Cisco Systems 3130 User Manual
34-36
Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide
OL-13270-01
Chapter 34 Configuring Network Security with ACLs
Using VLAN Maps with Router ACLs
Using VLAN Maps with Router ACLs
To access control both bridged and routed traffic, you can use VLAN maps only or a combination of
router ACLs and VLAN maps. You can define router ACLs on both input and output routed VLAN
interfaces, and you can define a VLAN map to access control the bridged traffic.
router ACLs and VLAN maps. You can define router ACLs on both input and output routed VLAN
interfaces, and you can define a VLAN map to access control the bridged traffic.
If a packet flow matches a VLAN-map deny clause in the ACL, regardless of the router ACL
configuration, the packet flow is denied.
configuration, the packet flow is denied.
Note
When you use router ACLs with VLAN maps, packets that require logging on the router ACLs are not
logged if they are denied by a VLAN map.
logged if they are denied by a VLAN map.
If the VLAN map has a match clause for the type of packet (IP or MAC) and the packet does not match
the type, the default is to drop the packet. If there is no match clause in the VLAN map, and no action
specified, the packet is forwarded if it does not match any VLAN map entry.
the type, the default is to drop the packet. If there is no match clause in the VLAN map, and no action
specified, the packet is forwarded if it does not match any VLAN map entry.
These sections contain information about using VLAN maps with router ACLs:
•
•
VLAN Maps and Router ACL Configuration Guidelines
These guidelines are for configurations where you need to have an router ACL and a VLAN map on the
same VLAN. These guidelines do not apply to configurations where you are mapping router ACLs and
VLAN maps on different VLANs.
same VLAN. These guidelines do not apply to configurations where you are mapping router ACLs and
VLAN maps on different VLANs.
The switch hardware provides one lookup for security ACLs for each direction (input and output);
therefore, you must merge a router ACL and a VLAN map when they are configured on the same VLAN.
Merging the router ACL with the VLAN map might significantly increase the number of ACEs.
therefore, you must merge a router ACL and a VLAN map when they are configured on the same VLAN.
Merging the router ACL with the VLAN map might significantly increase the number of ACEs.
If you must configure a router ACL and a VLAN map on the same VLAN, use these guidelines for both
router ACL and VLAN map configuration:
router ACL and VLAN map configuration:
•
You can configure only one VLAN map and one router ACL in each direction (input/output) on a
VLAN interface.
VLAN interface.
•
Whenever possible, try to write the ACL with all entries having a single action except for the final,
default action of the other type. That is, write the ACL using one of these two forms:
default action of the other type. That is, write the ACL using one of these two forms:
permit...
permit...
permit...
deny ip any any
permit...
permit...
deny ip any any
or
deny...
deny...
deny...
permit ip any any
deny...
deny...
permit ip any any
•
To define multiple actions in an ACL (permit, deny), group each action type together to reduce the
number of entries.
number of entries.