Using Vlan Maps With Router Acls; Vlan Maps And Router Acl Configuration Guidelines - Cisco ME 3400G-2CS - Ethernet Access Switch Software Configuration Manual


Step 2
Define a VLAN map using this ACL that will drop IP packets that match SERVER1_ACL and forward IP packets that do not match the ACL.
Switch(config)# vlan access-map SERVER1_MAP
Switch(config-access-map)# match ip address SERVER1_ACL
Switch(config-access-map)# action drop
Switch(config)# vlan access-map SERVER1_MAP 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Step 3
Apply the VLAN map to VLAN 10.
Switch(config)# vlan filter SERVER1_MAP vlan-list 10
Using VLAN Maps with Router ACLs
To access control routed traffic, you can use VLAN maps only or a combination of router ACLs and VLAN maps. You can define router ACLs on both input and output routed VLAN interfaces. If a packet flow matches a VLAN-map deny clause in the ACL, the packet flow is denied regardless of the router ACL configuration.
Note
When you use router ACLs with VLAN maps, packets that require logging on the router ACLs are not logged if they are denied by a VLAN map.
If the VLAN map has at least one match clause for the type of packet (IP or MAC) and the packet does not match any of those clauses, the default is to drop the packet. If the VLAN map has no match clause for that type of packet, the packet is forwarded by default; likewise, a map entry with no action specified forwards the packets it matches.
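The decision rules above, written out as an added Python model; this is not code from the Cisco guide. SERVER1_ACL and SERVER1_MAP are the page's names, while the ACE tuple layout, the addresses and the sample packets are assumptions constructed for the example.

```python
# Added example, not code from the Cisco guide: a Python model of how a VLAN map
# and a router ACL combine on one VLAN, following the rules stated on this page.
# SERVER1_ACL / SERVER1_MAP are the page's names; all addresses, ACEs and packets
# below are constructed for illustration.

def acl_lookup(acl, pkt):
    """First-match ACE lookup with the implicit deny at the end.
    ACE = (action, src, dst, log); '*' matches any address.  Returns (permitted, log)."""
    for action, src, dst, log in acl:
        if src in ('*', pkt['src']) and dst in ('*', pkt['dst']):
            return action == 'permit', log
    return False, False          # implicit deny, never logged

def vlan_map_action(entries, acls, pkt):
    """Walk the map in sequence order.  entry = (seq, match_type, acl_name, action);
    match_type None is an entry without a match clause, which matches everything.
    A 'match ip address' clause matches when the named ACL *permits* the packet."""
    for _seq, match_type, acl_name, action in sorted(entries):
        if match_type is None:
            return action
        if match_type == pkt['type'] and acl_lookup(acls[acl_name], pkt)[0]:
            return action
    # Nothing matched: drop if the map has a match clause for this packet type
    # (IP or MAC), otherwise forward -- the default behaviour described above.
    return 'drop' if any(m == pkt['type'] for _, m, _, _ in entries) else 'forward'

def process(pkt, vmap, acls, router_acl):
    """VLAN map first; a VLAN-map drop wins regardless of the router ACL and,
    as the Note says, the router ACL never sees (or logs) that packet."""
    if vlan_map_action(vmap, acls, pkt) == 'drop':
        return 'denied by VLAN map', False
    if pkt['type'] != 'ip':      # non-IP frames are not subject to the IP router ACL
        return 'forwarded', False
    permitted, log = acl_lookup(router_acl, pkt)
    return ('forwarded' if permitted else 'denied by router ACL'), log

# Constructed data: SERVER1_ACL selects the host the map keeps away from the server;
# the router ACL on the VLAN 10 SVI denies-and-logs a second host.
ACLS = {'SERVER1_ACL': [('permit', '10.1.1.5', '10.1.2.100', False)]}
SERVER1_MAP = [(10, 'ip', 'SERVER1_ACL', 'drop'),   # match ip address SERVER1_ACL / action drop
               (20, None, None, 'forward')]         # action forward, no match clause
ROUTER_ACL = [('deny', '10.1.1.7', '*', True), ('permit', '*', '*', False)]

def ip_pkt(src, dst):
    return {'type': 'ip', 'src': src, 'dst': dst}

if __name__ == '__main__':
    for src in ('10.1.1.5', '10.1.1.7', '10.1.1.9'):
        print(src, process(ip_pkt(src, '10.1.2.100'), SERVER1_MAP, ACLS, ROUTER_ACL))
    print(vlan_map_action(SERVER1_MAP[:1], ACLS, ip_pkt('10.1.1.9', '10.1.2.100')))
```

The last line evaluates the map without its "action forward" entry and shows why that entry is needed: an IP packet that SERVER1_ACL does not select is then dropped by the default rule, while a non-IP frame is still forwarded because the map has no MAC match clause.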
These sections contain information about using VLAN maps with router ACLs:
VLAN Maps and Router ACL Configuration Guidelines, page 28-36
Examples of Router ACLs and VLAN Maps Applied to VLANs, page 28-37

VLAN Maps and Router ACL Configuration Guidelines

These guidelines are for configurations where you need to have a router ACL and a VLAN map on the same VLAN. These guidelines do not apply to configurations where you are mapping router ACLs and VLAN maps on different VLANs.
The switch hardware provides one lookup for security ACLs for each direction (input and output); therefore, you must merge a router ACL and a VLAN map when they are configured on the same VLAN. Merging the router ACL with the VLAN map might significantly increase the number of ACEs.
If you must configure a router ACL and a VLAN map on the same VLAN, use these guidelines for both router ACL and VLAN map configuration:
You can configure only one VLAN map and one router ACL in each direction (input/output) on a VLAN interface.

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide, 78-17058-01, Chapter 28, Configuring Network Security with ACLs, page 28-36
