Chapter 34 Configuring Network Security with ACLs

Configuring VLAN Maps

Examples of ACLs and VLAN Maps

These examples show how to create ACLs and VLAN maps for specific purposes.

Example 1

This example shows how to create an ACL and a VLAN map to deny a packet. In the first map entry, any packets that match the ip1 ACL (TCP packets) are dropped. You first create the ip1 ACL to permit any TCP packet and no other packets. Because there is a match clause for IP packets in the VLAN map, the default action is to drop any IP packet that does not match any of the match clauses.

Switch(config)# ip access-list extended ip1
Switch(config-ext-nacl)# permit tcp any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map map_1 10
Switch(config-access-map)# match ip address ip1
Switch(config-access-map)# action drop

This example shows how to create a VLAN map to permit a packet. ACL ip2 permits UDP packets, and any packets that match the ip2 ACL are forwarded. In this map, any IP packets that did not match any of the previous ACLs (that is, packets that are neither TCP nor UDP packets) are dropped.

Switch(config)# ip access-list extended ip2
Switch(config-ext-nacl)# permit udp any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map map_1 20
Switch(config-access-map)# match ip address ip2
Switch(config-access-map)# action forward

Example 2

In this example, the VLAN map has a default action of drop for IP packets and a default action of forward for MAC packets. Used with standard ACL 101 and extended named access lists igmp-match and tcp-match, the map has the following results:

Forward all UDP packets

Drop all IGMP packets

Forward all TCP packets

Drop all other IP packets

Forward all non-IP packets

Switch(config)# access-list 101 permit udp any any
Switch(config)# ip access-list extended igmp-match
Switch(config-ext-nacl)# permit igmp any any
Switch(config)# ip access-list extended tcp-match
Switch(config-ext-nacl)# permit tcp any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map drop-ip-default 10
Switch(config-access-map)# match ip address 101
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan access-map drop-ip-default 20
Switch(config-access-map)# match ip address igmp-match
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vlan access-map drop-ip-default 30
Switch(config-access-map)# match ip address tcp-match
Switch(config-access-map)# action forward
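To check the result list above before a map is applied to a VLAN, here is an added Python evaluator (not from the Cisco guide) that models the VLAN map rules stated on this page: sequences are tried in order, the first matching clause decides, and the default is drop for a packet type that has a match clause in the map and forward otherwise. The ACL table, map entries and test packets are constructed to mirror Example 2, with each ACL simplified to the protocol it permits.

```python
# Added example, not Cisco code: evaluator for the VLAN map semantics above.
# Assumed simplification: every ACL is "permit <proto> any any", as on this page.

# Constructed ACL table: name -> set of IP protocols the ACL permits.
ACLS = {
    "101": {"udp"},          # access-list 101 permit udp any any
    "igmp-match": {"igmp"},  # ip access-list extended igmp-match
    "tcp-match": {"tcp"},    # ip access-list extended tcp-match
}

# Constructed VLAN map "drop-ip-default": (sequence, match kind, ACL, action).
VLAN_MAP = [
    (10, "ip", "101", "forward"),
    (20, "ip", "igmp-match", "drop"),
    (30, "ip", "tcp-match", "forward"),
]

def acl_matches(acl_name, packet):
    """An IP ACL matches when the packet's protocol is permitted by the ACL."""
    return packet.get("proto") in ACLS[acl_name]

def vlan_map_action(vlan_map, packet):
    """Apply a VLAN map to one packet and return "forward" or "drop".

    Sequences are tried in ascending order and the first matching clause
    decides. If no clause matches, the default depends on the packet type:
    drop when the map has at least one match clause for that type (here
    "ip"), forward when it has none (here, any non-IP/MAC packet).
    """
    kind = "ip" if packet["type"] == "ip" else "mac"
    for _seq, match_kind, acl_name, action in sorted(vlan_map):
        if match_kind != kind:
            continue
        if match_kind == "ip" and acl_matches(acl_name, packet):
            return action
    has_clause_for_kind = any(m == kind for _, m, _, _ in vlan_map)
    return "drop" if has_clause_for_kind else "forward"

def expected_results():
    """Constructed packets, one per bullet in the Example 2 result list."""
    packets = {
        "udp":  {"type": "ip", "proto": "udp"},
        "igmp": {"type": "ip", "proto": "igmp"},
        "tcp":  {"type": "ip", "proto": "tcp"},
        "icmp": {"type": "ip", "proto": "icmp"},  # "all other IP packets"
        "arp":  {"type": "arp"},                  # a non-IP packet
    }
    return {name: vlan_map_action(VLAN_MAP, p) for name, p in packets.items()}
```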

Catalyst 3750-E and 3560-E Switch Software Configuration Guide

OL-9775-02
