33-18
Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter33 Configuring Network Security with ACLs
Configuring VLAN Maps
Denying Access to a Server on Another VLAN
Figure 33-4 shows how to restrict access to a server on another VLAN. In this example, server
10.1.1.100 in VLAN 10 has the following access restrictions:
Hosts in subnet 10.1.2.0/8 in VLAN 20 should not have access.
Hosts 10.1.1.4 and 10.1.1.8 in VLAN 10 should not have access.
Figure33-4 Deny Access to a Server on Another VLAN
This procedure configures ACLs with VLAN maps to deny access to a s erver on another VLAN. The
VLAN map SERVER 1_ACL denies access to hosts in subnet 10.1.2.0/8, host 10.1.1.4, and host
10.1.1.8. Then it permits all other IP traffic. In Step 3, VLAN map SE RVER1 is applied to VLAN 10.
To configure this scenario, you could take the following steps:
Step1 Define the IP ACL to match and permit the correct packets.
Switch(config)# ip access-list extended SERVER1_ACL
Switch(config-ext-nacl))# permit ip 10.1.2.0 0.0.0.255 host 10.1.1.100
Switch(config-ext-nacl))# permit ip host 10.1.1.4 host 10.1.1.100
Switch(config-ext-nacl))# permit ip host 10.1.1.8 host 10.1.1.100
Switch(config-ext-nacl))# exit
Step2 Define a VLAN map using the ACL to drop IP packets that match SERVER1_ACL and forward IP
packets that do not match the ACL.
Switch(config)# vlan access-map SERVER1_MAP
Switch(config-access-map)# match ip address SERVER1_ACL
Switch(config-access-map)# action drop
Switch(config)# vlan access-map SERVER1_MAP 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Step3 Apply the VLAN map to VLAN 10.
Switch(config)# vlan filter SERVER1_MAP
vlan-list 10.
Catalyst 4500 series switch Host (VLAN 20)
Host (VLAN 10)
Host (VLAN 10)
Server (VLAN 10)
94155
VLAN map
Subnet
10.1.2.0/8
10.1.1.100
10.1.1.4
10.1.1.8
Packet