Using VLAN Maps with Router ACLs; Guidelines - Cisco WS-C3750-48PS-S Software Configuration Manual

Chapter 31
Configuring Network Security with ACLs

Using VLAN Maps with Router ACLs

To apply access control to both bridged and routed traffic, you can use VLAN maps alone or a combination of router ACLs and VLAN maps. You can define router ACLs on both input and output routed VLAN interfaces, and you can define a VLAN map to apply access control to the bridged traffic.
If a packet flow matches a deny clause in the VLAN map, the flow is denied regardless of the router ACL configuration.
Note
When you use router ACLs with VLAN maps, packets that would be logged by the router ACLs are not logged if they are denied by a VLAN map. If you rely on router ACL log entries for visibility, remember that traffic dropped by a VLAN map never appears in them.
If the VLAN map contains a match clause for the packet's type (IP or MAC) and the packet matches none of the clauses for that type, the default is to drop the packet. If the VLAN map has no match clause for that packet type and no action is specified, a packet that matches no VLAN map entry is forwarded.
This section includes this information about using VLAN maps with router ACLs:
• Guidelines, page 31-37
• Examples of Router ACLs and VLAN Maps Applied to VLANs, page 31-38

Guidelines

These guidelines are for configurations where you need to have a router ACL and a VLAN map on the same VLAN. They do not apply to configurations where you apply router ACLs and VLAN maps to different VLANs.
The switch hardware provides one lookup for security ACLs in each direction (input and output); therefore, a router ACL and a VLAN map that are configured on the same VLAN must be merged into a single ACL. Merging the router ACL with the VLAN map might significantly increase the number of ACEs.
If you must configure a router ACL and a VLAN map on the same VLAN, use these guidelines for both the router ACL and the VLAN map configuration:
• You can configure only one VLAN map and one router ACL in each direction (input/output) on a VLAN interface.
• Whenever possible, write the ACL so that all entries have a single action except for the final, default action of the other type. That is, write the ACL in one of these two forms:
    permit...
    permit...
    permit...
    deny ip any any
  or
    deny...
    deny...
    deny...
    permit ip any any
• To define multiple actions in an ACL (permit, deny), group each action type together to reduce the number of entries.
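The following configuration is an added illustration of these guidelines and of the logging note above; it is not taken from the Catalyst 3750 guide. The VLAN number, addresses, ACL and map names, and the quarantined host 10.1.1.66 are assumptions chosen for the example. It places one VLAN map (for bridged traffic) and one input router ACL (for routed traffic) on the same VLAN, each written with a single action type up to its final default entry, and shows the interleaved form to avoid.

```text
! Added example; not from the Catalyst 3750 guide. VLAN 10, the addresses,
! the names and the quarantined host 10.1.1.66 are assumptions.
!
! --- Bridged traffic: VLAN map in the "deny ... deny ... permit any" form ---
! An ACL named in a match clause only classifies traffic: a "permit" entry
! means "this packet matches the clause", and the map entry's action
! (drop/forward) decides what happens to it.
ip access-list extended QUARANTINE-10-1-1-66
 permit ip host 10.1.1.66 any
 permit ip any host 10.1.1.66
!
ip access-list extended MATCH-ANY-IP
 permit ip any any
!
! Entry 10 drops all IP traffic to or from the quarantined host.
! Entry 20 explicitly forwards every other IP packet. Without it the map
! would still contain an IP match clause, so IP packets matching no entry
! would be dropped by default.
vlan access-map VLAN10-MAP 10
 match ip address QUARANTINE-10-1-1-66
 action drop
vlan access-map VLAN10-MAP 20
 match ip address MATCH-ANY-IP
 action forward
!
! Only one VLAN map can be applied to a VLAN.
vlan filter VLAN10-MAP vlan-list 10
!
! --- Routed traffic: router ACL in the "permit ... permit ... deny any" form ---
! Only one router ACL per direction on the SVI.
ip access-list extended VLAN10-ROUTED-IN
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
 permit tcp 10.1.1.0 0.0.0.255 any eq 443
 permit udp 10.1.1.0 0.0.0.255 host 10.2.2.53 eq domain
 deny ip any any log
!
interface Vlan10
 ip address 10.1.1.1 255.255.255.0
 ip access-group VLAN10-ROUTED-IN in
!
! --- Form to avoid on a VLAN that also carries a VLAN map ---
! Interleaving permit and deny entries instead of grouping them produces
! more entries once the router ACL is merged with the VLAN map.
ip access-list extended VLAN10-INTERLEAVED-AVOID
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
 deny ip host 10.1.1.66 any
 permit tcp 10.1.1.0 0.0.0.255 any eq 443
 deny ip any any
```

With this configuration, a packet from 10.1.1.66 toward another subnet is dropped by VLAN10-MAP entry 10 and is never evaluated against VLAN10-ROUTED-IN, so the log keyword on that ACL's final deny records nothing for it; a packet from any other host that fails the router ACL is logged as usual. Use show vlan access-map, show vlan filter and show ip access-lists to confirm what is applied.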
Catalyst 3750 Switch Software Configuration Guide, 78-16180-02, page 31-37
