Filter
Top Products
28-35
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
78-17058-01
Chapter 28 Configuring Network Security with ACLs
Configuring VLAN Maps
Switch(config)# ip access-list extended match_all
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map map2 20
Switch(config-access-map)# match ip address match_all
Switch(config-access-map)# action forward
Then, apply VLAN access map map2 to VLAN 1.
Switch(config)# vlan filter map2 vlan 1
Denying Access to a Server on Another VLAN
You can restrict access to a server on another VLAN. For example, server 10.1.1.100 in VLAN 10 needs
to have access denied to these hosts (see Figure 28-5):
• Hosts in subnet 10.1.2.0/8 in VLAN 20 should not have access.
• Hosts 10.1.1.4 and 10.1.1.8 in VLAN 10 should not have access.
Figure 28-5 Deny Access to a Server on Another VLAN
This example shows how to deny access to a server on another VLAN by creating the VLAN map
SERVER 1 that denies access to hosts in subnet 10.1.2.0.8, host 10.1.1.4, and host 10.1.1.8 and permits
other IP traffic. The final step is to apply the map SERVER1 to VLAN 10.
Step 1 Define the IP ACL that will match the correct packets.
Switch(config)# ip access-list extended SERVER1_ACL
Switch(config-ext-nacl))# permit ip 10.1.2.0 0.0.0.255 host 10.1.1.100
Switch(config-ext-nacl))# permit ip host 10.1.1.4 host 10.1.1.100
Switch(config-ext-nacl))# permit ip host 10.1.1.8 host 10.1.1.100
Switch(config-ext-nacl))# exit
Layer 3 switch
Host (VLAN 20)
Host (VLAN 10)
Host (VLAN 10)
Server (VLAN 10)
101356
VLAN map
Subnet
10.1.2.0/8
10.1.1.100
10.1.1.4
10.1.1.8
Packet