Catalyst 3550 Multilayer Switch Software Configuration Guide, 78-11194-03, page 19-35
Chapter 19 Configuring Network Security with ACLs: Configuring VLAN Maps
Then, apply VLAN access map map2 to VLAN 1.
Switch(config)# vlan filter map2 vlan 1
Denying Access to a Server on Another VLAN
You can restrict access to a server on another VLAN. For example, server 10.1.1.100 in VLAN 10 needs
to have access restricted as follows (see Figure 19-5):
Hosts in subnet 10.1.2.0/24 (wildcard mask 0.0.0.255) in VLAN 20 should not have access.
Hosts 10.1.1.4 and 10.1.1.8 in VLAN 10 should not have access.
Figure 19-5 Deny Access to a Server on Another VLAN
This example shows how to deny access to a server on another VLAN by creating the VLAN map
SERVER1_MAP that denies access to hosts in subnet 10.1.2.0/24, host 10.1.1.4, and host 10.1.1.8 and permits
other IP traffic. The final step is to apply the map SERVER1_MAP to VLAN 10.
Step 1 Define the IP ACL that will match the correct packets.
Switch(config)# ip access-list extended SERVER1_ACL
Switch(config-ext-nacl)# permit ip 10.1.2.0 0.0.0.255 host 10.1.1.100
Switch(config-ext-nacl)# permit ip host 10.1.1.4 host 10.1.1.100
Switch(config-ext-nacl)# permit ip host 10.1.1.8 host 10.1.1.100
Switch(config-ext-nacl)# exit
Step 2 Define a VLAN map using this ACL that will drop IP packets that match SERVER1_ACL and forward
IP packets that do not match the ACL. Note that the permit entries in SERVER1_ACL select the traffic to drop: in a VLAN map the ACL's permit and deny only decide whether a packet matches the clause, and the clause's action decides what happens to it. The second clause, which has no match statement, is required because a packet that matches no clause of a VLAN map is dropped.
Switch(config)# vlan access-map SERVER1_MAP
Switch(config-access-map)# match ip address SERVER1_ACL
Switch(config-access-map)# action drop
Switch(config)# vlan access-map SERVER1_MAP 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Step 3 Apply the VLAN map to VLAN 10.
Switch(config)# vlan filter SERVER1_MAP vlan-list 10
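The three steps above define a small evaluation procedure: the ACL's permit entries select traffic, the first map clause drops what the ACL selects, the matchless second clause forwards everything else, and a packet that matches no clause is dropped. The following Python model is an added example, not code from the Cisco guide or from IOS; it encodes SERVER1_ACL and SERVER1_MAP with the same first-match semantics and evaluates constructed sample flows, including the reply direction (which the ACL does not match) and a source outside 10.1.2.0/24 that shows the wildcard 0.0.0.255 covers a /24 and not a /8. The sequence number 10 assumed for the first clause and the sample addresses other than the page's own are assumptions.

```python
"""Model of Catalyst VLAN-map evaluation for the SERVER1 example.

Added example, not code from the Cisco guide or from IOS. It reproduces the
first-match semantics of an extended IP ACL and of a VLAN access map so the
intent of SERVER1_ACL / SERVER1_MAP can be checked against sample flows.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import List, NamedTuple, Optional


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """Turn an IOS 'address wildcard' pair into a network.

    In a wildcard mask a 1 bit means 'don't care', so 0.0.0.255 is a /24 and
    0.0.0.0 (what 'host x.x.x.x' expands to) is a /32.  Only contiguous
    wildcards are modelled here.
    """
    mask = (~int(IPv4Address(wildcard))) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} not modelled")
    return IPv4Network(f"{addr}/{prefixlen}", strict=False)


class AclEntry(NamedTuple):
    action: str          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


class MapClause(NamedTuple):
    seq: int
    acl: Optional[List[AclEntry]]  # None = no 'match' statement, matches everything
    action: str                    # "drop" or "forward"


def host(addr: str) -> IPv4Network:
    """'host a.b.c.d' in IOS is shorthand for wildcard 0.0.0.0."""
    return wildcard_to_network(addr, "0.0.0.0")


# Step 1: ip access-list extended SERVER1_ACL (the three permit entries from the page).
SERVER1_ACL: List[AclEntry] = [
    AclEntry("permit", wildcard_to_network("10.1.2.0", "0.0.0.255"), host("10.1.1.100")),
    AclEntry("permit", host("10.1.1.4"), host("10.1.1.100")),
    AclEntry("permit", host("10.1.1.8"), host("10.1.1.100")),
]

# Step 2: vlan access-map SERVER1_MAP.  The first clause was entered without a
# sequence number; 10 is assumed here for the number IOS assigns to it.
SERVER1_MAP: List[MapClause] = [
    MapClause(10, SERVER1_ACL, "drop"),   # match ip address SERVER1_ACL / action drop
    MapClause(20, None, "forward"),       # no match statement / action forward
]


def acl_selects(acl: List[AclEntry], src: IPv4Address, dst: IPv4Address) -> bool:
    """First-match ACL evaluation as used by a VLAN map.

    'permit' means the packet is selected by the ACL (so the clause's action
    applies to it); 'deny', and the implicit deny at the end, mean it is not.
    """
    for entry in acl:
        if src in entry.src and dst in entry.dst:
            return entry.action == "permit"
    return False


def vlan_map_action(vmap: List[MapClause], src: str, dst: str) -> str:
    """Return 'drop' or 'forward' for an IP packet from src to dst.

    Clauses are tried in sequence order; the first one whose ACL selects the
    packet (or that has no match statement) wins.  A packet matching no clause
    is dropped, which is why SERVER1_MAP needs its trailing forward clause.
    """
    s, d = IPv4Address(src), IPv4Address(dst)
    for clause in sorted(vmap, key=lambda c: c.seq):
        if clause.acl is None or acl_selects(clause.acl, s, d):
            return clause.action
    return "drop"


if __name__ == "__main__":
    # Constructed sample flows (addresses other than the page's own are made up).
    flows = [
        ("10.1.2.7", "10.1.1.100"),    # VLAN 20 subnet -> server: drop
        ("10.1.1.4", "10.1.1.100"),    # blocked host -> server: drop
        ("10.1.1.9", "10.1.1.100"),    # other VLAN 10 host -> server: forward
        ("10.1.1.100", "10.1.1.4"),    # reply direction is not matched: forward
        ("10.2.0.1", "10.1.1.100"),    # outside 10.1.2.0/24 but inside 10.0.0.0/8: forward
    ]
    for src, dst in flows:
        print(f"{src:>12} -> {dst:<12} {vlan_map_action(SERVER1_MAP, src, dst)}")
```

Evaluating SERVER1_MAP with only its first clause (drop the rest of the list) shows the implicit-drop behaviour: every packet that SERVER1_ACL does not select, including the permitted VLAN 10 hosts, is dropped. The model is one-directional like the switch: the server's replies toward 10.1.1.4 are forwarded, which is fine for the stated goal because the client's packets never reach the server.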
[Figure 19-5: a Catalyst 3550 switch with the enhanced multilayer software image applying the VLAN map; a host in VLAN 20 on subnet 10.1.2.0/24, hosts 10.1.1.4 and 10.1.1.8 in VLAN 10, and server 10.1.1.100 in VLAN 10; packets from these three sources toward the server are the ones the VLAN map drops.]