Chapter 23
Configuring Network Security
Command
Router(config)# no vlan filter map_name [vlan-list
vlan_list | interface type
1. type = pos, atm, or serial
2. number = slot/port or slot/port_adapter/port; can include a subinterface or channel group descriptor
When applying a VLAN access map, note the following syntax information:
•
•
•
•
•
•
•
See the
Verifying VLAN Access Map Configuration
To verify VLAN access map configuration, perform this task:
Command
Router# show vlan access-map [map_name]
Router# show vlan filter [access-map map_name | vlan
vlan_id | interface type
1. type = pos, atm, or serial
2. number = slot/port or slot/port_adapter/port; can include a subinterface or channel group descriptor
VLAN Access Map Configuration and Verification Examples
Assume IP-named ACL net_10 and any_host are defined as follows:
Router# show ip access-lists net_10
Extended IP access list net_10
Router# show ip access-lists any_host
Standard IP access list any_host
78-14064-04
1
2
number
]
You can apply the VLAN access map to one or more VLANs or WAN interfaces.
The vlan_list parameter can be a single VLAN ID or a comma-separated list of VLAN IDs or VLAN
ID ranges (vlan_ID–vlan_ID).
If you delete a WAN interface that has a VACL applied, the VACL configuration on the interface is
also removed.
You can apply only one VLAN access map to each VLAN or WAN interface.
VACLs applied to VLANs are active only for VLANs with a Layer 3 VLAN interface configured.
VACLs applied to VLANs without a Layer 3 VLAN interface are inactive. With releases 12.1(13)E
and later, applying a VLAN access map to a VLAN without a Layer 3 VLAN interface creates an
administratively down Layer 3 VLAN interface to support the VLAN access map. If creation of the
Layer 3 VLAN interface fails, the VACL is inactive.
You cannot apply a VACL to a secondary private VLAN. VACLs applied to primary private VLANs
also apply to secondary private VLANs.
Use the no keyword to clear VLAN access maps from VLANs or WAN interfaces.
"VLAN Access Map Configuration and Verification Examples" section on page
1
2
number
]
permit ip 10.0.0.0 0.255.255.255 any
permit any
Purpose
Removes the VLAN access map from the specified VLANs or
WAN interfaces.
Purpose
Verifies VLAN access map configuration by displaying the
content of a VLAN access map.
Verifies VLAN access map configuration by displaying the
mappings between VACLs and VLANs.
Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E
Configuring VLAN ACLs
23-15.
23-15