Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide—Release 12.1 E (78-14099-04)
Chapter 23 Configuring Network Security, page 23-15
Configuring VLAN ACLs
When applying a VLAN access map, note the following syntax information:
• You can apply the VLAN access map to one or more VLANs or WAN interfaces.
• The vlan_list parameter can be a single VLAN ID or a comma-separated list of VLAN IDs or VLAN ID ranges (vlan_ID-vlan_ID).
• If you delete a WAN interface that has a VACL applied, the VACL configuration on the interface is also removed.
• You can apply only one VLAN access map to each VLAN or WAN interface.
• VACLs applied to VLANs are active only for VLANs with a Layer 3 VLAN interface configured. VACLs applied to VLANs without a Layer 3 VLAN interface are inactive. With releases 12.1(13)E and later, applying a VLAN access map to a VLAN without a Layer 3 VLAN interface creates an administratively down Layer 3 VLAN interface to support the VLAN access map. If creation of the Layer 3 VLAN interface fails, the VACL is inactive.
• You cannot apply a VACL to a secondary private VLAN. VACLs applied to primary private VLANs also apply to secondary private VLANs.
• Use the no keyword to clear VLAN access maps from VLANs or WAN interfaces.
Command: Router(config)# no vlan filter map_name [vlan-list vlan_list | interface type(1) number(2)]
Purpose: Removes the VLAN access map from the specified VLANs or WAN interfaces.
1. type = pos, atm, or serial
2. number = slot/port or slot/port_adapter/port; can include a subinterface or channel group descriptor

See the

Verifying VLAN Access Map Configuration
To verify VLAN access map configuration, perform this task:

Command: Router# show vlan access-map [map_name]
Purpose: Verifies VLAN access map configuration by displaying the content of a VLAN access map.

Command: Router# show vlan filter [access-map map_name | vlan vlan_id | interface type(1) number(2)]
Purpose: Verifies VLAN access map configuration by displaying the mappings between VACLs and VLANs.
1. type = pos, atm, or serial
2. number = slot/port or slot/port_adapter/port; can include a subinterface or channel group descriptor

VLAN Access Map Configuration and Verification Examples
Assume that the IP named ACLs net_10 and any_host are defined as follows:

Router# show ip access-lists net_10
Extended IP access list net_10
    permit ip 10.0.0.0 0.255.255.255 any
Router# show ip access-lists any_host
Standard IP access list any_host
    permit any
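The rest of the guide's example is on the following page; as an added example (not the guide's own), here is one way the two ACLs defined above could be combined into a VLAN access map, applied, and verified. The map name net_10_only, the sequence numbers 10 and 20, and the VLAN list 10-12 are assumptions.

```cisco
! Added example, not from the original guide. Assumes the ACLs net_10 and
! any_host shown above already exist and that VLANs 10-12 exist on the switch.
! Map name net_10_only, sequence numbers 10/20 and VLAN list 10-12 are constructed.
!
! Build the VLAN access map: forward packets sourced from 10.0.0.0/8,
! drop any other IP traffic (any_host matches everything that remains).
Router(config)# vlan access-map net_10_only 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action forward
Router(config-access-map)# exit
Router(config)# vlan access-map net_10_only 20
Router(config-access-map)# match ip address any_host
Router(config-access-map)# action drop
Router(config-access-map)# exit
!
! Apply the map to a VLAN ID range (vlan_list syntax: single ID, comma list, or range).
! Only one access map can be applied to each VLAN.
Router(config)# vlan filter net_10_only vlan-list 10-12
Router(config)# end
!
! Verify the map contents and the VACL-to-VLAN mappings.
Router# show vlan access-map net_10_only
Router# show vlan filter access-map net_10_only
!
! The VACL is active only on VLANs that have a Layer 3 VLAN interface
! (it may be administratively down). Confirm one exists for each filtered
! VLAN; a VLAN with no Vlan interface listed here is not being filtered.
Router# show ip interface brief | include Vlan1[012]
!
! To remove the map from the VLANs later:
Router(config)# no vlan filter net_10_only vlan-list 10-12
```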