Leaflet

OL-11615-01
Console> (enable) set security acl ip IPACL1 permit host 172.20.53.4 0.0.0.0
IPACL1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable)
Console> (enable) commit security acl all
ACL commit in progress.
ACL IPACL1 is committed to hardware.
Console> (enable)
Console> (enable) set security acl map IPACL1 10
ACL IPACL1 mapped to vlan 10
Console> (enable)
This example shows a MAC-based VACL called MACACL1 that permits all traffic from
8-2-3-4-7-A. This VACL is then mapped to VLAN 20:
Console> (enable) set security acl mac MACACL1 permit host 8-2-3-4-7-A any
MACACL1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable)
Console> (enable) commit security acl all
ACL commit in progress.
ACL MACACL1 is committed to hardware.
Console> (enable)
Console> (enable) set security acl map MACACL1 20
ACL MACACL1 mapped to vlan 20
Console> (enable)
For more information on how to configure VACLs on Catalyst 6500 running Catalyst OS, refer to the
following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_5/confg_gd/acc_list.htm
Configuring VACLs in Cisco IOS
To configure a VACL in Cisco IOS software, perform the following steps:
Step 1 Create a VLAN map using the vlan access-map command.
Step 2 Set an action for the VLAN map (drop, forward) using the action VLAN map command.
Step 3 Define the match criteria based on either an IP or MAC-based ACL using the match VLAN map
command.
Step 4 Apply the VLAN map to one or more VLANs using the vlan filter command.
In the following example, the VLAN map is configured to drop IP packets and to forward MAC packets
by default. By applying standard ACL 101 and the extended named access lists igmp-match and
tcp-match, the VLAN map is configured to do the following:
Forward all UDP packets
Drop all IGMP packets
Forward all TCP packets
Drop all other IP packets
Forward all non-IP packets
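Why the map produces those five outcomes, as an added Python model that is not from the Cisco guide: entries are checked in sequence order, a packet type that has match clauses but hits none of them is dropped, and a packet type with no match clause in the map is forwarded. The sequence numbers 10/20/30 and the pairing of ACL 101 with UDP are assumptions inferred from the list above, and the ACL bodies are stand-in predicates.

```python
# Added model (not Cisco code) of Cisco IOS VLAN access-map evaluation.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, str]  # constructed packet summary, e.g. {"l3": "ip", "proto": "udp"}

# Stand-ins for the ACLs named in the text. Which protocol each one permits is
# an assumption inferred from the listed outcomes; the ACL bodies are not modelled.
ACLS: Dict[str, Callable[[Packet], bool]] = {
    "101": lambda p: p.get("proto") == "udp",
    "igmp-match": lambda p: p.get("proto") == "igmp",
    "tcp-match": lambda p: p.get("proto") == "tcp",
}

@dataclass(frozen=True)
class MapEntry:
    seq: int      # entries are checked in ascending sequence order
    kind: str     # "ip" or "mac": the ACL type named in the match clause
    acl: str
    action: str   # "forward" or "drop"

# Sequence numbers 10/20/30 are assumed for illustration.
VLAN_MAP: List[MapEntry] = [
    MapEntry(10, "ip", "101", "forward"),
    MapEntry(20, "ip", "igmp-match", "drop"),
    MapEntry(30, "ip", "tcp-match", "forward"),
]

def evaluate(vlan_map: List[MapEntry], pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason) for one packet entering the filtered VLAN."""
    kind = "ip" if pkt.get("l3") == "ip" else "mac"
    same_kind = sorted((e for e in vlan_map if e.kind == kind), key=lambda e: e.seq)
    for entry in same_kind:
        if ACLS[entry.acl](pkt):
            return entry.action, f"sequence {entry.seq} matched ACL {entry.acl}"
    if same_kind:
        # The map tests this packet type but nothing matched: dropped by default.
        return "drop", f"default: no {kind} match clause matched"
    # The map has no match clause for this packet type: forwarded by default.
    return "forward", f"default: map has no {kind} match clause"

if __name__ == "__main__":
    samples = [  # constructed packets covering the five listed outcomes
        {"l3": "ip", "proto": "udp"}, {"l3": "ip", "proto": "igmp"},
        {"l3": "ip", "proto": "tcp"}, {"l3": "ip", "proto": "icmp"},
        {"l3": "ipx"},
    ]
    for pkt in samples:
        print(pkt, "->", *evaluate(VLAN_MAP, pkt))
```

The ICMP case is the one to watch when reviewing a VLAN map: any IP protocol not named by a match clause is silently dropped once the map contains at least one IP match clause.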
!--- Initially create the IP ACLs used for the match criteria