Restricting ARP Traffic; Configuring ACLs on Private VLANs - Cisco WS-X6066-SLB-APC - Content Switching Module Software Manual

Catalyst 6000 series software configuration guide

Using VACLs in your Network
[Figure 16-7: Deny Access to a Server on Another VLAN (diagram not reproduced; labels include a server at 10.1.1.100 and hosts in VLAN 10)]

Restricting ARP Traffic

Note: This feature is only available with Supervisor Engine 2 with PFC2.
ARP traffic is permitted on each VLAN by default. You can disallow ARP traffic on a per VLAN basis
using the set security acl ip acl_name deny arp command. When you enter this command, ARP traffic
is disallowed on the VLAN that the ACL is mapped to. To allow ARP traffic on a VLAN that has had
ARP traffic disallowed, enter the set security acl ip acl_name permit arp command.

Configuring ACLs on Private VLANs

Private VLANs allow you to split a primary VLAN into sub-VLANs (secondary VLANs) that can be
either community VLANs or isolated VLANs. In releases prior to software release 6.1(1), you could
configure ACLs on a primary VLAN only and the ACL would then be applied to all the secondary
VLANs. In software release 6.1(1) and later releases, ACLs can be applied as follows:

• You can map VACLs to secondary VLANs or primary VLANs.
• Cisco IOS ACLs that are mapped to a primary VLAN get mapped to the associated secondary VLANs.
• You cannot map Cisco IOS ACLs to secondary VLANs.
• You cannot map dynamic ACEs to a private VLAN.
• You can map QoS ACLs to secondary VLANs or primary VLANs.

If you map a VACL to a primary VLAN, it filters the traffic from the router to the host and if you map
a VACL to a secondary VLAN, it filters the traffic from the host to the router.

Source: Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4, Chapter 16, Configuring Access Control, page 16-26 (78-13315-02)
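The private VLAN mapping rules listed above can be checked mechanically before a change is pushed to a switch. The following is an added example, not code from the Cisco guide: it validates a planned set of ACL mappings and reports secondary VLANs where no VACL filters one direction of traffic. The plan format, ACL names and VLAN numbers are constructed, and it assumes a VACL on the primary VLAN covers router-to-host traffic for every associated secondary VLAN.

```python
# Added example, not from the Cisco guide. Plan format, ACL names and VLAN
# numbers are constructed; the rules are the release 6.1(1)+ ones listed above.
PRIMARY, SECONDARY = "primary", "secondary"
R2H, H2R = "router->host", "host->router"

# ACL kind -> private VLAN roles it may be mapped to, per the page.
ALLOWED = {
    "vacl": {PRIMARY, SECONDARY},
    "qos": {PRIMARY, SECONDARY},
    "ios": {PRIMARY},        # IOS ACLs cannot be mapped to secondary VLANs
    "dynamic-ace": set(),    # dynamic ACEs cannot be mapped to a private VLAN
}

def audit(pvlans, mappings):
    """pvlans: {primary: [secondaries]}; mappings: [(kind, acl_name, vlan)].
    Returns (errors, coverage); coverage[secondary][direction] lists the VACLs."""
    role = {p: PRIMARY for p in pvlans}
    role.update({s: SECONDARY for secs in pvlans.values() for s in secs})
    coverage = {s: {R2H: [], H2R: []} for s, r in role.items() if r == SECONDARY}
    errors = []
    for kind, name, vlan in mappings:
        if vlan not in role:
            continue  # not a private VLAN; these rules do not apply
        if role[vlan] not in ALLOWED[kind]:
            errors.append(f"{name}: {kind} cannot be mapped to {role[vlan]} VLAN {vlan}")
        elif kind == "vacl" and role[vlan] == PRIMARY:
            # Assumption: the primary VLAN's VACL covers router-to-host
            # traffic for every associated secondary VLAN.
            for s in pvlans[vlan]:
                coverage[s][R2H].append(name)
        elif kind == "vacl":
            coverage[vlan][H2R].append(name)  # secondary: host-to-router
    return errors, coverage

def unfiltered(coverage):
    """(secondary VLAN, direction) pairs that no VACL filters."""
    return sorted((s, d) for s, dirs in coverage.items()
                  for d, acls in dirs.items() if not acls)

# Constructed plan: primary VLAN 100 with secondary VLANs 101 and 102.
PVLANS = {100: [101, 102]}
PLAN = [("vacl", "EDGE_IN", 100), ("vacl", "HOSTS_OUT", 101),
        ("ios", "RTR_ACL", 102), ("dynamic-ace", "DYN1", 100)]

if __name__ == "__main__":
    errors, coverage = audit(PVLANS, PLAN)
    for e in errors:
        print("invalid:", e)
    for vlan, direction in unfiltered(coverage):
        print(f"VLAN {vlan}: no VACL filters {direction} traffic")
```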
