Which Catalyst 6500 feature provides network-security enforcement based on Layer 2, Layer 3, and Layer 4 information on a VLAN?
- NAM
- SPAN
- VACL
- 802.1X
Explanation:
VLAN access control lists (VACLs) provide network-security enforcement based on Layer 2, Layer 3, and Layer 4 information on a VLAN.
VACLs can be used to provide security based on MAC address, source and destination IP address, Layer 4 protocol, or port number. A VACL acts on all traffic in the selected VLAN, whether bridged or switched. The actions performed on a packet can include permit, redirect, or deny. VACL entries are checked in sequence, similar in concept to route-map structures. The following procedure is used to create VACLs:
1. Define a VLAN access map: switch(config)# vlan access-map name [seq#]
2. Configure a match clause: switch(config-access-map)# match {ip address {1-99 | 1300-2699 | acl_name} | mac address acl_name}
3. Configure an action clause: switch(config-access-map)# action {drop | forward | redirect}
4. Apply the map to a VLAN: switch(config)# vlan filter map_name vlan-list list
Once created, you should verify the VACLs using the following commands:
switch# show vlan access-map map_name
switch# show vlan filter
In the sample configuration shown below, all traffic in VLANs 1 through 3 that matches access list SAFE is forwarded. All other traffic is dropped, because a VACL drops any packet that matches no entry in the map.
switch(config)# vlan access-map cisco 10
switch(config-access-map)# match ip address SAFE
switch(config-access-map)# action forward
switch(config-access-map)# exit
switch(config)# vlan filter cisco vlan-list 1-3
If access list cisco were configured as shown below, for example, traffic with a source address of 172.16.10.8 would be dropped: it matches no permit entry in the access list, so the map's forward action never applies to it and the VACL's default drop takes effect.
Switch# show ip access-list cisco 10
Extended ip access list cisco 10
10 permit 10.0.0.0 255.255.255.0 any
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify switch security features