Vlan Map Configuration Guidelines; Vlan Maps With Router Acls - Cisco Catalyst 2960-XR Security Configuration Manual

IOS Release 15.0(2)EX1
Configuring IPv4 ACLs
• Adding the log keyword to an ACE in a router ACL causes a copy of the packet to be sent to the CPU for logging only. If the ACE is a permit statement, the packet is still switched and routed in hardware.

VLAN Map Configuration Guidelines

VLAN maps are the only way to control filtering within a VLAN. VLAN maps have no direction. To filter traffic in a specific direction by using a VLAN map, you need to include an ACL with specific source or destination addresses. If there is a match clause for that type of packet (IP or MAC) in the VLAN map, the default action is to drop the packet if the packet does not match any of the entries within the map. If there is no match clause for that type of packet, the default is to forward the packet.
The following are the VLAN map configuration guidelines:
• If there is no ACL configured to deny traffic on an interface and no VLAN map is configured, all traffic is permitted.
• Each VLAN map consists of a series of entries. The order of entries in a VLAN map is important. A packet that comes into the switch is tested against the first entry in the VLAN map. If it matches, the action specified for that part of the VLAN map is taken. If there is no match, the packet is tested against the next entry in the map.
• If the VLAN map has at least one match clause for the type of packet (IP or MAC) and the packet does not match any of these match clauses, the default is to drop the packet. If there is no match clause for that type of packet in the VLAN map, the default is to forward the packet.
• Logging is not supported for VLAN maps.
• When a switch has an IP access list or MAC access list applied to a Layer 2 interface, and you apply a VLAN map to a VLAN that the port belongs to, the port ACL takes precedence over the VLAN map.
• If a VLAN map configuration cannot be applied in hardware, all packets in that VLAN are dropped.
• When a frame is Layer-2 forwarded within a private VLAN, the same VLAN map is applied at the ingress side and at the egress side. When a frame is routed from inside a private VLAN to an external port, the private-VLAN map is applied at the ingress side.
◦ For frames going upstream from a host port to a promiscuous port, the VLAN map configured on the secondary VLAN is applied.
◦ For frames going downstream from a promiscuous port to a host port, the VLAN map configured on the primary VLAN is applied.
To filter out specific IP traffic for a private VLAN, you should apply the VLAN map to both the primary and secondary VLANs.

VLAN Maps with Router ACLs

To control access for both bridged and routed traffic, you can use VLAN maps alone or a combination of router ACLs and VLAN maps. You can define router ACLs on both input and output routed VLAN interfaces, and you can define a VLAN map to control access for the bridged traffic.
If a packet flow matches a VLAN-map deny clause in the ACL, regardless of the router ACL configuration, the packet flow is denied.
OL-29434-01
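To make the evaluation order, the two default behaviours (drop when the map has a clause for the packet type but nothing matches, forward when it has no clause for that type), the port-ACL precedence and the VLAN-map-deny-wins rule concrete, here is a small Python model of the guidelines above. It is an added, constructed example, not Cisco code or IOS syntax: the Entry class, evaluate_vlan_map, combined_decision, the port_acl_action parameter and all addresses are assumptions, and a match clause is simplified to a list of source addresses it matches.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Entry:
    """One VLAN map entry: a match clause for one packet type plus an action (constructed model)."""
    seq: int
    kind: str                      # "ip" or "mac": the packet type this clause covers
    action: str                    # "forward" or "drop"
    sources: list = field(default_factory=list)  # source CIDRs (ip) or MACs (mac) it matches

    def matches(self, packet):
        if packet["kind"] != self.kind:
            return False
        if self.kind == "ip":
            src = ipaddress.ip_address(packet["src"])
            return any(src in ipaddress.ip_network(n) for n in self.sources)
        return packet["src"].lower() in {m.lower() for m in self.sources}

def evaluate_vlan_map(entries, packet, port_acl_action=None):
    """Return "forward" or "drop" for one packet entering the VLAN.

    port_acl_action (assumed name) models an IP or MAC access list on the Layer 2
    port the packet arrived on; per the guidelines it takes precedence over the map.
    """
    if port_acl_action is not None:
        return port_acl_action
    # Entries are tested in sequence order; the first matching entry decides.
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(packet):
            return entry.action
    # No entry matched: implicit drop only if the map has a clause for this packet
    # type; otherwise the packet is forwarded (no MAC clause => MAC frames pass).
    if any(e.kind == packet["kind"] for e in entries):
        return "drop"
    return "forward"

def combined_decision(vlan_map_action, router_acl_action):
    """A VLAN-map deny wins regardless of the router ACL; otherwise the router ACL decides."""
    return "drop" if vlan_map_action == "drop" else router_acl_action

# Constructed sample map: entry 10 drops 10.1.1.0/24 before entry 20 forwards the
# rest of 10.1.0.0/16, so swapping the two sequence numbers would change the result.
SAMPLE_MAP = [
    Entry(10, "ip", "drop", ["10.1.1.0/24"]),
    Entry(20, "ip", "forward", ["10.1.0.0/16"]),
]
```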
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1