23-16
Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E
78-14064-04
Chapter 23 Configuring Network Security
Configuring VLAN ACLs
This example shows how to define and apply a VLAN access map to forward IP packets. In this example,
IP traffic matching net_10 is forwarded and all other IP packets are dropped due to the default drop
action. The map is applied to VLAN 12 to 16.
Router(config)# vlan access-map thor 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action forward
Router(config-access-map)# exit
Router(config)# vlan filter thor vlan-list 12-16
This example shows how to define and apply a VLAN access map to drop and log IP packets. In this
example, IP traffic matching net_10 is dropped and logged and all other IP packets are forwarded:
Router(config)# vlan access-map ganymede 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action drop log
Router(config-access-map)# exit
Router(config)# vlan access-map ganymede 20
Router(config-access-map)# match ip address any_host
Router(config-access-map)# action forward
Router(config-access-map)# exit
Router(config)# vlan filter ganymede vlan-list 7-9
This example shows how to define and apply a VLAN access map to forward and capture IP packets. In
this example, IP traffic matching net_10 is forwarded and captured and all other IP packets are dropped:
Router(config)# vlan access-map mordred 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action forward capture
Router(config-access-map)# exit
Router(config)# vlan filter mordred vlan-list 2, 4-6
Configuring a Capture Port
A port configured to capture VACL-filtered traffic is called a capture port.
Note To apply IEEE 802.1Q or ISL tags to the captured traffic, configure the capture port to trunk
unconditionally (see the “Configuring the Layer 2 Switching Port as an ISL or 802.1Q Trunk” section
on page 7-8 and the “Configuring the Layer 2 Trunk Not to Use DTP” section on page 7-9).
To configure a capture port, perform this task:
Command Purpose
Step 1
Router(config)# interface {{type
1
slot/port}
1. type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet
Specifies the interface to configure.
Step 2
Router(config-if)# switchport capture allowed
vlan {add | all | except | remove} vlan_list
(Optional) With Release 12.1(13)E and later releases,
filters the captured traffic on a per-destination-VLAN
basis. The default is all.
Router(config-if)# no switchport capture allowed
vlan
Clears the configured destination VLAN list and returns
to the default value (all).
Step 3
Router(config-if)# switchport capture
Configures the port to capture VACL-filtered traffic.
Router(config-if)# no switchport capture
Disables the capture function on the interface.
To Next Page
Loading...
Need help?
General
