V Commands

vlan access-map

To create a new VLAN access-map entry or to configure an existing VLAN access-map entry, use the vlan access-map command. To remove a VLAN access-map entry, use the no form of this command.

vlan access-map map-name [sequence-number]

no vlan access-map map-name [sequence-number]

Syntax Description

sequence-number

(Optional) Sequence number of the VLAN access-map entry that you are creating or editing.

A sequence number can be any integer between 1 and 4294967295.

By default, the first entry in a VLAN access map has a sequence number of 10.

If you do not specify a sequence number, the device adds the rule to the end of the VLAN access map and assigns a sequence number that is 10 greater than the sequence number of the preceding entry.

When you use the no form of the command, use the sequence-number argument to specify an entry that you want to remove. Omit the sequence-number argument if you want to remove the entire VLAN access map.

map-name

Name of the VLAN access map that you want to create or configure. The map-name argument can be up to 64 alphanumeric, case-sensitive characters.

Command Default

None

Command Modes


Global configuration

Command History

Release     Modification
4.0(1)      This command was introduced.

Usage Guidelines

Each VLAN access-map entry can include one action command and one or more match commands.

Use the statistics per-entry command to configure the device to record statistics for a VLAN access-map entry.

This command does not require a license.

Examples

This example shows how to create a VLAN access map named vlan-map-01, add two entries that each have two match commands and one action command, and enable statistics for the packets matched by the second entry:


switch(config)# vlan access-map vlan-map-01
switch(config-access-map)# match ip address ip-acl-01
switch(config-access-map)# action forward
switch(config-access-map)# match mac address mac-acl-00f
switch(config-access-map)# vlan access-map vlan-map-01
switch(config-access-map)# match ip address ip-acl-320
switch(config-access-map)# match mac address mac-acl-00e
switch(config-access-map)# action drop
switch(config-access-map)# statistics per-entry
switch(config-access-map)# show vlan access-map
Vlan access-map vlan-map-01 10
        match ip: ip-acl-01
        match mac: mac-acl-00f
        action: forward
Vlan access-map vlan-map-01 20
        match ip: ip-acl-320
        match mac: mac-acl-00e
        action: drop
        statistics per-entry
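
The following Python sketch is an added example, not part of the original command reference or Cisco code: it parses the show vlan access-map output above into entries, flags entries that a reviewer might question, and predicts the sequence number the device would assign next. The function names and the review policy (every entry should have an action and statistics enabled) are assumptions made for illustration.

```python
import re
# Constructed sample: the `show vlan access-map` output shown in the example above.
SAMPLE = """\
Vlan access-map vlan-map-01 10
        match ip: ip-acl-01
        match mac: mac-acl-00f
        action: forward
Vlan access-map vlan-map-01 20
        match ip: ip-acl-320
        match mac: mac-acl-00e
        action: drop
        statistics per-entry
"""
HEADER = re.compile(r"^Vlan access-map (\S+) (\d+)$")

def parse_access_maps(text):
    """Turn the show output into one dict per access-map entry, in order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            entries.append({"map": header.group(1), "seq": int(header.group(2)),
                            "match": {}, "action": None, "statistics": False})
        elif line and not entries:
            raise ValueError(f"line before any entry header: {line!r}")
        elif line.startswith("match "):
            kind, _, acl = line[len("match "):].partition(":")
            entries[-1]["match"][kind.strip()] = acl.strip()
        elif line.startswith("action:"):
            entries[-1]["action"] = line.partition(":")[2].strip()
        elif line == "statistics per-entry":
            entries[-1]["statistics"] = True
    return entries

def audit(entries):
    """Review policy assumed here: every entry has an action and keeps statistics."""
    findings = []
    for e in entries:
        if e["action"] is None:
            findings.append(f"{e['map']} seq {e['seq']}: no action configured")
        if not e["statistics"]:
            findings.append(f"{e['map']} seq {e['seq']}: statistics per-entry not enabled")
    return findings

def next_sequence(entries, map_name):
    """Sequence number the device assigns when none is given: 10, then last + 10."""
    seqs = [e["seq"] for e in entries if e["map"] == map_name]
    return max(seqs) + 10 if seqs else 10
```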

vlan filter

To apply a VLAN access map to one or more VLANs, use the vlan filter command. To unapply a VLAN access map, use the no form of this command.

vlan filter map-name vlan-list VLAN-list

no vlan filter map-name vlan-list VLAN-list

Syntax Description

map-name

Name of the VLAN access map that you want to create or configure.

vlan-list VLAN-list

Specifies the ID of one or more VLANs that the VLAN access map filters. Valid VLAN IDs are from 1 to 4096.

Use a hyphen (-) to separate the beginning and ending IDs of a range of VLAN IDs; for example, use 70-100.

Use a comma (,) to separate individual VLAN IDs and ranges of VLAN IDs; for example, use 20,70-100,142.

Note

When you use the no form of this command, the VLAN-list argument is optional. If you omit this argument, the device removes the access map from all VLANs where the access map is applied.

Command Default

None

Command Modes


Global configuration

Command History

Release     Modification
4.0(1)      This command was introduced.

Usage Guidelines

You can apply a VLAN access map to one or more VLANs.

You can apply only one VLAN access map to a VLAN.

The no form of this command enables you to unapply a VLAN access map from all or part of the VLAN list that you specified when you applied the access map. To unapply an access map from all VLANs where it is applied, you can omit the VLAN-list argument. To unapply an access map from a subset of the VLANs where it is currently applied, use the VLAN-list argument to specify the VLANs where the access map should be removed.

This command does not require a license.

Examples

This example shows how to apply a VLAN access map named vlan-map-01 to VLANs 20 through 45:


switch# configure t
switch(config)# vlan filter vlan-map-01 vlan-list 20-45

This example shows how to use the no form of the command to unapply the VLAN access map named vlan-map-01 from VLANs 30 through 32, which leaves the access map applied to VLANs 20 through 29 and 33 through 45:


switch# show vlan filter
vlan map vlan-map-01:
        Configured on VLANs:    20-45
switch(config)# no vlan filter vlan-map-01 vlan-list 30-32
switch# show vlan filter
vlan map vlan-map-01:
        Configured on VLANs:    20-29,33-45
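
The following Python sketch is an added example, not part of the original command reference or Cisco code: it parses the VLAN-list notation described above, models what remains applied after the no form removes a subset, and checks a planned set of filters against the rule that a VLAN can carry only one access map. The function names and the plan dictionary format are assumptions made for illustration.

```python
VLAN_MIN, VLAN_MAX = 1, 4096  # valid ID range as stated in the syntax description

def parse_vlan_list(spec):
    """Expand '20,70-100,142' into a set of VLAN IDs; reject malformed items."""
    vlans = set()
    for part in spec.split(","):
        lo, dash, hi = part.strip().partition("-")
        if not lo.isdecimal() or (dash and not hi.isdecimal()):
            raise ValueError(f"bad VLAN list item: {part!r}")
        start, end = int(lo), int(hi) if dash else int(lo)
        if not VLAN_MIN <= start <= end <= VLAN_MAX:
            raise ValueError(f"VLAN IDs out of range or reversed: {part!r}")
        vlans.update(range(start, end + 1))
    return vlans

def format_vlan_list(vlans):
    """Collapse VLAN IDs back into the comma and hyphen notation."""
    ids, parts, i = sorted(vlans), [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(parts)

def unapply(applied, removed=None):
    """Model the no form: with no list, the map comes off every VLAN."""
    current = parse_vlan_list(applied)
    if removed is None:
        return ""
    return format_vlan_list(current - parse_vlan_list(removed))

def find_conflicts(plan):
    """plan maps access-map name -> VLAN list; a VLAN may carry only one map."""
    owner, conflicts = {}, {}
    for name, spec in plan.items():
        for vlan in parse_vlan_list(spec):
            if vlan in owner:
                conflicts.setdefault(vlan, {owner[vlan]}).add(name)
            else:
                owner[vlan] = name
    return conflicts
```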

vlan policy deny

To enter VLAN policy configuration mode for a user role, use the vlan policy deny command. To revert to the default VLAN policy for a user role, use the no form of this command.

vlan policy deny

no vlan policy deny

Syntax Description

This command has no arguments or keywords.

Command Default

All VLANs

Command Modes


User role configuration

Command History

Release     Modification
4.0(1)      This command was introduced.

Usage Guidelines

This command denies all VLANs to the user role except for those that you allow using the permit vlan command in user role VLAN policy configuration mode.

This command does not require a license.

Examples

This example shows how to enter user role VLAN policy configuration mode for a user role:


switch# configure t
switch(config)# role name MyRole
switch(config-role)# vlan policy deny
switch(config-role-vlan)# 

This example shows how to revert to the default VLAN policy for a user role:


switch# configure t
switch(config)# role name MyRole
switch(config-role)# no vlan policy deny

vrf policy deny

To enter virtual routing and forwarding (VRF) policy configuration mode for a user role, use the vrf policy deny command. To revert to the default VRF policy for a user role, use the no form of this command.

vrf policy deny

no vrf policy deny

Syntax Description

This command has no arguments or keywords.

Command Default

All VRFs

Command Modes


User role configuration

Command History

Release     Modification
4.0(1)      This command was introduced.

Usage Guidelines

This command denies all VRFs to the user role except for those that you allow using the permit vrf command in user role VRF policy configuration mode.

This command does not require a license.

Examples

This example shows how to enter VRF policy configuration mode for a user role:


switch# configure t
switch(config)# role name MyRole
switch(config-role)# vrf policy deny
switch(config-role-vrf)# 

This example shows how to revert to the default VRF policy for a user role:


switch# configure t
switch(config)# role name MyRole
switch(config-role)# no vrf policy deny