62-26
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 62 Configuring Network Security with ACLs
Configuring VLAN Maps
Figure 62-3 Wiring Closet Configuration
For example, if you do not want HTTP traffic to be switched from Host X to Host Y, you could apply a
VLAN map on Switch A to drop all HTTP traffic moving from Host X (IP address 10.1.1.32) to Host Y
(IP address 10.1.1.34) at Switch A and not bridge the traffic to Switch B. To configure this scenario, you
would do the following.
First, define an IP access list HTTP to permit (match) any TCP traffic on the HTTP port, as follows:
Switch(config)# ip access-list extended http
Switch(config-ext-nacl)# permit tcp host 10.1.1.32 host 10.1.1.34 eq www
Switch(config-ext-nacl)# exit
Next, create a VLAN access map named map2 so that traffic that matches the HTTP access list is
dropped and all other IP traffic is forwarded, as follows:
Switch(config)# vlan access-map map2 10
Switch(config-access-map)# match ip address http
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# ip access-list extended match_all
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map map2 20
Switch(config-access-map)# match ip address match_all
Switch(config-access-map)# action forward
You then apply the VLAN access map named map2 to VLAN 1, as follows:
Switch(config)# vlan filter map2 vlan 1
Catalyst 4500 series switch
Switch A Switch C
Switch B
VLAN map: Deny HTTP
from X to Y
HTTP is dropped
at entry point
Host X
10.1.1.32
Host Y
10.1.1.34
VLAN 1
VLAN 2
Packet
94154
Si
To Next Page
Loading...
Need help?
General
