Cisco WS-C6506 - Configuring ACLs on Private VLANs; Capturing Traffic Flows
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 15 Configuring Access Control
Using VACLs in Your Network
Dynamic ARP Inspection is enabled for vlan(s) 100.
Console> (enable) set port arp-inspection 2/2 trust enable
Port(s) 2/2 state set to trusted for ARP Inspection.
Console> (enable) set security acl arp-inspection dynamic log enable
Dynamic ARP Inspection logging enabled.
Console> show security acl arp-inspection config
Match-mac feature is disabled.
Address-validation feature is disabled.
Dynamic ARP Inspection is disabled on vlan(s) 1,1006-1013.
Dynamic ARP Inspection is enabled on vlan(s) 100.
Logging for Dynamic ARP Inspection rules is enabled.
Console>
Configuring ACLs on Private VLANs
Private VLANs allow you to split a primary VLAN into sub-VLANs (secondary VLANs) that can be
either community VLANs or isolated VLANs. In releases prior to software release 6.1(1), you could
configure ACLs on a primary VLAN only and the ACL would then be applied to all the secondary
VLANs. In software release 6.1(1) and later releases, ACLs can be applied as follows:
• You can map VACLs to secondary VLANs or primary VLANs.
• Cisco IOS ACLs that are mapped to a primary VLAN get mapped to the associated secondary VLANs.
• You cannot map Cisco IOS ACLs to secondary VLANs.
• You cannot map dynamic ACEs to a private VLAN.
• You can map QoS ACLs to secondary VLANs or primary VLANs.
If you map a VACL to a primary VLAN, it filters the traffic from the router to the host; if you map a VACL to a secondary VLAN, it filters the traffic from the host to the router. Because each mapping covers only one direction, a VACL on the primary VLAN alone does not inspect what the hosts send: to filter a conversation in both directions you need one VACL mapped to the primary VLAN and another mapped to the secondary VLAN.
Note With software release 6.2(1) and later releases, you can use two-way community VLANs to perform an
inverse mapping from the primary VLAN to the secondary VLAN when the traffic crosses the boundary
of a private VLAN through a promiscuous port. Both the outbound and inbound traffic can be carried on
the same VLAN allowing VLAN-based VACLs to be applied in both directions on a per-community
(per-customer) basis.
Note For additional information on private VLANs, see the “Configuring Private VLANs on the Switch”
section on page 11-19.
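The following CatOS session is an added illustration, not an example from the configuration guide. It maps one VACL to a secondary VLAN (host-to-router direction) and a second VACL to the primary VLAN (router-to-host direction) so that both directions of a host conversation are filtered. The VLAN numbers (primary VLAN 100, isolated secondary VLAN 101), the ACL names, the addresses, and the assumption that the private VLAN itself has already been built (see the "Configuring Private VLANs on the Switch" section) are all assumptions made for the example. Lines beginning with "!" are annotations and are not typed at the console; switch responses are omitted.

```text
! Assumed topology (example only): primary VLAN 100, isolated secondary VLAN 101,
! hosts in 192.0.2.0/24 with their gateway 192.0.2.1 behind the promiscuous (router)
! port, and a management network 198.51.100.0/24 reachable only through the router.

! 1. Host-to-router direction: map the VACL to the SECONDARY VLAN (101).
!    Hosts may reach anything except the management network. The trailing
!    "permit ip any any" keeps the VACL from dropping all other traffic.
Console> (enable) set security acl ip PVLAN_HOST_OUT deny ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
Console> (enable) set security acl ip PVLAN_HOST_OUT permit ip any any
Console> (enable) commit security acl PVLAN_HOST_OUT
Console> (enable) set security acl map PVLAN_HOST_OUT 101

! 2. Router-to-host direction: map the VACL to the PRIMARY VLAN (100).
!    Nothing arriving through the promiscuous port may open Telnet to a host.
Console> (enable) set security acl ip PVLAN_HOST_IN deny tcp any 192.0.2.0 0.0.0.255 eq 23
Console> (enable) set security acl ip PVLAN_HOST_IN permit ip any any
Console> (enable) commit security acl PVLAN_HOST_IN
Console> (enable) set security acl map PVLAN_HOST_IN 100

! 3. Verify that each VACL is mapped to the intended VLAN and review the
!    committed entries before trusting the filter.
Console> (enable) show security acl map all
Console> (enable) show security acl info PVLAN_HOST_OUT
Console> (enable) show security acl info PVLAN_HOST_IN
```

Mapping PVLAN_HOST_OUT to the primary VLAN instead would not achieve the intended effect, because a VACL on the primary VLAN only sees traffic from the router toward the hosts; the deny entry would never match host-originated packets. Each VACL must be committed before it can be mapped, and any later edit to the ACL entries must be committed again to take effect.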
Capturing Traffic Flows
See the “Capturing Traffic Flows on Specified Ports” section on page 15-57 for complete configuration
details.