Using VLAN Maps with Router ACLs
Use the no vlan access-map command with a sequence number to delete a map sequence. Use the no
version of the command without a sequence number to delete the map.
This example shows how to configure a VLAN access map to drop and log IP packets. Here IP traffic
matching the permit entries in net_10 is dropped and logged.
DomainMember(config)# vlan access-map ganymede 10
DomainMember(config-access-map)# match ip address net_10
DomainMember(config-access-map)# action drop log
DomainMember(config-access-map)# exit
This example shows how to configure global VACL logging parameters:
DomainMember(config)# vlan access-log maxflow 800
DomainMember(config)# vlan access-log threshold 4000
Note: For complete syntax and usage information of the commands used in this section, see the Cisco IOS LAN Switching Command Reference:
http://www.cisco.com/en/US/docs/ios/lanswitch/command/reference/lsw_book.html
Using VLAN Maps with Router ACLs
Note: Router ACLs and VLAN maps are not supported on switches running the LAN base feature set.
To control access for both bridged and routed traffic, you can use VLAN maps alone or a combination of router ACLs and VLAN maps. You can define router ACLs on both input and output routed VLAN interfaces, and you can define a VLAN map to control access for the bridged traffic.
If a packet flow matches a VLAN-map deny clause in the ACL, regardless of the router ACL
configuration, the packet flow is denied.
Note: When you use router ACLs with VLAN maps, packets that require logging on the router ACLs are not logged if they are denied by a VLAN map.
If the VLAN map has a match clause for the packet type (IP or MAC) and the packet does not match that type, the default is to drop the packet. If the VLAN map has no match clause and no action is specified, a packet that does not match any VLAN map entry is forwarded.
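The following configuration is added here as an illustration and is not taken from the guide; it combines the VLAN map and VACL logging commands shown earlier in this section with a router ACL on the same VLAN, so the ordering and logging behaviour described above can be seen in one place. The ACL names, addresses and VLAN number are assumed.

```cisco
! Classifier ACL for the VLAN map: its permit entries select the traffic the map acts on
ip access-list extended net_10
 permit ip 10.10.0.0 0.0.255.255 host 10.20.0.5
!
! Sequence 10: IP traffic (bridged or routed) matching net_10 is dropped and logged by the VACL.
! Sequence 20: no match clause and an explicit forward action, so all other traffic passes.
vlan access-map ganymede 10
 match ip address net_10
 action drop log
vlan access-map ganymede 20
 action forward
!
! Apply the map to VLAN 10. A flow denied here is dropped regardless of the router ACL.
vlan filter ganymede vlan-list 10
!
! Router ACL on the routed interface of VLAN 10. Its "log" keyword never fires for flows
! that map sequence 10 already dropped; only traffic forwarded by the VACL reaches this ACL.
ip access-list extended routed_in
 permit tcp 10.10.0.0 0.0.255.255 any eq 443
 deny ip any any log
!
interface Vlan10
 ip access-group routed_in in
!
! Global limits for the VACL drop-log flows (same commands as the logging example above)
vlan access-log maxflow 800
vlan access-log threshold 4000
```

Because the router ACL and VLAN map share VLAN 10, the switch merges them into one hardware lookup per direction, which is why the ACE count can grow as noted in the guidelines that follow.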
• VLAN Maps and Router ACL Configuration Guidelines, page 1-40
• Examples of Router ACLs and VLAN Maps Applied to VLANs, page 1-41
VLAN Maps and Router ACL Configuration Guidelines
These guidelines are for configurations where you need to have a router ACL and a VLAN map on the same VLAN. These guidelines do not apply to configurations where you are mapping router ACLs and VLAN maps on different VLANs.
The switch hardware provides one lookup for security ACLs for each direction (input and output); therefore, you must merge a router ACL and a VLAN map when they are configured on the same VLAN. Merging the router ACL with the VLAN map might significantly increase the number of ACEs.
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
Chapter 1 Configuring Network Security with ACLs
OL-25303-03
1-40