Vlan Maps And Router Acl Configuration Guidelines; Vacl Logging - Cisco Catalyst 2960-XR Security Configuration Manual
Ios release 15.0 2 ex1
Hide thumbs
Also See for Catalyst 2960-XR:
- Configuration manual (196 pages) ,
- Configuration manuals (120 pages) ,
- Reference (52 pages)
Table of Contents
Advertisement
VACL Logging
When you use router ACLs with VLAN maps, packets that require logging on the router ACLs are not
Note
logged if they are denied by a VLAN map.
If the VLAN map has a match clause for the type of packet (IP or MAC) and the packet does not match the
type, the default is to drop the packet. If there is no match clause in the VLAN map, and no action specified,
the packet is forwarded if it does not match any VLAN map entry.
VLAN Maps and Router ACL Configuration Guidelines
These guidelines are for configurations where you need to have an router ACL and a VLAN map on the same
VLAN. These guidelines do not apply to configurations where you are mapping router ACLs and VLAN
maps on different VLANs.
If you must configure a router ACL and a VLAN map on the same VLAN, use these guidelines for both router
ACL and VLAN map configuration:
• You can configure only one VLAN map and one router ACL in each direction (input/output) on a VLAN
• Whenever possible, try to write the ACL with all entries having a single action except for the final,
• To define multiple actions in an ACL (permit, deny), group each action type together to reduce the
• Avoid including Layer 4 information in an ACL; adding this information complicates the merging
VACL Logging
When you configure VACL logging, syslog messages are generated for denied IP packets under these
circumstances:
• When the first matching packet is received.
• For any matching packets received within the last 5 minutes.
• If the threshold is reached before the 5-minute interval.
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
118
interface.
default action of the other type. That is, write the ACL using one of these two forms:
permit... permit... permit... deny ip any any
or
deny... deny... deny... permit ip any any
number of entries.
process. The best merge results are obtained if the ACLs are filtered based on IP addresses (source and
destination) and not on the full flow (source IP address, destination IP address, protocol, and protocol
ports). It is also helpful to use don't care bits in the IP address, whenever possible.
If you need to specify the full-flow mode and the ACL contains both IP ACEs and TCP/UDP/ICMP
ACEs with Layer 4 information, put the Layer 4 ACEs at the end of the list. This gives priority to the
filtering of traffic based on IP addresses.
Configuring IPv4 ACLs
OL-29434-01
Advertisement
Table of Contents
