configuration commands:
For a regular VLAN:
CN4093(config)# vlan <VLAN ID>
CN4093(configvlan)# [no] vmap <VMap ID> [intports|extports]
For a VM group (see "VM Group Types" on page
CN4093(config)# [no] virt vmgroup <ID> vmap <VMap ID>
[intports|extports]
Note: Each VMAP can be assigned to only one VLAN or VM group. However, each
VLAN or VM group may have multiple VMAPs assigned to it.
When the optional intports or extports parameter is specified, the action to
add or remove the vMAP is applies for either the internal downlink ports or
external uplink ports only. If omitted, the operation will be applied to all ports in
the associated VLAN or VM group.
Note: VMAPs have a lower priority than port-based ACLs. If both an ACL and a
VMAP match a particular packet, both filter actions will be applied as long as there
is no conflict. In the event of a conflict, the port ACL will take priority, though switch
statistics will count matches for both the ACL and VMAP.
242):