Configuring VLAN Maps
that type of packet (IP or MAC) in the VLAN map, the default action is to drop the packet if the packet
does not match any of the entries within the map. If there is no match clause for that type of packet, the
default is to forward the packet.
To create a VLAN map and apply it to one or more VLANs, follow these steps:
Create the standard or extended IP ACLs or named MAC extended ACLs that you want to apply to the
Step 1
VLAN.
Enter the vlan access-map global configuration command to create a VLAN ACL map entry.
Step 2
In access map configuration mode, you have the option to enter an action (forward [the default] or
drop) and enter the match command to specify an IP packet or a non-IP packet and to match the packet
against one or more ACLs (standard or extended). If a match clause is not specified, the action is applied
to all packets. The match clause can be used to match against multiple ACLs. If a packet matches any of
the specified ACLs, the action is applied.
Note
Use the vlan filter global configuration command to apply a VLAN map to one or more VLANs.
Step 3
Note
You cannot apply a VLAN map to a VLAN on a switch that has ACLs applied to Layer 2 interfaces (port
ACLs).
VLAN Map Configuration Guidelines
When configuring VLAN maps, consider these guidelines:
•
•
•
•
•
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
51-18
If the VLAN map has a match clause for the type of packet (IP or MAC) and the packet does not
match the type, the default is to drop the packet. If there is no match clause in the VLAN map
for that type of packet, and no action specified, the packet is forwarded.
VLAN maps do not filter IPv4 ARP packets.
If there is no router ACL configured to deny traffic on a routed VLAN interface (input or output),
and no VLAN map configured, all traffic is permitted.
Each VLAN map consists of a series of entries. The order of entries in a VLAN map is important.
A packet that comes into the switch is tested against the first entry in the VLAN map. If it matches,
the action specified for that part of the VLAN map is taken. If there is no match, the packet is tested
against the next entry in the map.
If the VLAN map has at least one match clause for the type of packet (IP or MAC) and the packet
does not match any of these match clauses, the default is to drop the packet. If there is no match
clause for that type of packet in the VLAN map, the default is to forward the packet.
The system might take longer to boot if you have configured a very large number of ACLs.
Chapter 51
Configuring Network Security with ACLs
OL-25340-01