Cisco Systems EA6500 Manual De Usuario
23-16
Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide—Release 12.1 E
78-14099-04
Chapter 23 Configuring Network Security
Configuring VLAN ACLs
This example shows how to define and apply a VLAN access map to forward IP packets. In this example,
IP traffic matching net_10 is forwarded and all other IP packets are dropped due to the default drop
action. The map is applied to VLAN 12 to 16.
IP traffic matching net_10 is forwarded and all other IP packets are dropped due to the default drop
action. The map is applied to VLAN 12 to 16.
Router(config)# vlan access-map thor 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action forward
Router(config-access-map)# exit
Router(config)# vlan filter thor vlan-list 12-16
This example shows how to define and apply a VLAN access map to drop and log IP packets. In this
example, IP traffic matching net_10 is dropped and logged and all other IP packets are forwarded:
example, IP traffic matching net_10 is dropped and logged and all other IP packets are forwarded:
Router(config)# vlan access-map ganymede 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action drop log
Router(config-access-map)# exit
Router(config)# vlan access-map ganymede 20
Router(config-access-map)# match ip address any_host
Router(config-access-map)# action forward
Router(config-access-map)# exit
Router(config)# vlan filter ganymede vlan-list 7-9
This example shows how to define and apply a VLAN access map to forward and capture IP packets. In
this example, IP traffic matching net_10 is forwarded and captured and all other IP packets are dropped:
this example, IP traffic matching net_10 is forwarded and captured and all other IP packets are dropped:
Router(config)# vlan access-map mordred 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action forward capture
Router(config-access-map)# exit
Router(config)# vlan filter mordred vlan-list 2, 4-6
Configuring a Capture Port
A port configured to capture VACL-filtered traffic is called a capture port.
Note
To apply IEEE 802.1Q or ISL tags to the captured traffic, configure the capture port to trunk
unconditionally (see the
unconditionally (see the
and the
To configure a capture port, perform this task:
Command
Purpose
Step 1
Router(config)# interface {{type
1
slot/port}
1.
type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet
Specifies the interface to configure.
Step 2
Router(config-if)# switchport capture allowed
vlan
{add | all | except | remove} vlan_list
(Optional) With Release 12.1(13)E and later releases,
filters the captured traffic on a per-destination-VLAN
basis. The default is all.
filters the captured traffic on a per-destination-VLAN
basis. The default is all.
Router(config-if)# no switchport capture allowed
vlan
Clears the configured destination VLAN list and returns
to the default value (all).
to the default value (all).
Step 3
Router(config-if)# switchport capture
Configures the port to capture VACL-filtered traffic.
Router(config-if)# no switchport capture
Disables the capture function on the interface.