35-5
Software Configuration Guide—Release 12.2(25)EW
OL-6696-01
Chapter 35 Configuring Network Security with ACLs
Hardware and Software ACL Support
VLAN Maps
VLAN maps can control the access of all traffic in a VLAN. You can apply VLAN maps on the switch
to all packets that are routed into or out of a VLAN or are bridged within a VLAN. Unlike router ACLs,
VLAN maps are not defined by direction (input or output).
You can configure VLAN maps to match Layer 3 addresses for IP traffic. Access of all non-IP protocols
is controlled with a MAC address and an Ethertype using MAC ACLs in VLAN maps. (IP traffic is not
controlled by MAC ACLs in VLAN maps.) You can enforce VLAN maps only on packets going through
the switch; you cannot enforce VLAN maps on traffic between hosts on a hub or on another switch
connected to this switch.
With VLAN maps, forwarding packets is permitted or denied, based on the action specified in the map.
Figure 35-2 illustrates how a VLAN map is applied to deny a specific type of traffic from Host A in
VLAN 10 from being forwarded.
Figure 35-2 Using VLAN Maps to Control Traffic
Hardware and Software ACL Support
This section describes how to determine whether ACLs are processed in hardware or in software:
• Flows that match a deny statement in standard and extended ACLs (input only) are dropped in
hardware if ICMP unreachable messages are disabled.
• Flows that match a permit statement in standard and extended ACLs (input and output) are processed
in hardware.
• The following ACL types are not supported in software:
–
Standard Xerox Network Systems (XNS) Protocol access list
–
Extended XNS access list
–
DECnet access list
–
Protocol type-code access list
–
Standard Internet Packet Exchange (IPX) access list
–
Extended IPX access list
Si
Host B
(VLAN 10)
Host A
(VLAN 10)
94153
= VLAN map denying specific type
of traffic from Host A
= Packet
Catalyst 4500 series switch
To Next Page
Loading...
Need help?
General
