28-34
Cisco ME 3400 EthernetAccess Switch SoftwareConfiguration Guide
78-17058-01
Chapter28 Configuring Network Security with ACLs
Configuring VLAN Maps
Using VLAN Maps in Your Network
These sections describes some typical uses for VLAN maps:
Wiring Closet Configuration, page 28-34
Denying Access to a Server on Another VLAN, page 28-35

Wiring Closet Configuration

In a wiring closet configuration, routing might not be enabled on the swi tc h. In th is co nfigurat ion, t h e
switch can still support a VLAN map and a QoS classification ACL. In Figure28-4, assume that Host X
and Host Y are in different VLANs and are connected to wiring closet switches A and C. Traffic from
Host X to Host Y is eventually being routed by Switch B, a Layer 3 switch with routing enabled. Traffic
from Host X to Host Y can be access-controlled at the traffic entry point, Switch A.
Figure28-4 Wiring Closet Configuration
If you do not want HTTP traffic switched from Host X to Host Y, you can configure a VLAN map on
Switch A to drop all HTTP traffic from Host X (IP address 10.1.1.32) to Host Y (IP address 10.1.1.34)
at Switch A and not forward it to Switch B.
First, define the IP access list http that permits (matches) any TCP traffic on the HTTP port.
Switch(config)# ip access-list extended http
Switch(config-ext-nacl)# permit tcp host 10.1.1.32 host 10.1.1.34 eq www
Switch(config-ext-nacl)# exit
Next, create VLAN access map map2 so that traffic that matches the http access list is dropped and all
other IP traffic is forwarded.
Switch(config)# vlan access-map map2 10
Switch(config-access-map)# match ip address http
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch A Switch C
Switch B
VLAN map: Deny HTTP
from X to Y.
HTTP is dropped
at entry point.
Host X
10.1.1.32 Host Y
10.1.1.34
VLAN 1
VLAN 2
Packet
101355