Cisco Catalyst 3750 - Wiring Closet Configuration

Catalyst 3750 Metro Switch Software Configuration Guide
78-15870-01
Chapter 25 Configuring Network Security with ACLs
Configuring VLAN Maps
Wiring Closet Configuration
In a wiring closet configuration, routing might not be enabled on the switch. In this configuration, the
switch can still support a VLAN map and a QoS classification ACL. In Figure 25-4, assume that Host X
and Host Y are in different VLANs and are connected to wiring closet switches A and C. Traffic from
Host X to Host Y is eventually being routed by Switch B, which has routing enabled. Traffic from Host
X to Host Y can be access-controlled at the traffic entry point, Switch A.
Figure 25-4 Wiring Closet Configuration
If you do not want HTTP traffic switched from Host X to Host Y, you can configure a VLAN map on
Switch A to drop all HTTP traffic from Host X (IP address 10.1.1.32) to Host Y (IP address 10.1.1.34)
at Switch A and not bridge it to Switch B.
First, define the IP access list http that permits (matches) TCP traffic from Host X to Host Y on the HTTP port.
Switch(config)# ip access-list extended http
Switch(config-ext-nacl)# permit tcp host 10.1.1.32 host 10.1.1.34 eq www
Switch(config-ext-nacl)# exit
Next, create VLAN access map map2 so that traffic that matches the http access list is dropped and all
other IP traffic is forwarded.
Switch(config)# vlan access-map map2 10
Switch(config-access-map)# match ip address http
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# ip access-list extended match_all
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map map2 20
Switch(config-access-map)# match ip address match_all
Switch(config-access-map)# action forward
Then, apply VLAN access map map2 to VLAN 1.
Switch(config)# vlan filter map2 vlan 1
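The following Python sketch is an added illustration, not part of the Cisco guide or Cisco code. It models how map2 is evaluated entry by entry and why sequence 20 is needed: when a VLAN map contains an IP match clause and a packet matches no entry, the packet is dropped. The helper names (ace, evaluate, pkt) and the sample packets are constructed for this example.

```python
# Simplified model of VLAN map evaluation for IP packets (illustration only).
HOST_X, HOST_Y = "10.1.1.32", "10.1.1.34"  # addresses from the text


def ace(src="any", dst="any", proto="ip", dport=None):
    """One 'permit' ACE; 'any', proto 'ip' and dport None act as wildcards."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


def ace_matches(a, p):
    return (a["src"] in ("any", p["src"])
            and a["dst"] in ("any", p["dst"])
            and a["proto"] in ("ip", p["proto"])
            and a["dport"] in (None, p["dport"]))


ACLS = {
    "http": [ace(HOST_X, HOST_Y, "tcp", 80)],  # permit tcp host X host Y eq www
    "match_all": [ace()],                      # permit ip any any
}

# (sequence number, ACL name, action) as entered for map2
MAP2 = [(10, "http", "drop"), (20, "match_all", "forward")]


def evaluate(vlan_map, p):
    """Return 'drop' or 'forward' for an IP packet in the filtered VLAN."""
    for _seq, acl, action in sorted(vlan_map):
        if any(ace_matches(a, p) for a in ACLS[acl]):
            return action
    # The map has an IP match clause but no entry matched: implicit drop.
    # A map with no IP match clause forwards IP packets by default.
    return "drop" if vlan_map else "forward"


def pkt(src, dst, proto, dport=None):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


if __name__ == "__main__":
    samples = [  # constructed packets
        pkt(HOST_X, HOST_Y, "tcp", 80),   # HTTP from X to Y
        pkt(HOST_X, HOST_Y, "tcp", 22),   # other TCP from X to Y
        pkt(HOST_Y, HOST_X, "tcp", 80),   # HTTP in the other direction
    ]
    for p in samples:
        print(p, "| map2:", evaluate(MAP2, p),
              "| sequence 10 only:", evaluate(MAP2[:1], p))
```

With only sequence 10 configured, every IP packet in VLAN 1 other than the matched HTTP flow would also be dropped, which is why the match_all entry with action forward follows it.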
[Figure 25-4 labels: Switch A, Switch B, Switch C; Host X (10.1.1.32); Host Y (10.1.1.34); VLAN 1; VLAN 2; Packet. Annotation: VLAN map: Deny HTTP from X to Y. HTTP is dropped at entry point.]
