Chapter 16
Configuring Access Control
Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4
78-13315-02
16-27

Note With software releases 6.2(1) and later, you can use two-way community VLANs to perform an inverse mapping from the primary VLAN to the secondary VLAN when the traffic crosses the boundary of a private VLAN through a promiscuous port. Both outbound and inbound traffic can be carried on the same VLAN, allowing VLAN-based VACLs to be applied in both directions on a per-community (per customer) basis.

Note For additional information on private VLANs, see the "Configuring Private VLANs" section on page 11-13.

Capturing Traffic Flows

See the "Capturing Traffic Flows on Specified Ports" section on page 16-38 for complete configuration details.

Unsupported Features

This section lists ACL-related features that are not supported or have limited support on the Catalyst 6000 family switches.

• Non-IP version 4/non-IPX Cisco IOS ACLs—The following types of Cisco IOS security ACLs cannot be enforced on the switch in the hardware; the MSFC has to process the ACL in the software, and this significantly degrades system performance:
  – Bridge-group ACLs
  – IP accounting
  – Inbound and outbound rate limiting
  – Standard IPX with source node number
  – IPX extended access lists that specify a source node number or socket numbers are not enforced in the hardware
  – Standard XNS access list
  – Extended XNS access list
  – DECnet access list
  – Extended MAC address access list
  – Protocol type-code access list
• IP packets with a header length of less than five will not be access controlled.
• Non-full-flow IPX VACL—IPX VACL is based on a flow specified by a source/destination network number, packet type, and destination node number only. The source node number and socket number are not supported when specifying the IPX flow.
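As an added example (not code from the guide), a small Python classifier that applies the limits listed above to raw Ethernet II frames and reports where ACL enforcement would happen: IPv4 with a valid header length in hardware, IPv4 whose IHL field is below five not access controlled at all, IPX matched in hardware, and other protocols on the MSFC software path. It classifies by packet type only, not by the kind of ACL configured; the EtherType constants are standard assignments assumed here and the sample frames are constructed, not captured traffic.

```python
import struct

# EtherType values assumed here (standard IEEE assignments, not from the guide).
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPX = 0x8137
ETHERTYPE_DECNET = 0x6003

def acl_enforcement_path(frame: bytes) -> str:
    """Report where a Catalyst 6000 ACL would act on this frame, per the
    guide: IPv4 with IHL >= 5 is filtered in hardware, IPv4 with IHL < 5
    is not access controlled at all, IPX is flow-matched in hardware, and
    anything else (DECnet, XNS, ...) must be processed by the MSFC."""
    if len(frame) < 14:
        return "runt"                      # no complete Ethernet header
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_IPV4:
        if len(frame) < 15:
            return "truncated"             # EtherType says IP, no IP byte
        version, ihl = frame[14] >> 4, frame[14] & 0x0F
        if version != 4:
            return "software"              # not IP version 4
        if ihl < 5:
            return "not_access_controlled" # bad header length bypasses ACLs
        return "hardware"
    if ethertype == ETHERTYPE_IPX:
        return "hardware"
    return "software"

def audit(frames) -> dict:
    """Count frames per path; 'not_access_controlled' deserves a closer look."""
    counts: dict = {}
    for frame in frames:
        path = acl_enforcement_path(frame)
        counts[path] = counts.get(path, 0) + 1
    return counts

def _frame(ethertype: int, payload: bytes) -> bytes:
    # Constructed sample frame: fixed dummy MAC addresses plus a payload.
    return (bytes.fromhex("001122334455") + bytes.fromhex("00aabbccddee")
            + struct.pack("!H", ethertype) + payload)

# Constructed sample frames (not captured traffic): the first IP byte is
# version<<4 | IHL, so 0x45 is a normal header and 0x42 an IHL of 2.
SAMPLES = {
    "ipv4_normal": _frame(ETHERTYPE_IPV4, bytes([0x45]) + bytes(19)),
    "ipv4_short_ihl": _frame(ETHERTYPE_IPV4, bytes([0x42]) + bytes(19)),
    "ipx": _frame(ETHERTYPE_IPX, bytes(30)),
    "decnet": _frame(ETHERTYPE_DECNET, bytes(30)),
}
```

Running `audit(SAMPLES.values())` over a real capture's frames gives a quick count of packets the switch hardware would not have filtered.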