Table of Contents
Advertisement
Chapter 35
Configuring Network Security with ACLs
VLAN Maps and Router ACL Configuration Guidelines
These guidelines are for configurations where you need to have an router ACL and a VLAN map on the
same VLAN. These guidelines do not apply to configurations where you are mapping router ACLs and
VLAN maps on different VLANs.
The switch hardware provides one lookup for security ACLs for each direction (input and output);
therefore, you must merge a router ACL and a VLAN map when they are configured on the same VLAN.
Merging the router ACL with the VLAN map might significantly increase the number of ACEs.
If you must configure a router ACL and a VLAN map on the same VLAN, use these guidelines for both
router ACL and VLAN map configuration:
•
•
•
•
Examples of Router ACLs and VLAN Maps Applied to VLANs
This section gives examples of applying router ACLs and VLAN maps to a VLAN for switched, bridged,
routed, and multicast packets. Although the following illustrations show packets being forwarded to their
destination, each time the packet's path crosses a line indicating a VLAN map or an ACL, it is also
possible that the packet might be dropped, rather than forwarded.
ACLs and Switched Packets
Figure 35-5
within the VLAN without being routed or forwarded by fallback bridging are only subject to the VLAN
map of the input VLAN.
OL-13270-06
You can configure only one VLAN map and one router ACL in each direction (input/output) on a
VLAN interface.
Whenever possible, try to write the ACL with all entries having a single action except for the final,
default action of the other type. That is, write the ACL using one of these two forms:
permit...
permit...
permit...
deny ip any any
or
deny...
deny...
deny...
permit ip any any
To define multiple actions in an ACL (permit, deny), group each action type together to reduce the
number of entries.
Avoid including Layer 4 information in an ACL; adding this information complicates the merging
process. The best merge results are obtained if the ACLs are filtered based on IP addresses (source
and destination) and not on the full flow (source IP address, destination IP address, protocol, and
protocol ports). It is also helpful to use don't care bits in the IP address, whenever possible.
If you need to specify the full-flow mode and the ACL contains both IP ACEs and TCP/UDP/ICMP
ACEs with Layer 4 information, put the Layer 4 ACEs at the end of the list. This gives priority to
the filtering of traffic based on IP addresses.
shows how an ACL is applied on packets that are switched within a VLAN. Packets switched
Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide
Using VLAN Maps with Router ACLs
35-39
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
