Thursday, February 17, 2011

notes: VACL

VACL

- A VLAN access-map is similar to a route-map.
- It is used to apply a layer-3 filter to layer-2 transit traffic within a VLAN.
- It uses route-map logic to permit (forward) or deny (drop) traffic.
- Changes made to the access-map will not take effect until the access-map is removed and re-applied.
- ONLY an ACL permit triggers the "forward"/"drop" action in the access-map. An ACL deny is ignored (the sequence simply does not match and evaluation moves on).
- So to deny traffic with VLAN ACLs, permit the traffic in the ACL and use a "drop" action in the access-map.

MAC ACLs will only match NON-IP traffic.
- A Cisco 3560 switch sees IPv6 traffic as IP traffic, but a Cisco 3550 switch sees IPv6 traffic as NON-IP traffic.
- Ethertypes are not fully listed in the IOS command help or on the DOC-CD.

memorise!
0x0806 0x0 : ARP
0x0800 0x0 : IPv4
0x86DD 0x0 : IPv6
0xAAAA 0x0 : CISCO proprietary (STP, PAGP, VTP, PVST+, CDP, DTP, and UDLD)
0x4242 0x0 : CST

config-set: Blocks all ICMP echoes and IPv6 on VLAN 162 but forwards all other traffic
! The ACL must PERMIT the traffic that the access-map is going to drop
access-list 101 permit icmp any any echo
!
! 0x86DD = IPv6 (see the ethertype table above); on a 3560 IPv6 counts as IP
! traffic, so this MAC ACL only matches it on a switch that treats IPv6 as non-IP
mac access-list extended EtherType
 permit any any 0x86DD 0x0
!
vlan access-map VACL 10
 action drop
 match ip address 101
! seq 10 drops ICMP echo
vlan access-map VACL 20
 action drop
 match mac address EtherType
! seq 20 drops IPv6
vlan access-map VACL 30
 action forward
! seq 30 forwards all other traffic
!
vlan filter VACL vlan-list 162
! applies the access-map to VLAN 162
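Added example, not part of the original notes: a small Python model of the route-map style evaluation of a VLAN access-map. It shows why an ACL deny never drops anything (the naive "deny icmp" ACL lets the echo fall through to a forwarding clause), why the traffic to be dropped must be permitted by the ACL, and how the 3550/3560 IPv6 difference changes what the MAC ACL catches. The frames, ACL predicates and the two platform models are constructed assumptions.

```python
# Added example, not from the original post: a small simulator of the
# route-map style evaluation of a VLAN access-map, showing why an ACL
# "deny" never drops traffic and why traffic to be dropped must be
# permitted by the ACL and then hit an "action drop" clause.
# Frames, ACLs and the platform models are constructed assumptions.

def acl_permits(acl, frame):
    # First matching entry decides. Only an explicit permit makes the clause
    # match; a deny (or no match at all) just means "clause does not match".
    for action, pred in acl:
        if pred(frame):
            return action == "permit"
    return False

def evaluate_vacl(access_map, frame, ip_ethertypes):
    # access_map: (seq, action, match_kind, acl); match_kind None means a
    # clause with no match statement. ip_ethertypes: ethertypes the switch
    # treats as IP; a MAC ACL is only consulted for frames outside that set.
    for _seq, action, kind, acl in sorted(access_map, key=lambda c: c[0]):
        is_ip = frame["ethertype"] in ip_ethertypes
        if kind is None:
            return action
        if (kind == "ip" and not is_ip) or (kind == "mac" and is_ip):
            continue
        if acl_permits(acl, frame):
            return action
    return "drop"  # implicit deny at the end of every access-map

# Constructed ACLs mirroring the note's config-set (block echo and IPv6).
ACL_101 = [("permit", lambda f: f["ethertype"] == 0x0800
                       and f.get("proto") == "icmp" and f.get("icmp_type") == "echo")]
MAC_ETHERTYPE = [("permit", lambda f: f["ethertype"] == 0x86DD)]
VACL = [(10, "drop", "ip", ACL_101),
        (20, "drop", "mac", MAC_ETHERTYPE),
        (30, "forward", None, None)]

# The intuitive but wrong way: "deny icmp" in the ACL with action forward.
# The deny is ignored, so an echo falls through to clause 20 and is forwarded.
NAIVE_ACL = [("deny", lambda f: f.get("proto") == "icmp"),
             ("permit", lambda f: f["ethertype"] == 0x0800)]
NAIVE_VACL = [(10, "forward", "ip", NAIVE_ACL), (20, "forward", None, None)]

# Constructed sample frames and platform models from the note
# (a 3550 treats IPv6 as non-IP, a 3560 treats it as IP).
ICMP_ECHO = {"ethertype": 0x0800, "proto": "icmp", "icmp_type": "echo"}
TCP = {"ethertype": 0x0800, "proto": "tcp"}
IPV6 = {"ethertype": 0x86DD}
ARP = {"ethertype": 0x0806}
SW3550, SW3560 = {0x0800}, {0x0800, 0x86DD}
```

Running evaluate_vacl(VACL, IPV6, SW3550) returns "drop" while the same frame on SW3560 returns "forward", which is the 3550/3560 caveat above in action.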
