Cisco Systems 6500 Manual

A SERVICE OF

next previous

23-15

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide—Release 12.1 E

78-14099-04

Chapter 23 Configuring Network Security

Configuring VLAN ACLs

When applying a VLAN access map, note the following syntax information:

• You can apply the VLAN access map to one or more VLANs or WAN interfaces.

• The vlan_list parameter can be a single VLAN ID or a comma-separated list of VLAN IDs or VLAN

ID ranges (vlan_ID–vlan_ID).

• If you delete a WAN interface that has a VACL applied, the VACL configuration on the interface is

also removed.

• You can apply only one VLAN access map to each VLAN or WAN interface.

• VACLs applied to VLANs are active only for VLANs with a Layer 3 VLAN interface configured.

VACLs applied to VLANs without a Layer 3 VLAN interface are inactive. With releases 12.1(13)E

and later, applying a VLAN access map to a VLAN without a Layer 3 VLAN interface creates an

administratively down Layer 3 VLAN interface to support the VLAN access map. If creation of the

Layer 3 VLAN interface fails, the VACL is inactive.

• You cannot apply a VACL to a secondary private VLAN. VACLs applied to primary private VLANs

also apply to secondary private VLANs.

• Use the no keyword to clear VLAN access maps from VLANs or WAN interfaces.

See the “VLAN Access Map Configuration and Verification Examples” section on page 23-15.

Verifying VLAN Access Map Configuration

To verify VLAN access map configuration, perform this task:

VLAN Access Map Configuration and Verification Examples

Assume IP-named ACL net_10 and any_host are defined as follows:

Router# show ip access-lists net_10

Extended IP access list net_10

permit ip 10.0.0.0 0.255.255.255 any

Router# show ip access-lists any_host

Standard IP access list any_host

permit any

Router(config)# no vlan filter map_name [vlan-list

vlan_list | interface type

1

number

2

]

Removes the VLAN access map from the specified VLANs or

WAN interfaces.

1. type = pos, atm, or serial

2. number = slot/port or slot/port_adapter/port; can include a subinterface or channel group descriptor

Command Purpose

Command Purpose

Router# show vlan access-map [map_name]

Verifies VLAN access map configuration by displaying the

content of a VLAN access map.

Router# show vlan filter [access-map map_name | vlan

vlan_id | interface type

1

number

2

]

1. type = pos, atm, or serial

2. number = slot/port or slot/port_adapter/port; can include a subinterface or channel group descriptor

Verifies VLAN access map configuration by displaying the

mappings between VACLs and VLANs.