Applies the VLAN access map to the specified VLANs

VACLs (also called VLAN access maps in Cisco IOS software) apply to all traffic on the VLAN, both traffic bridged within the VLAN and traffic routed into or out of it. You can configure VACLs for IP and MAC-layer traffic.

VACLs follow route-map conventions, in which map sequences are checked in order.

When a packet matches a permit ACE in the match clause, the switch takes the action configured for that sequence. When the packet matches a deny ACE, the switch checks the next ACL in the sequence or, if there are no more, the next sequence. A packet that matches no sequence is dropped.

Three VACL actions are permitted:

■ Permit (with capture, Catalyst 6500 only)

■ Redirect (Catalyst 6500 only)

■ Deny (with logging, Catalyst 6500 only)

The VACL capture option copies traffic to specified capture ports. VACL ACEs installed in hardware are merged with RACLs and other features.

Two features are supported on only the Cisco Catalyst 6500:

■ VACL capture: Forwarded packets are captured on capture ports. The capture option is on only permit ACEs. The capture port can be an IDS monitor port or any Ethernet port. The capture port must be in an output VLAN for Layer 3 switched traffic.

■ VACL redirect: Matching packets are redirected to specified ports. You can configure up to five redirect ports. Redirect ports must be in a VLAN where a VACL is applied.

© 2006 Cisco Systems, Inc. Minimizing Service Loss and Data Theft in a Campus Network 8-31

Configuring VACLs

To configure VACLs, complete these steps.

Step 1. Define the VLAN access map and a sequence number:
Switch(config)# vlan access-map map_name [seq#]

Step 2. In access-map configuration mode, configure the match clause that references an IP or MAC ACL (for example, match ip address 1). A sequence with no match clause matches all traffic:
Switch(config-access-map)# match {ip address {acl_number | acl_name} | mac address acl_name}

Step 3. Configure the action for that sequence:
Switch(config-access-map)# action {drop [log]} | {forward [capture]} | {redirect {{fastethernet | gigabitethernet | tengigabitethernet} slot/port} | {port-channel channel_id}}

Step 4. Apply the access map to one or more VLANs:
Switch(config)# vlan filter map_name vlan-list list

Step 5. Verify the VACL configuration:
Switch# show vlan access-map map_name
Switch# show vlan filter [access-map map_name | vlan vlan_id]

Switch(config)# vlan access-map PxR1 10
Switch(config-access-map)# match ip address 1
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vlan access-map PxR1 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter PxR1 vlan-list 1-4094
Switch(config)#

Sequence 10 drops traffic that ACL 1 permits; sequence 20 has no match clause, so it forwards all remaining traffic. Without sequence 20, traffic not matched by any sequence would be dropped by the implicit deny at the end of the access map.

The resulting configuration:

access-list 1 permit
!
vlan access-map PxR1 10
 action drop
 match ip address 1
vlan access-map PxR1 20
 action forward
vlan filter PxR1 vlan-list 1-4094
!
vlan internal allocation policy ascending
!
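The evaluation order described earlier (sequences checked in ascending order, a matching permit ACE triggers the sequence action, a matching deny ACE falls through, and a packet matching no sequence is dropped) together with the PxR1 configuration above, modeled as an added example in Python. This is not code from the course material or from Cisco IOS. The ACL contents (ACL 1 stands in for the truncated access-list 1 entry, ACL 2 is invented to show the deny-ACE case), the data structures and the variant maps are constructed for illustration, and matching is simplified to an IPv4 source address with a wildcard mask, which is what a standard numbered ACL tests.

```python
"""Model of Cisco VACL (VLAN access-map) evaluation order.

Added example, not code from the course or from Cisco IOS. It encodes the
rules the text describes: sequences are tried in ascending order; a sequence
with no match clause matches everything; inside a sequence each referenced
ACL is tried, and a packet matching a PERMIT ACE triggers the sequence's
action, while a DENY ACE (or no match at all) moves on to the next ACL and
then the next sequence; a packet matching no sequence is dropped.
Matching is simplified to IPv4 source address with a wildcard mask. The ACL
contents and maps below are constructed sample data.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class Ace:
    """One access-control entry of a standard IP ACL (hypothetical model)."""
    permit: bool
    address: str            # dotted quad, or "any"
    wildcard: str = "0.0.0.0"

    def matches(self, src: str) -> bool:
        if self.address == "any":
            return True
        a = int(IPv4Address(self.address))
        w = int(IPv4Address(self.wildcard))
        s = int(IPv4Address(src))
        # bits set in the wildcard are "don't care", so compare only the rest
        return (a & ~w) == (s & ~w)


@dataclass
class Sequence:
    """One 'vlan access-map NAME SEQ' block: its action and referenced ACLs."""
    seq: int
    action: str                                      # "drop" or "forward"
    match_acls: list = field(default_factory=list)   # ACL numbers; [] = match all


def acl_permits(acl: list, src: str) -> bool:
    """Standard ACL semantics: first matching ACE decides, implicit deny at end."""
    for ace in acl:
        if ace.matches(src):
            return ace.permit
    return False


def vacl_action(access_map: list, acls: dict, src: str) -> str:
    """Return the VACL action ("drop" or "forward") applied to a packet from src."""
    for seq in sorted(access_map, key=lambda s: s.seq):
        if not seq.match_acls:
            return seq.action           # no match clause: applies to all traffic
        for acl_num in seq.match_acls:
            if acl_permits(acls.get(acl_num, []), src):
                return seq.action       # permit ACE hit: take this sequence's action
        # every ACL denied or did not match: fall through to the next sequence
    return "drop"                       # implicit deny when no sequence matches


# Constructed ACLs. ACL 1 stands in for the page's truncated 'access-list 1
# permit' entry; ACL 2 adds a deny ACE to show the fall-through behaviour.
ACLS = {
    1: [Ace(True, "10.1.1.0", "0.0.0.255")],
    2: [Ace(False, "10.1.1.7"), Ace(True, "10.1.1.0", "0.0.0.255")],
}

# The page's PxR1 map: drop what ACL 1 permits, forward everything else.
PXR1 = [Sequence(10, "drop", [1]), Sequence(20, "forward")]
# Same map without the catch-all sequence 20 (constructed variant).
PXR1_NO_CATCHALL = [Sequence(10, "drop", [1])]
# Variant using ACL 2, whose deny ACE exempts 10.1.1.7 from the drop.
PXR1_EXEMPT = [Sequence(10, "drop", [2]), Sequence(20, "forward")]


if __name__ == "__main__":
    for name, amap, src in [
        ("PxR1", PXR1, "10.1.1.7"),
        ("PxR1", PXR1, "10.2.2.7"),
        ("PxR1 without seq 20", PXR1_NO_CATCHALL, "10.2.2.7"),
        ("PxR1 with ACL 2", PXR1_EXEMPT, "10.1.1.7"),
        ("PxR1 with ACL 2", PXR1_EXEMPT, "10.1.1.8"),
    ]:
        print(f"{name:20s} src={src:10s} -> {vacl_action(amap, ACLS, src)}")
```

The two points worth taking from the model: a deny ACE in the referenced ACL does not drop the packet, it only keeps that sequence's action from applying, and a map with no catch-all forward sequence silently drops everything it does not explicitly match.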

8-32 Building Cisco Multilayer Switched Networks (BCMSN) v3.0 © 2006 Cisco Systems, Inc.

Explaining PVLANs

This topic explains the purpose of a PVLAN.


Figure: a primary VLAN carrying two secondary VLANs, VLAN 200 (isolated) and VLAN 201 (community).

Service providers often have devices from multiple clients, in addition to their own servers, on a single demilitarized zone (DMZ) segment or VLAN. As security issues proliferate, it becomes necessary to provide traffic isolation between devices even though they exist on the same Layer 3 segment and VLAN. Catalyst 6500/4500 switches implement PVLANs to keep some switch ports shared and some switch ports isolated, although all ports exist on the same VLAN. The Catalyst 2950 and 3550 support "protected ports," which provide functionality similar to PVLANs on a per-switch basis: a protected port does not forward traffic to another protected port on the same switch.

The traditional solution to address these Internet service provider (ISP) requirements is to provide one VLAN per customer, with each VLAN having its own IP subnet. A Layer 3 device then provides interconnectivity between VLANs and Internet destinations.

Here are the challenges with this traditional solution:

■ Supporting a separate VLAN per customer may require a high number of interfaces on service provider network devices.

■ Spanning tree becomes more complicated with many VLAN instances.

■ Network address space must be divided into many subnets, which wastes space and increases management complexity.

■ Multiple ACL applications are required to maintain security on multiple VLANs, resulting in increased management complexity.

PVLANs provide Layer 2 isolation between ports within the same VLAN. This isolation eliminates the need for a separate VLAN and IP subnet per customer.


PVLAN Port Types

This subtopic discusses PVLAN port types.
