23-14
Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E
78-14064-04
Chapter 23 Configuring Network Security
Configuring VLAN ACLs
Configuring an Action Clause in a VLAN Access Map Sequence
To configure an action clause in a VLAN access map sequence, perform this task:
When configuring an action clause in a VLAN access map sequence, note the following syntax
information:
• You can set the action to drop, forward, forward capture, or redirect packets.
• VACLs applied to WAN interfaces support only the forward capture action. VACLs applied to WAN
interfaces do not support the drop, forward, or redirect actions.
• Forwarded packets are still subject to any configured Cisco IOS security ACLs.
• The capture action sets the capture bit for the forwarded packets so that ports with the capture
function enabled can receive the packets. Only forwarded packets can be captured. For more
information about the capture action, see the “Configuring a Capture Port” section on page 23-16.
• The log action is supported only on Supervisor Engine 2.
• VACLs applied to WAN interfaces do not support the log action.
• When the log action is specified, dropped packets are logged in software. Only dropped IP packets
can be logged.
• The redirect action allows you to specify up to five interfaces, which can be physical interfaces or
EtherChannels. You cannot specify packets to be redirected to an EtherChannel member or a VLAN
interface.
• For systems with a Supervisor Engine 2, the redirect interface must be in the VLAN for which the
VACL access map is configured. For systems with Supervisor Engine 1, the redirect interface must
be in the redirected packet’s source VLAN.
• Use the no keyword to remove an action clause or specified redirect interfaces.
See the “VLAN Access Map Configuration and Verification Examples” section on page 23-15.
Applying a VLAN Access Map
To apply a VLAN access map, perform this task:
Command Purpose
Router(config-access-map)# action {drop [log]} |
{forward [capture]} | {redirect {{ethernet |
fastethernet | gigabitethernet | tengigabitethernet}
slot/port} | {port-channel channel_id}}
Configures the action clause in a VLAN access map
sequence.
Router(config-access-map)# no action {drop [log]} |
{forward [capture]} | {redirect {{ethernet |
fastethernet | gigabitethernet | tengigabitethernet}
slot/port} | {port-channel channel_id}}
Deletes the action clause in from the VLAN access map
sequence.
Command Purpose
Router(config)# vlan filter map_name {vlan-list
vlan_list | interface type
1
number
2
} CP_CmdPlain
Applies the VLAN access map to the specified VLANs or
WAN interfaces.
To Next Page
Loading...
Need help?
General
