Configuring ACLs on Private VLANs; Capturing Traffic Flows - Cisco WS-C6506 Software Manual

Catalyst 6500 series switch

Chapter 15
Configuring Access Control
Using VACLs in Your Network
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7 (OL-8978-04)

Dynamic ARP Inspection is enabled for vlan(s) 100.
Console> (enable) set port arp-inspection 2/2 trust enable
Port(s) 2/2 state set to trusted for ARP Inspection.
Console> (enable) set security acl arp-inspection dynamic log enable
Dynamic ARP Inspection logging enabled.
Console> show security acl arp-inspection config
Match-mac feature is disabled.
Address-validation feature is disabled.
Dynamic ARP Inspection is disabled on vlan(s) 1,1006-1013.
Dynamic ARP Inspection is enabled on vlan(s) 100.
Logging for Dynamic ARP Inspection rules is enabled.
Console>

Configuring ACLs on Private VLANs

Private VLANs allow you to split a primary VLAN into sub-VLANs (secondary VLANs) that can be either community VLANs or isolated VLANs. In releases prior to software release 6.1(1), you could configure ACLs on a primary VLAN only and the ACL would then be applied to all the secondary VLANs. In software release 6.1(1) and later releases, ACLs can be applied as follows:

• You can map VACLs to secondary VLANs or primary VLANs.
• Cisco IOS ACLs that are mapped to a primary VLAN get mapped to the associated secondary VLANs.
• You cannot map Cisco IOS ACLs to secondary VLANs.
• You cannot map dynamic ACEs to a private VLAN.
• You can map QoS ACLs to secondary VLANs or primary VLANs.

If you map a VACL to a primary VLAN, it filters the traffic from the router to the host and if you map a VACL to a secondary VLAN, it filters the traffic from the host to the router.

Note: With software release 6.2(1) and later releases, you can use two-way community VLANs to perform an inverse mapping from the primary VLAN to the secondary VLAN when the traffic crosses the boundary of a private VLAN through a promiscuous port. Both the outbound and inbound traffic can be carried on the same VLAN allowing VLAN-based VACLs to be applied in both directions on a per-community (per-customer) basis.

Note: For additional information on private VLANs, see the "Configuring Private VLANs on the Switch" section on page 11-19.

Capturing Traffic Flows

See the "Capturing Traffic Flows on Specified Ports" section on page 15-57 for complete configuration details.
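The direction rule from "Configuring ACLs on Private VLANs" above, shown as an added example that is not taken from the Cisco guide: one VACL mapped to the secondary VLAN filters host-to-router traffic, and a second VACL mapped to the primary VLAN filters router-to-host traffic. The VLAN numbers, port numbers, ACL names and the 192.0.2.0/24 subnet are constructed for illustration, and the lines beginning with ! are annotations, not commands.

```console
! Constructed values: primary VLAN 200, isolated secondary VLAN 201,
! host ports 4/1-4, promiscuous port 3/1, host subnet 192.0.2.0/24.

! 1. Build the private VLAN and bind the host and promiscuous ports.
Console> (enable) set vlan 200 pvlan-type primary
Console> (enable) set vlan 201 pvlan-type isolated
Console> (enable) set pvlan 200 201 4/1-4
Console> (enable) set pvlan mapping 200 201 3/1

! 2. VACL for the host-to-router direction (mapped to the secondary VLAN below).
!    Blocks Telnet from the hosts and permits other IP traffic sourced from
!    the host subnet. Anything else falls through to the implicit deny.
Console> (enable) set security acl ip PV_HOST_TO_RTR deny tcp any any eq 23
Console> (enable) set security acl ip PV_HOST_TO_RTR permit ip 192.0.2.0 0.0.0.255 any

! 3. VACL for the router-to-host direction (mapped to the primary VLAN below).
!    Permits only IP traffic destined to the host subnet.
Console> (enable) set security acl ip PV_RTR_TO_HOST permit ip any 192.0.2.0 0.0.0.255

! 4. Commit the edit buffer so the ACEs take effect.
Console> (enable) commit security acl all

! 5. Map each VACL to the VLAN that carries the direction it is meant to filter.
Console> (enable) set security acl map PV_HOST_TO_RTR 201
Console> (enable) set security acl map PV_RTR_TO_HOST 200

! 6. Confirm the private VLAN binding and the ACL-to-VLAN mappings.
Console> (enable) show pvlan 200
Console> (enable) show security acl map all
```

Mapping PV_HOST_TO_RTR to VLAN 200 instead of 201 would leave host-originated traffic unfiltered, because that traffic reaches the router on the secondary VLAN.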
