To create a new VLAN access-map entry or to configure an existing VLAN access-map entry, use the vlan access-map command. To remove a VLAN access-map entry, use the no form of this command.
vlan access-map map-name [sequence-number]
no vlan access-map map-name [sequence-number]
| sequence-number | (Optional) Sequence number of the VLAN access-map entry that you are creating or editing. A sequence number can be any integer between 1 and 4294967295. By default, the first entry in a VLAN access map has a sequence number of 10. If you do not specify a sequence number, the device adds the rule to the end of the VLAN access map and assigns a sequence number that is 10 greater than the sequence number of the preceding entry. When you use the no form of the command, use the sequence-number argument to specify an entry that you want to remove. Omit the sequence-number argument if you want to remove the entire VLAN access map. |
| map-name | Name of the VLAN access map that you want to create or configure. The map-name argument can be up to 64 alphanumeric, case-sensitive characters. |
None
Global configuration
| Release | Modification |
|---|---|
| 4.0(1) | This command was introduced. |
Each VLAN access-map entry can include one action command and one or more match commands.
Use the statistics per-entry command to configure the device to record statistics for a VLAN access-map entry.
This command does not require a license.
This example shows how to create a VLAN access map named vlan-map-01, add two entries that each have two match commands and one action command, and enable statistics for the packets matched by the second entry:
```
switch(config)# vlan access-map vlan-map-01
switch(config-access-map)# match ip address ip-acl-01
switch(config-access-map)# action forward
switch(config-access-map)# match mac address mac-acl-00f
switch(config-access-map)# vlan access-map vlan-map-01
switch(config-access-map)# match ip address ip-acl-320
switch(config-access-map)# match mac address mac-acl-00e
switch(config-access-map)# action drop
switch(config-access-map)# statistics per-entry
switch(config-access-map)# show vlan access-map

Vlan access-map vlan-map-01 10
        match ip: ip-acl-01
        match mac: mac-acl-00f
        action: forward
Vlan access-map vlan-map-01 20
        match ip: ip-acl-320
        match mac: mac-acl-00e
        action: drop
        statistics per-entry
```
| Command | Description |
|---|---|
| action | Specifies an action for traffic filtering in a VLAN access map. |
| match | Specifies an ACL for traffic filtering in a VLAN access map. |
| show vlan access-map | Displays all VLAN access maps or a VLAN access map. |
| show vlan filter | Displays information about how a VLAN access map is applied. |
| statistics per-entry | Enables collection of statistics for each entry in an ACL. |
| vlan filter | Applies a VLAN access map to one or more VLANs. |
To apply a VLAN access map to one or more VLANs, use the vlan filter command. To unapply a VLAN access map, use the no form of this command.
vlan filter map-name vlan-list VLAN-list
no vlan filter map-name vlan-list VLAN-list
| map-name | Name of the VLAN access map that you want to create or configure. |
| vlan-list VLAN-list | Specifies the ID of one or more VLANs that the VLAN access map filters. Valid VLAN IDs are from 1 to 4096. Use a hyphen (-) to separate the beginning and ending IDs of a range of VLAN IDs; for example, use 70-100. Use a comma (,) to separate individual VLAN IDs and ranges of VLAN IDs; for example, use 20,70-100,142. |
None
Global configuration
| Release | Modification |
|---|---|
| 4.0(1) | This command was introduced. |
You can apply a VLAN access map to one or more VLANs.
You can apply only one VLAN access map to a VLAN.
The no form of this command enables you to unapply a VLAN access map from all or part of the VLAN list that you specified when you applied the access map. To unapply an access map from all VLANs where it is applied, you can omit the VLAN-list argument. To unapply an access map from a subset of the VLANs where it is currently applied, use the VLAN-list argument to specify the VLANs where the access map should be removed.
This command does not require a license.
This example shows how to apply a VLAN access map named vlan-map-01 to VLANs 20 through 45:
```
switch# configure t
switch(config)# vlan filter vlan-map-01 vlan-list 20-45
```
This example shows how to use the no form of the command to unapply the VLAN access map named vlan-map-01 from VLANs 30 through 32, which leaves the access map applied to VLANs 20 through 29 and 33 through 45:

```
switch# show vlan filter

vlan map vlan-map-01:
        Configured on VLANs: 20-45
switch(config)# no vlan filter vlan-map-01 vlan-list 30-32
switch# show vlan filter

vlan map vlan-map-01:
        Configured on VLANs: 20-29,33-45
```
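The following Python script is an added example, not part of the Cisco documentation. It parses the VLAN-list syntax described above and computes, before a change is made, which VLANs stay filtered and which lose the access map after a partial `no vlan filter`. The function names are hypothetical, and the 1 to 4096 bound is taken from this page.

```python
VLAN_MIN, VLAN_MAX = 1, 4096  # valid ID range as stated in this reference

def parse_vlan_list(text):
    """Expand a VLAN-list string such as '20,70-100,142' into a set of IDs."""
    ids = set()
    for part in text.split(","):
        lo, sep, hi = part.strip().partition("-")
        if not lo.isdigit() or (sep and not hi.isdigit()):
            raise ValueError(f"bad VLAN-list element: {part!r}")
        first, last = int(lo), (int(hi) if sep else int(lo))
        if not VLAN_MIN <= first <= last <= VLAN_MAX:
            raise ValueError(f"VLAN ID out of range or reversed: {part!r}")
        ids.update(range(first, last + 1))
    return ids

def format_vlan_list(ids):
    """Collapse a set of IDs into the compact form 'show vlan filter' prints."""
    parts, start, prev = [], None, None
    for v in sorted(ids) + [None]:  # the trailing None flushes the final run
        if start is not None and v == prev + 1:
            prev = v
            continue
        if start is not None:
            parts.append(str(start) if start == prev else f"{start}-{prev}")
        start = prev = v
    return ",".join(parts)

def plan_unapply(applied, removed=None):
    """Model 'no vlan filter': return (still filtered, losing the filter,
    named but not currently filtered). Omit `removed` to unapply everywhere."""
    current = parse_vlan_list(applied)
    gone = current if removed is None else parse_vlan_list(removed)
    return (format_vlan_list(current - gone),
            format_vlan_list(current & gone),
            format_vlan_list(gone - current))

if __name__ == "__main__":
    kept, lost, stray = plan_unapply("20-45", "30-32")  # the example above
    print(f"still filtered: {kept}\nlosing filter: {lost}\nnot applied: {stray!r}")
```

The third return value lists VLANs named in the removal that the map was never applied to, which usually indicates a typo in the change request.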
| Command | Description |
|---|---|
| action | Specifies an action for traffic filtering in a VLAN access map. |
| match | Specifies an ACL for traffic filtering in a VLAN access map. |
| show vlan access-map | Displays all VLAN access maps or a VLAN access map. |
| show vlan filter | Displays information about how a VLAN access map is applied. |
| vlan access-map | Configures a VLAN access map. |
To enter VLAN policy configuration mode for a user role, use the vlan policy deny command. To revert to the default VLAN policy for a user role, use the no form of this command.
vlan policy deny
no vlan policy deny
This command has no arguments or keywords.
All VLANs
User role configuration
| Release | Modification |
|---|---|
| 4.0(1) | This command was introduced. |
This command denies all VLANs to the user role except for those that you allow using the permit vlan command in user role VLAN policy configuration mode.
This command does not require a license.
This example shows how to enter user role VLAN policy configuration mode for a user role:
```
switch# configure t
switch(config)# role name MyRole
switch(config-role)# vlan policy deny
switch(config-role-vlan)#
```
This example shows how to revert to the default VLAN policy for a user role:
```
switch# configure t
switch(config)# role name MyRole
switch(config-role)# no vlan policy deny
```
| Command | Description |
|---|---|
| permit vlan | Allows a VLAN in a user role VLAN policy. |
| role name | Creates or specifies a user role and enters user role configuration mode. |
| show role | Displays user role information. |
To enter virtual forwarding and routing instance (VRF) policy configuration mode for a user role, use the vrf policy deny command. To revert to the default VRF policy for a user role, use the no form of this command.
vrf policy deny
no vrf policy deny
This command has no arguments or keywords.
All VRFs
User role configuration
| Release | Modification |
|---|---|
| 4.0(1) | This command was introduced. |
This command denies all VRFs to the user role except for those that you allow using the permit vrf command in user role VRF policy configuration mode.
This command does not require a license.
This example shows how to enter VRF policy configuration mode for a user role:
```
switch# configure t
switch(config)# role name MyRole
switch(config-role)# vrf policy deny
switch(config-role-vrf)#
```
This example shows how to revert to the default VRF policy for a user role:
```
switch# configure t
switch(config)# role name MyRole
switch(config-role)# no vrf policy deny
```
| Command | Description |
|---|---|
| vrf permit | Permits VRFs in a user role VRF policy. |
| role name | Creates or specifies a user role and enters user role configuration mode. |
| show role | Displays user role information. |