
White Paper
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 34 of 51
VLAN Access Control Lists (VACLs)
For the Cisco Catalyst OS, configuring a security ACL statement creates a VACL. This statement
is used to configure all match and action parameters for the security policy.
The VACL configuration in Cisco IOS Software is based on the traditional Cisco IOS Software ACL
implementation. That is, it relies on the Cisco IOS Software access-list command to define the
traffic matching parameters. From there, all configuration (including ACL reference and action) is
done from the "vlan access-map" configuration mode. Although the "action" keyword of Cisco IOS
Software is a CLI concept that has no direct equivalent in the Cisco Catalyst OS, the Cisco Catalyst
OS provides similar capture, log, and redirect functionality. Refer to the user documentation for
specifics on these options. The following provides a general comparison between VACL
configuration in the Cisco Catalyst OS and Cisco IOS Software.
Cisco Catalyst OS:
    set vlan 10
    set security acl ip sample permit ip any any
    commit security acl sample
    set security acl map sample 10

Cisco IOS Software:
    vlan 10
    access-list 101 permit ip any any
    vlan access-map sample
     match ip address 101
     action forward
    vlan filter sample vlan-list 10
Note: When creating a VACL in Cisco IOS Software, an SVI for that VLAN interface is created
automatically. While this interface is required, it is not necessary for the interface to be configured
or even in an “up” state for the VACL to operate properly.
In the Cisco Catalyst OS, when an ACL is created, modified, or deleted, the changes exist
temporarily in an edit buffer in memory. The Cisco Catalyst OS requires that the ACL be committed
for it to take effect. In contrast, Cisco IOS Software does not utilize the edit buffer concept. After a
policy has been built in Cisco IOS Software, it must then be mapped to a VLAN or interface for that
ACL to take effect.
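The comparison above only shows a permit-everything policy. The following is an added example (not from the white paper) of a Cisco IOS Software VACL that actually enforces a policy: it drops and logs Telnet inside VLAN 10 and forwards everything else. The VLAN number, ACL names, access-map name and sequence numbers are assumptions chosen for illustration; the syntax is the Catalyst 6500 "vlan access-map" style the paper describes.

```cisco
! Constructed example for VLAN 10 (assumed value).
vlan 10
!
! In a VACL, "permit" in the referenced ACL means "this packet matches
! the clause"; the action on the clause decides what happens to it.
ip access-list extended MATCH-TELNET
 permit tcp any any eq 23
!
ip access-list extended MATCH-ANY-IP
 permit ip any any
!
! Clause 10: packets matching MATCH-TELNET are dropped and logged.
vlan access-map BLOCK-TELNET 10
 match ip address MATCH-TELNET
 action drop log
!
! Clause 20: the catch-all. Without it, traffic that matches no clause
! is dropped by the VACL's implicit deny, cutting off the whole VLAN.
vlan access-map BLOCK-TELNET 20
 match ip address MATCH-ANY-IP
 action forward
!
! The policy does nothing until it is mapped to the VLAN.
vlan filter BLOCK-TELNET vlan-list 10
```

Two points to verify after applying such a policy: "show vlan access-map" and "show vlan filter" confirm that every clause and the VLAN mapping are present, and the catch-all forward clause must have a higher sequence number than every drop clause, because clauses are evaluated in sequence order and the first match wins.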
VACL Capture
The VACL Capture feature is a useful extension to VACLs. This feature is essentially a
port-mirroring function where packets that match the specified flows are captured and transmitted
out of capture ports. You can create a VACL to identify traffic that you would like to make a copy of
and send to a destination port for analysis (using a network analyzer or otherwise). This does not
affect the performance of the captured traffic; the original data will move through the box as it is
intended. It provides a very granular tool for network troubleshooting and analysis as well as a
scalable alternative to the traditional Switched Port Analyzer (SPAN) feature.
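As an added example (not from the white paper), the following Cisco IOS Software configuration copies only DNS traffic in VLAN 10 to an analyzer port while forwarding all VLAN traffic unchanged. The VLAN, ACL and access-map names and the interface GigabitEthernet3/1 are assumptions chosen for illustration; "action forward capture" and "switchport capture" are the Catalyst 6500 keywords for this feature.

```cisco
! Constructed example: capture DNS on VLAN 10 (assumed values).
ip access-list extended MATCH-DNS
 permit udp any any eq 53
 permit udp any eq 53 any
!
ip access-list extended MATCH-ANY-IP
 permit ip any any
!
! Clause 10: DNS packets are forwarded normally AND copied to capture ports.
vlan access-map CAPTURE-DNS 10
 match ip address MATCH-DNS
 action forward capture
!
! Clause 20: everything else is forwarded with no copy (and avoids the
! implicit deny that would otherwise drop non-DNS traffic).
vlan access-map CAPTURE-DNS 20
 match ip address MATCH-ANY-IP
 action forward
!
vlan filter CAPTURE-DNS vlan-list 10
!
! The analyzer port (assumed interface). "switchport capture allowed vlan"
! limits which VLANs' captured copies this port receives.
interface GigabitEthernet3/1
 description Analyzer (constructed example)
 switchport
 switchport capture
 switchport capture allowed vlan 10
```

Because only packets that match a "capture" clause are copied, the analyzer port sees the filtered subset rather than the whole VLAN, which is what makes this approach scale better than mirroring an entire port or VLAN with SPAN.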