Chapter 62
Configuring Network Security with ACLs
Example 4
In this example, the VLAN map is configured to drop all packets (IP and non-IP). By applying access
lists tcp-match and good-hosts, the VLAN map is configured to do the following:
• Forward all TCP packets
• Forward MAC packets from hosts 0000.0c00.0111 and 0000.0c00.0211
• Drop all other IP packets
• Drop all other MAC packets

Switch(config)# vlan access-map drop-all-default 10
Switch(config-access-map)# match ip address tcp-match
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan access-map drop-all-default 20
Switch(config-access-map)# match mac address good-hosts
Switch(config-access-map)# action forward

Applying a VLAN Map to a VLAN
To apply a VLAN map to one or more VLANs, perform this task:

Step 1
Command: Switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: Switch(config)# vlan filter mapname vlan-list list
Purpose: Applies the VLAN map to one or more VLAN IDs. The list can be a single VLAN ID (22), a
consecutive list (10-22), or a string of VLAN IDs (12, 22, 30). Spaces around commas and dashes are
optional.

Step 3
Command: Switch(config)# show running-config
Purpose: Displays the access list configuration.

Step 4
Command: Switch(config)# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.

Note: You cannot apply a VLAN map to a VLAN on a switch that has ACLs applied to Layer 2 interfaces
(port ACLs).

This example shows how to apply VLAN map 1 to VLANs 20 through 22:
Switch(config)# vlan filter map 1 vlan-list 20-22

Using VLAN Maps in Your Network
Figure 62-3 shows a typical wiring closet configuration. Host X and Host Y are in different VLANs,
connected to wiring closet switches A and C. Traffic moving from Host X to Host Y is routed by Switch
B. Access to traffic moving from Host X to Host Y can be controlled at the entry point of Switch A. In
the following configuration, the switch can support a VLAN map and a QoS classification ACL.

Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Configuring VLAN Maps
62-25
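A small Python model of Example 4 and of the vlan filter step above (an added example, not code from the Cisco guide). It assumes, as the bullet list implies, that ip match clauses are checked only against IP packets and mac clauses only against non-IP frames, and that a frame matching no entry is dropped; the ACL contents and the sample frames are constructed for the demonstration.

```python
# Added example (not from the Cisco guide): a model of the drop-all-default VLAN
# map above and of the "vlan filter ... vlan-list" syntax from the table.
from collections import namedtuple

# vlan, source MAC, whether the frame carries IP, and the IP protocol if so.
Frame = namedtuple("Frame", "vlan src_mac is_ip proto", defaults=("",))

# Named access lists referenced by the map (constructed to mirror the example).
IP_ACLS = {"tcp-match": lambda f: f.proto == "tcp"}
MAC_ACLS = {"good-hosts": lambda f: f.src_mac in {"0000.0c00.0111", "0000.0c00.0211"}}

# vlan access-map drop-all-default as (sequence, match kind, ACL name, action).
DROP_ALL_DEFAULT = [(10, "ip", "tcp-match", "forward"),
                    (20, "mac", "good-hosts", "forward")]

def parse_vlan_list(text):
    """Parse '22', '10-22' or '12, 22, 30' (spaces optional) into a set of IDs."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans

def evaluate(vlan_map, frame):
    """Walk entries in sequence order; the first match wins, otherwise drop.
    Assumption: ip clauses see only IP packets, mac clauses only non-IP frames."""
    for seq, kind, acl, action in sorted(vlan_map):
        if kind == "ip" and frame.is_ip and IP_ACLS[acl](frame):
            return seq, action
        if kind == "mac" and not frame.is_ip and MAC_ACLS[acl](frame):
            return seq, action
    return None, "drop"  # no entry matched: the map's default is to drop

def apply_filter(vlan_map, vlan_list, frames):
    """vlan filter <map> vlan-list <list>: the map acts only on listed VLANs."""
    filtered = parse_vlan_list(vlan_list)
    return [evaluate(vlan_map, f)[1] if f.vlan in filtered else "forward" for f in frames]

def demo():
    frames = [  # constructed sample frames; VLANs 20-22 are filtered, 30 is not
        Frame(20, "0000.0c00.0999", True, "tcp"),  # TCP from any host
        Frame(21, "0000.0c00.0111", True, "udp"),  # IP but not TCP
        Frame(22, "0000.0c00.0211", False),        # non-IP from a good host
        Frame(22, "0000.0c00.0999", False),        # non-IP from another host
        Frame(30, "0000.0c00.0999", False),        # VLAN 30 has no map applied
    ]
    return apply_filter(DROP_ALL_DEFAULT, "20-22", frames)
```

The second frame shows the point of the "drop all other IP packets" bullet: an IP packet from a good host still needs to match the ip clause, because the mac clause is not consulted for IP traffic.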