Using VLAN Maps with Router ACLs - Cisco Catalyst 3550 Series Software Configuration Manual

Using VLAN Maps with Router ACLs
To access control both bridged and routed traffic, you can use VLAN maps only, or a combination of router ACLs and VLAN maps. You can define router ACLs on both input and output routed VLAN interfaces, and you can define a VLAN map to access control the bridged traffic.
Note
You cannot combine VLAN maps or input router ACLs with port ACLs on a switch.
If a packet flow matches a VLAN-map deny clause, the packet flow is denied regardless of the router ACL configuration.
Note
When you use router ACLs with VLAN maps, packets that require logging on the router ACLs are not logged if they are denied by a VLAN map.
If the VLAN map has a match clause for the type of packet (IP or MAC) and the packet does not match that clause, the default action is to drop the packet. If the VLAN map has no match clause and no action is specified, a packet that does not match any VLAN map entry is forwarded.
This section includes this information about using VLAN maps with router ACLs:
Guidelines for Using Router ACLs and VLAN Maps, page 28-36
Examples of Router ACLs and VLAN Maps Applied to VLANs, page 28-37
Guidelines for Using Router ACLs and VLAN Maps
These guidelines are for configurations where you need to have a router ACL and a VLAN map on the same VLAN. They do not apply to configurations where you are applying router ACLs and VLAN maps to different VLANs.
The switch hardware provides one lookup for security ACLs for each direction (input and output); therefore, a router ACL and a VLAN map that are configured on the same VLAN must be merged. Merging the router ACL with the VLAN map might significantly increase the number of ACEs.
If you must configure a router ACL and a VLAN map on the same VLAN, use these guidelines for both the router ACL and the VLAN map configuration:
Whenever possible, write the ACL so that all entries have a single action, except for the final, default entry of the other type. That is, write the ACL using one of these two forms:
    permit...
    permit...
    permit...
    deny ip any any
or
    deny...
    deny...
    deny...
    permit ip any any
If you must define multiple actions in an ACL (permit and deny), group the entries of each action type together to reduce the number of entries.
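The following configuration is an added illustration, not an example taken from the Cisco guide: it places a router ACL and a VLAN map on the same VLAN, writes each in the single-action form recommended above, and shows how the two interact per the notes earlier in this section. VLAN 10, the 10.1.10.0/24 subnet, the blocked services, and all object names are assumptions chosen for the example.

```cisco
! Constructed example (added here; not from the Cisco guide). VLAN 10, the
! 10.1.10.0/24 subnet and all names are assumptions.
ip routing
!
! Router ACL for routed traffic entering SVI VLAN 10. All entries are deny
! entries, followed by one final permit: the "deny..., deny..., permit ip any any"
! form, which keeps the merged ACE count down.
ip access-list extended VLAN10-ROUTED-IN
 deny   tcp 10.1.10.0 0.0.0.255 any eq telnet log
 deny   udp 10.1.10.0 0.0.0.255 any eq tftp
 permit ip any any
!
! Matching ACL used only by the VLAN map. A permit here means "this clause
! matches the packet"; the clause's action decides what happens to it.
ip access-list extended VLAN10-BLOCK-MATCH
 permit tcp any any eq telnet
 permit udp any any eq tftp
!
! VLAN map for traffic in VLAN 10. Clause 10 drops Telnet and TFTP. Clause 20
! has no match statement, so every other packet (IP or non-IP) is forwarded.
! Without clause 20, IP packets that fail the clause 10 match would be dropped
! by the default-drop rule for packet types that have a match clause.
vlan access-map VLAN10-MAP 10
 match ip address VLAN10-BLOCK-MATCH
 action drop
vlan access-map VLAN10-MAP 20
 action forward
!
vlan filter VLAN10-MAP vlan-list 10
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group VLAN10-ROUTED-IN in
!
! Verification:
!   show vlan access-map
!   show vlan filter
!   show ip access-lists VLAN10-ROUTED-IN
```

Two behaviours from this section are visible here. A Telnet packet from a host in VLAN 10 is denied by VLAN map clause 10 regardless of the router ACL, so the deny entry in VLAN10-ROUTED-IN is never reached and its log keyword produces no message; if you need those log entries, the Telnet deny must not also be dropped by the VLAN map. Both ACLs keep one action type per entry with a single default entry of the other type, which is the form that keeps the merged hardware entries small when the router ACL and VLAN map are combined on the same VLAN.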
Chapter 28
Configuring Network Security with ACLs
78-11194-09