16-26
Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4
78-13315-02
Chapter 16 Configuring Access Control
Using VACLs in your Network
Figure 16-7 Deny Access to a Server on Another VLAN
Restricting ARP Traffic
Note
This feature is only available with Supervisor Engine 2 with PFC2.
ARP traffic is permitted on each VLAN by default. You can disallow ARP traffic on a per-VLAN basis using the set security acl ip acl_name deny arp command. When you enter this command, ARP traffic is disallowed on the VLAN that the ACL is mapped to. To allow ARP traffic on a VLAN that has had ARP traffic disallowed, enter the set security acl ip acl_name permit arp command.
Configuring ACLs on Private VLANs
Private VLANs allow you to split a primary VLAN into sub-VLANs (secondary VLANs) that can be
either community VLANs or isolated VLANs. In releases prior to software release 6.1(1), you could
configure ACLs on a primary VLAN only and the ACL would then be applied to all the secondary
VLANs. In software release 6.1(1) and later releases, ACLs can be applied as follows:
• You can map VACLs to secondary VLANs or primary VLANs.
• Cisco IOS ACLs that are mapped to a primary VLAN get mapped to the associated secondary VLANs.
• You cannot map Cisco IOS ACLs to secondary VLANs.
• You cannot map dynamic ACEs to a private VLAN.
• You can map QoS ACLs to secondary VLANs or primary VLANs.
If you map a VACL to a primary VLAN, it filters the traffic from the router to the host and if you map
a VACL to a secondary VLAN, it filters the traffic from the host to the router.
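The following CatOS session is an added example, not configuration from this guide or from Cisco; it ties together the ARP restriction above and the primary/secondary mapping rule. Only the set security acl ip ... {deny | permit} arp syntax is taken from the page; the commit, map and show commands are the CatOS 6.x syntax as assumed here, and the ACL names (NOARP, HOST2RTR), VLAN numbers and addresses are placeholders. Lines starting with "#" are annotations, not commands.

```text
# Added example (not from the guide). "#" lines are annotations, not CatOS commands.
# Assumed setup: VLAN 10 is an ordinary VLAN; VLAN 100 is a private VLAN primary with
# VLAN 101 as an associated secondary VLAN (configured elsewhere); the router's
# interface is 10.1.1.1 and 10.1.1.8 is a host on VLAN 101. ARP entries need
# Supervisor Engine 2 with PFC2.

# 1. Disallow ARP on VLAN 10. A VACL is edited, committed, then mapped; ARP is
#    disallowed only on the VLAN the ACL is mapped to.
Console> (enable) set security acl ip NOARP deny arp
Console> (enable) set security acl ip NOARP permit ip any any
Console> (enable) commit security acl NOARP
Console> (enable) set security acl map NOARP 10

# 2. Filter host-to-router traffic inside the private VLAN. Mapping the VACL to the
#    secondary VLAN (101) applies it to traffic from the host toward the router;
#    mapping it to the primary VLAN (100) would instead filter router-to-host traffic.
Console> (enable) set security acl ip HOST2RTR deny ip host 10.1.1.8 host 10.1.1.1
Console> (enable) set security acl ip HOST2RTR permit ip any any
Console> (enable) commit security acl HOST2RTR
Console> (enable) set security acl map HOST2RTR 101

# 3. Re-allow ARP on VLAN 10 when it is needed again, and commit the change.
Console> (enable) set security acl ip NOARP permit arp
Console> (enable) commit security acl NOARP

# 4. Confirm which ACL is mapped to which VLAN before trusting the filter.
Console> (enable) show security acl map all
```

The practical check is step 4: a VACL that is committed but not mapped, or mapped to the primary when host-to-router filtering was intended, silently filters nothing in the expected direction, so confirm the mapping rather than the ACE list alone.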
[Figure 16-7 labels: Catalyst 6500 series switches with PFC; Host (VLAN 20); Host (VLAN 10); Host (VLAN 10); Server (VLAN 10); VACL; Subnet 10.1.2.0/24; addresses 10.1.1.100, 10.1.1.4, 10.1.1.8]